A new open-source scanner has been released to detect a critical vulnerability in the Common Unix Printing System (CUPS), explicitly targeting CVE-2024-47176.
This vulnerability and others in the chain pose significant risks as it can allow remote code execution on UNIX and UNIX-like systems.
The scanner aims to help system administrators identify and mitigate these vulnerabilities before malicious actors can exploit them.
What is CUPS, and Why Does it Matter?
CUPS, or the Common Unix Printing System, is an open-source framework widely used for managing and controlling printers on UNIX and UNIX-like systems.
UNIX and Linux support it, and some Apple devices make it one of the most prevalent printing libraries.
Given its widespread use, any vulnerabilities within CUPS can have far-reaching implications, affecting numerous systems globally.
Several critical vulnerabilities have recently been identified in CUPS, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.
These vulnerabilities can be chained together to allow a remote attacker to add or reconfigure network printers to execute arbitrary code when users attempt to print from them.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
A Quick Overview of CVE-2024-47176
According to the MalwareTech report in Github, the vulnerability CVE-2024-47176 is found in the cups-browsed daemon.
The flaw arises because cups-browsed binds its control port (UDP port 631) to INADDR_ANY, making it accessible to the world without authentication.
This means anyone reaching the control port can instruct cups-browsed to perform printer discovery.
Even if the port is not directly accessible from the internet due to firewalls or NAT configurations, it may still be reachable via local networks.
This opens up possibilities for privilege escalation and lateral movement within an organization’s network.
How CVE-2024-47176 Scanning Works
The exploitation process typically begins with an attacker sending a specially crafted request to cups-browsed on UDP port 631.
This causes cups-browsed to reach a malicious URL controlled by the attacker. Attackers can identify susceptible systems by triggering a vulnerable cups-browsed instance to issue an HTTP request (callback) to a server under their control.
The scanning process involves:
- Setting up a basic HTTP server.
- Crafting a UDP packet instructing cups-browsed to connect to this server.
- Sending the UDP packet across a range of IP addresses on port 631.
- Logging any POST requests triggered by vulnerable instances.
Automating Scans with cups_scanner.py
The newly released Python script, cups_scanner.py, automates this scanning process. It handles both the HTTP server setup and the scanning itself.
The script launches a temporary HTTP server using http.server on a specified IP and port, constructs UDP packets, and sends them across specified IP ranges. It captures callbacks from vulnerable instances and logs them for analysis.
Command Line Arguments
- –target: Specifies the CIDR(s) to scan.
- –callback: Sets the local IP and port for hosting the HTTP server.
- –scan-unsafe: Overrides default behavior to scan all addresses, including network and broadcast addresses.
Example Usage
To scan CIDR 10.0.0.0/24 from IP address 10.0.0.1 with a callback server on port 1337:
python3 cups_scanner.py --targets 10.0.0.0/24 --callback 10.0.0.1:1337
This tool provides system administrators with a powerful method for proactively identifying and addressing vulnerabilities in their CUPS configurations, enhancing security across their networks.
Upgrade Your Cybersecurity Skills With 100+ Premium Cyber Security Courses Online - Enroll Here