Investigating CVE-2024-47177: Exploitation of CUPS via Malicious PPD Injection

Rahul Shah

Investigating CUPS Exploitation Incident

The Common Unix Printing System (CUPS) is an essential printing framework widely utilized in Unix-like operating systems, including various distributions of Linux and macOS. By implementing the Internet Printing Protocol (IPP), CUPS facilitates seamless printing services over local and networked environments, allowing users to manage and deploy printers efficiently. The core of the incident we will be investigating involves exploiting CUPS by tricking it into generating a malicious PostScript Printer Description (PPD) file.

Incident Summary

Alert Details:

  • Event Time: Oct 04, 2024, 12:11
  • CVE: CVE-2024-47177
  • Source IP: 18.217.36.165
  • Destination IP: 172.16.17.178
  • Hostname: Bernard

This incident began as an escalated alert from an L1 Analyst. Key observations included suspicious IPP requests from a source IP over port 631. Let’s dive into the logs to analyze the activity.

Initial Observations

Log Analysis

The cups-browsed component of CUPS accepts connections on UDP/631. The alert revealed that printer attributes were sent to port 631 of the target IP (172.16.17.178) from the source IP (18.217.36.165). This activity was confirmed through logs accessible at localhost:631/printers:

  1. The /var/log/cups/access_log.1 file displayed two entries around the alert time:
     • The first entry showed status code 401 (an unauthorized attempt).
     • The second entry showed status code 200, indicating a new printer addition made with root privileges.

Rogue Print Job

At 12:12:34, a print job was sent to the rogue printer. The job utilized foomatic, a filter system that translates PostScript and PDF files for printers, guided by the instructions in a PPD file.

Exploitation Breakdown

https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html

Malicious PPD File

The attack exploited CUPS by embedding a malicious command in a PPD file’s FoomaticRIPCommandLine value. Upon inspection of the CUPS PPD storage directory, the rogue PPD file was located, and its contents confirmed the presence of the embedded command.

Execution Process

The foomatic-rip process executed the embedded command with the privileges of the “lp” user (CUPS’ default user). While the “lp” user typically has limited privileges, this foothold allowed the attacker to further their intrusion.

Reverse Shell Analysis

The embedded command attempted to establish a reverse shell by initiating a connection to 18.217.36.165 on port 9001.

Verification via PCAP

Analysis of the provided PCAP file confirmed the connection and subsequent interactive Bash session. Packet captures showed command executions accessing sensitive files. These activities matched entries in the server’s process logs.

This investigation highlights the dangers of unsecured printing services and the exploitation of CUPS vulnerabilities via malicious PPD files. The attacker leveraged:

  1. Network Misconfigurations: Unrestricted access to UDP/631.
  2. Privilege Escalation: Abuse of root privileges to add a rogue printer.
  3. Command Execution: A crafted PPD file to execute malicious commands via the foomatic-rip process.

Detecting Exploitation

  1. Monitor CUPS Logs:
     • Inspect /var/log/cups/access_log and /var/log/cups/error_log for unusual activity.
     • Look for unauthorized or unexpected printer registrations and suspicious PPD file manipulations.
  2. Network Traffic Monitoring:
     • Capture and analyze UDP or mDNS traffic targeting port 631 using network monitoring tools.
     • Flag unusual or unauthorized traffic, especially from unfamiliar devices or networks.
  3. Monitor Process Activity of the “lp” User:
     • Review commands and file changes initiated by the “lp” user.
     • Focus on activity outside normal printing operations.
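The first two checks above (a 401 followed by a successful queue addition in access_log, and a PPD whose FoomaticRIPCommandLine carries something other than a print filter pipeline) can be scripted. The following is an added example written for this post, not code from the original investigation: the access_log lines and the PPD fragment are constructed samples that mirror the incident, the rogue command line is redacted, and the token list used to judge a command line suspicious is an assumption to be tuned per environment.

```python
import re

# Constructed sample of /var/log/cups/access_log lines mirroring the incident: a 401 on
# the admin endpoint, then a successful queue add as root, then a job to the new queue.
ACCESS_SAMPLE = """\
localhost - - [04/Oct/2024:12:11:02 +0000] "POST /admin/ HTTP/1.1" 401 0 - -
localhost - root [04/Oct/2024:12:11:03 +0000] "POST /admin/ HTTP/1.1" 200 160 CUPS-Add-Modify-Printer successful-ok
localhost - - [04/Oct/2024:12:12:34 +0000] "POST /printers/Rogue HTTP/1.1" 200 1420 Print-Job successful-ok
"""
# Constructed PPD fragment: a benign filter pipeline and a redacted rogue command line.
PPD_SAMPLE = """*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=ljet4 -sOutputFile=- - | cat"
*FoomaticRIPCommandLine: "/bin/sh -c '<redacted: reverse shell to 18.217.36.165:9001>'"
"""

# access_log layout: host group user [date] "request" status bytes ipp-op ipp-status
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: (?P<ipp_op>\S+) (?P<ipp_status>\S+))?$')
# IPP operations that create or modify a queue, i.e. what a rogue printer registration looks like
QUEUE_ADMIN_OPS = {"CUPS-Add-Modify-Printer", "CUPS-Add-Printer", "CUPS-Add-Modify-Class"}
PPD_CMD_RE = re.compile(r'\*FoomaticRIPCommandLine:\s*"(?P<cmd>[^"]*)"')  # single-line values only
# Heuristic token list (an assumption; tune per fleet): genuine RIP command lines drive
# gs and print filters, not shells, network clients or scripting interpreters.
SUSPICIOUS_TOKENS = re.compile(
    r'(/dev/tcp/|\bnc\b|\bncat\b|\bbash\s+-i\b|\bsh\s+-c\b|\bcurl\b|\bwget\b|\bpython3?\b|\bperl\b)')

def parse_access_line(line):
    """Return the access_log fields as a dict, or None for lines that do not match."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None

def find_queue_additions(log_text):
    """One finding per successful queue-admin op, noting a 401 from the same host just before it."""
    findings, last_status = [], {}
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["ipp_op"] in QUEUE_ADMIN_OPS and rec["status"] == "200":
            findings.append({"when": rec["when"], "user": rec["user"], "op": rec["ipp_op"],
                             "preceded_by_401": last_status.get(rec["host"]) == "401"})
        last_status[rec["host"]] = rec["status"]
    return findings

def suspicious_ppd_commands(ppd_text):
    """Return FoomaticRIPCommandLine values that reference shells or network tools."""
    return [m.group("cmd") for m in PPD_CMD_RE.finditer(ppd_text)
            if SUSPICIOUS_TOKENS.search(m.group("cmd"))]
```

Run `find_queue_additions` over the real access_log and `suspicious_ppd_commands` over each file under the CUPS PPD directory; a finding with `preceded_by_401` set, or any command line returned by the PPD check, is the pattern seen in this incident.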

Mitigation Strategies

  1. Patch Management:
     • Update CUPS to the latest version to address CVE-2024-47177 and related vulnerabilities.
  2. Access Restrictions:
     • Restrict external access to printing services.
     • Use firewalls to block unauthorized traffic to UDP/631.
  3. System Hardening:
     • Disable unnecessary services and protocols.
     • Regularly audit server and process logs for anomalies.
  4. Monitoring and Alerts:
     • Implement SIEM rules to detect printer-related activities such as unauthorized additions.
     • Set up alerts for anomalous network traffic targeting CUPS.

Proactive detection, robust patching, and careful monitoring can help mitigate risks and prevent exploitation of vulnerabilities in CUPS.

