mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
	Merge pull request #1264 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-631-internet-printing-protocol-ipp_20250809_012555
Research Update Enhanced src/network-services-pentesting/pen...
commit 9f02ef0154
				| @ -2,27 +2,104 @@ | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| The **Internet Printing Protocol (IPP)**, as specified in **RFC2910** and **RFC2911**, serves as a foundation for printing over the internet. Its capability to be extended is showcased by developments like **IPP Everywhere**, which aims to standardize mobile and cloud printing, and the introduction of extensions for **3D printing**. | ||||
| The **Internet Printing Protocol (IPP)**, as specified in **RFC 2910** and **RFC 2911**, is the de-facto standard for network printing. It sits on top of **HTTP/1.1** (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as **IPP Everywhere** even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers. | ||||
| 
 | ||||
| Leveraging the **HTTP** protocol, IPP benefits from established security practices including **basic/digest authentication** and **SSL/TLS encryption**. Actions like submitting a print job or querying printer status are performed through **HTTP POST requests** directed at the IPP server, which operates on **port 631/tcp**. | ||||
| 
 | ||||
| A well-known implementation of IPP is **CUPS**, an open-source printing system prevalent across various Linux distributions and OS X. Despite its utility, IPP, akin to LPD, can be exploited to transmit malicious content through **PostScript** or **PJL files**, highlighting a potential security risk. | ||||
| Unfortunately, exposing port **631/tcp (and 631/udp for printer discovery)** often leads to serious security issues – both on traditional office printers and on any Linux/Unix host running **CUPS**. | ||||
| 
 | ||||
| --- | ||||
| ## Quick PoC – crafting raw IPP with Python | ||||
| ```python | ||||
| # Example of sending an IPP request using Python | ||||
| import requests | ||||
| import struct, requests | ||||
| 
 | ||||
| url = "http://printer.example.com:631/ipp/print" | ||||
| headers = {"Content-Type": "application/ipp"} | ||||
| data = b"..."  # IPP request data goes here | ||||
| # Minimal IPP Get-Printer-Attributes request (operation-id 0x000B) | ||||
| ipp = struct.pack( | ||||
|     ">IHHIHH",               # version 2.0, operation-id, request-id | ||||
|     0x0200,                  # 2.0 | ||||
|     0x000B,                  # Get-Printer-Attributes | ||||
|     0x00000001,             # request-id | ||||
|     0x01, 0x47,             # operation-attributes-tag, charset attr (skipped) | ||||
| ) + b"\x03"                # end-of-attributes | ||||
| 
 | ||||
| response = requests.post(url, headers=headers, data=data, verify=True) | ||||
| print(response.status_code) | ||||
| r = requests.post("http://printer:631/ipp/print", headers={"Content-Type":"application/ipp"}, data=ipp) | ||||
| print(r.status_code, r.content[:40]) | ||||
| ``` | ||||
| --- | ||||
| ## Enumeration & Recon | ||||
| 
 | ||||
| If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page). | ||||
| ### 1. Nmap NSE | ||||
| ```bash | ||||
| # run all CUPS/IPP scripts | ||||
| nmap -sV -p631 --script=cups* <target> | ||||
| # or only basic info | ||||
| nmap -p631 --script=cups-info,cups-queue-info <target> | ||||
| ``` | ||||
| The `cups-info` script extracts model, state and queue statistics while `cups-queue-info` enumerates pending jobs. | ||||
| 
 | ||||
| ### 2. IPP utilities from CUPS | ||||
| * `ippfind` – multicast/UDP discovery (works against cups-browsed): | ||||
|   ```bash | ||||
|   ippfind --timeout 3 --txt -v "@local and port=631"  # list printers | ||||
|   ``` | ||||
| * `ipptool` – arbitrary requests defined in a *.test* file: | ||||
|   ```bash | ||||
|   ipptool -tv ipp://<IP>/ipp/print get-printer-attributes.test | ||||
|   ``` | ||||
|   The bundled *get-printer-attributes.test* file queries firmware version, supported document formats, etc. | ||||
| 
 | ||||
| ### 3. Shodan / Censys dorks | ||||
| ```bash | ||||
| shodan search 'product:"CUPS (IPP)" port:631' | ||||
| ``` | ||||
| More than **70 000** hosts were publicly exposing CUPS in April 2025 . | ||||
| 
 | ||||
| --- | ||||
| ## Recent Vulnerabilities (2023-2025) | ||||
| 
 | ||||
| | Year | CVE ID(s) | Affected component | Impact | | ||||
| |------|-----------|--------------------|--------| | ||||
| | 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap-overflow → RCE over Wi-Fi/LAN  | | ||||
| | 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated RCE chain on any Linux desktop/server with CUPS browsing enabled  | | ||||
| | 2024 | CVE-2024-35235 | cupsd 2.4.8- | Symlink trick → arbitrary **chmod 666** → privilege escalation  | | ||||
| | 2023 | CVE-2023-0856 (Canon) + Pwn2Own | Stack-overflow in `sides` attribute → remote code execution  | | ||||
| 
 | ||||
| ### cups-browsed RCE chain (September 2024) | ||||
| 1. `cups-browsed` listens on **UDP/631** for printer advertisements. | ||||
| 2. An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176). | ||||
| 3. `libcupsfilters` automatically fetches the remote **PPD** without validation (CVE-2024-47076 & 47175). | ||||
| 4. A crafted PPD abuses the **foomatic-rip** filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177). | ||||
| 
 | ||||
| Proof-of-concept code is public on the researcher’s blog and exploits require **no authentication**; network access to UDP/631 is enough. | ||||
| 
 | ||||
| #### Temporary mitigations | ||||
| ``` | ||||
| sudo systemctl stop cups-browsed | ||||
| sudo systemctl disable cups-browsed | ||||
| sudo ufw deny 631/udp  # or equivalent firewall rule | ||||
| ``` | ||||
| Patches were released by major distributions in October 2024 – ensure **cups-filters ≥ 2.0.0**. | ||||
| 
 | ||||
| ### cupsd symlink `Listen` misconfiguration (CVE-2024-35235) | ||||
| Placing a symbolic link in *cupsd.conf*’s `Listen` directive causes **cupds (root)** to `chmod 666` an attacker-chosen path, leading to writable system files and, on Ubuntu, code execution via a malicious PPD with `FoomaticRIPCommandLine` . | ||||
| 
 | ||||
| --- | ||||
| ## Offensive Techniques | ||||
| 
 | ||||
| * **Unauthenticated raw print job** – many printers accept `POST /ipp/print` without auth. A malicious **PostScript** payload can invoke shell commands (`system("/bin/nc ...")`) on high-end devices. | ||||
| * **Job Hijacking** – `Cancel-Job` followed by `Send-Document` lets an attacker replace someone else’s document before it is physically printed. | ||||
| * **SNMP → IPP combo** – default community `public` often leaks the internal queue name required in the IPP URL. | ||||
| 
 | ||||
| --- | ||||
| ## Defensive Best Practices | ||||
| 1. Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds. | ||||
| 2. Disable `cups-browsed` and UDP/631 unless zeroconf printing is required. | ||||
| 3. Restrict TCP/631 to trusted subnets/VPN and enforce **TLS (ipps://)**. | ||||
| 4. Require **Kerberos/Negotiate** or certificate auth instead of anonymous printing. | ||||
| 5. Monitor logs: `/var/log/cups/error_log` with `LogLevel debug2` will show unsolid PPD downloads or suspicious filter invocations. | ||||
| 6. In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only. | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| ## References | ||||
| - Akamai – “Critical Linux RCE Vulnerability in CUPS — What We Know and How to Prepare”, April 2025. | ||||
| - Debian Security Tracker – CVE-2024-35235 details. | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
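Review bot: The `struct.pack` call in the new "Quick PoC" block does not produce a valid IPP header: the format string `">IHHIHH"` declares six fields where the comment names three (version, operation-id, request-id), so the version is written as 4 bytes and the request-id as 2, while IPP encodes the version as 2 bytes, the operation-id as 2 bytes and the request-id as 4 bytes. A conforming server will not parse this as a version 2.0 request. Suggest packing the header as `">HHI"` with `0x0200, 0x000B, 0x00000001`, emitting the operation-attributes tag as the single byte `0x01`, and including the required `attributes-charset`, `attributes-natural-language` and `printer-uri` attributes before the `0x03` end tag instead of marking the charset attribute "(skipped)". Smaller points in the same hunk: the 2023 row of the vulnerabilities table has three cells under a four-column header, the 2025 row lists a CVE-2023 identifier and should be checked, "cupds" should read "cupsd", "unsolid PPD downloads" looks like a typo, the "Temporary mitigations" fence has no language tag while the other shell blocks use `bash`, and several sentences end in " ." where a citation marker appears to have been dropped.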