
# Internet Printing Protocol

{{#include ../banners/hacktricks-training.md}}

The Internet Printing Protocol (IPP), specified in RFC 2910 and RFC 2911, is the de facto standard for network printing. It sits on top of HTTP/1.1 (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as IPP Everywhere even allow driver-less printing from mobile and cloud environments, and the same packet format has been reused for 3-D printers.

Unfortunately, exposing port 631/tcp (and 631/udp for printer discovery) often leads to serious security issues both on traditional office printers and on any Linux/Unix host running CUPS.


Quick PoC crafting raw IPP with Python

```python
import struct, requests

def ipp_attr(tag, name, value):
    """Encode one IPP attribute: value-tag, name-length, name, value-length, value."""
    name, value = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

# Minimal IPP Get-Printer-Attributes request (operation-id 0x000B)
ipp = struct.pack(">BBHI", 2, 0, 0x000B, 1)          # version 2.0, operation-id, request-id
ipp += b"\x01"                                        # operation-attributes-tag
ipp += ipp_attr(0x47, "attributes-charset", "utf-8")                 # charset (mandatory, must be first)
ipp += ipp_attr(0x48, "attributes-natural-language", "en")           # natural-language (mandatory, second)
ipp += ipp_attr(0x45, "printer-uri", "ipp://printer:631/ipp/print")  # target printer (uri tag 0x45)
ipp += b"\x03"                                        # end-of-attributes

r = requests.post("http://printer:631/ipp/print", headers={"Content-Type": "application/ipp"}, data=ipp)
print(r.status_code, r.content[:40])
```
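To make sense of what comes back, here is an added response parser (example code written for this page, not from the CUPS project or part of the original PoC) that decodes the RFC 8010 wire format into attribute groups, handling multi-valued attributes and length fields that run past the message. `SAMPLE_RESPONSE` is a constructed reply from a fictional printer, not captured traffic.

```python
import struct

GROUP_TAGS = {0x01: "operation", 0x02: "job", 0x04: "printer", 0x05: "unsupported"}
INT_TAGS, BOOL_TAG, END_TAG = {0x21, 0x23}, 0x22, 0x03   # integer/enum, boolean, end-of-attributes

def parse_ipp(data: bytes) -> dict:
    """Decode an IPP message (RFC 8010 wire format): header fields plus attribute groups."""
    major, minor, status, req_id = struct.unpack(">BBHI", data[:8])
    pos, groups, current, last_name = 8, [], None, None
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == END_TAG:
            break
        if tag < 0x10:                                  # begin-attribute-group-tag
            current = (GROUP_TAGS.get(tag, hex(tag)), {})
            groups.append(current)
            continue
        if current is None:
            raise ValueError(f"attribute before any group tag at offset {pos - 1}")
        nlen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        name = data[pos:pos + nlen].decode(); pos += nlen
        vlen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        raw = data[pos:pos + vlen]; pos += vlen
        if len(raw) != vlen:                            # length field points past the message
            raise ValueError(f"truncated value for {name or last_name!r}")
        if tag in INT_TAGS and vlen == 4:
            value = struct.unpack(">i", raw)[0]
        elif tag == BOOL_TAG and vlen == 1:
            value = bool(raw[0])
        else:                                           # keyword/uri/text/... are kept as str
            value = raw.decode("utf-8", "replace")
        last_name = name or last_name                   # empty name = additional value of previous attr
        current[1].setdefault(last_name, []).append(value)
    return {"version": f"{major}.{minor}", "status": status, "request_id": req_id, "groups": groups}

def _attr(tag: int, name: str, value) -> bytes:
    """Encode one attribute; used here only to build the constructed sample reply below."""
    raw = bytes([value]) if isinstance(value, bool) else (struct.pack(">i", value) if isinstance(value, int) else value.encode())
    return struct.pack(">BH", tag, len(name)) + name.encode() + struct.pack(">H", len(raw)) + raw

SAMPLE_RESPONSE = (   # constructed: a 'successful-ok' (0x0000) reply to request-id 1 from a fictional printer
    struct.pack(">BBHI", 2, 0, 0x0000, 1) + b"\x01"            # header + operation-attributes group
    + _attr(0x47, "attributes-charset", "utf-8") + _attr(0x48, "attributes-natural-language", "en")
    + b"\x04"                                                   # printer-attributes group
    + _attr(0x42, "printer-name", "Office-LJ") + _attr(0x23, "printer-state", 3)   # enum 3 = idle
    + _attr(0x22, "printer-is-accepting-jobs", True)
    + _attr(0x49, "document-format-supported", "application/pdf")
    + _attr(0x49, "", "application/postscript")                 # additional value (empty name)
    + b"\x03"                                                   # end-of-attributes
)
```

Feed `r.content` from the PoC above into `parse_ipp()` to get the printer group as a plain dict.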

## Enumeration & Recon

### 1. Nmap NSE

```bash
# run all CUPS/IPP scripts
nmap -sV -p631 --script=cups* <target>
# or only basic info
nmap -p631 --script=cups-info,cups-queue-info <target>
```

The `cups-info` script extracts model, state and queue statistics, while `cups-queue-info` enumerates pending jobs.

### 2. IPP utilities from CUPS

- `ippfind`: multicast/UDP discovery (works against cups-browsed):
  ```bash
  ippfind --timeout 3 --txt -v "@local and port=631"  # list printers
  ```
- `ipptool`: arbitrary requests defined in a `.test` file:
  ```bash
  ipptool -tv ipp://<IP>/ipp/print get-printer-attributes.test
  ```
  The bundled `get-printer-attributes.test` file queries firmware version, supported document formats, etc.

### 3. Shodan / Censys dorks

```bash
shodan search 'product:"CUPS (IPP)" port:631'
```

More than 70,000 hosts were publicly exposing CUPS in April 2025.

## Recent Vulnerabilities (2023-2025)

| Year | CVE ID(s) | Affected component | Impact |
|------|-----------|--------------------|--------|
| 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap overflow → RCE over Wi-Fi/LAN |
| 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated RCE chain on any Linux desktop/server with CUPS browsing enabled |
| 2024 | CVE-2024-35235 | cupsd ≤ 2.4.8 | Symlink trick → arbitrary chmod 666 → privilege escalation |
| 2023 | CVE-2023-0856 + Pwn2Own | Canon (printer firmware) | Stack overflow in `sides` attribute → remote code execution |

### cups-browsed RCE chain (September 2024)

1. cups-browsed listens on UDP/631 for printer advertisements.
2. An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176).
3. libcupsfilters automatically fetches the remote PPD without validation (CVE-2024-47076 & 47175).
4. A crafted PPD abuses the foomatic-rip filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177).

Proof-of-concept code is public on the researchers' blog, and the exploits require no authentication; network access to UDP/631 is enough.

#### Temporary mitigations

```bash
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo ufw deny 631/udp  # or equivalent firewall rule
```

Patches were released by major distributions in October 2024; make sure cups-filters is ≥ 2.0.0.

### CVE-2024-35235 (cupsd Listen symlink)

Placing a symbolic link in the path named by the `Listen` directive of cupsd.conf causes cupsd (running as root) to chmod 666 an attacker-chosen path, leaving system files world-writable and, on Ubuntu, leading to code execution via a malicious PPD with `FoomaticRIPCommandLine`.

## Offensive Techniques

- **Unauthenticated raw print job**: many printers accept `POST /ipp/print` without auth. A malicious PostScript payload can invoke shell commands (`system("/bin/nc ...")`) on high-end devices.
- **Job hijacking**: `Cancel-Job` followed by `Send-Document` lets an attacker replace someone else's document before it is physically printed.
- **SNMP → IPP combo**: the default community `public` often leaks the internal queue name required in the IPP URL.

## Defensive Best Practices

1. Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds.
2. Disable cups-browsed and UDP/631 unless zeroconf printing is required.
3. Restrict TCP/631 to trusted subnets/VPN and enforce TLS (`ipps://`).
4. Require Kerberos/Negotiate or certificate auth instead of anonymous printing.
5. Monitor logs: `/var/log/cups/error_log` with `LogLevel debug2` will show unsolicited PPD downloads or suspicious filter invocations.
6. In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only.
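As an added defensive check (example code written for this page, not part of CUPS or of the original page), the script below audits the PPDs cupsd keeps under `/etc/cups/ppd` (one `<queue>.ppd` per configured queue) for `*FoomaticRIPCommandLine` directives, the hook abused by both the cups-browsed chain and the CVE-2024-35235 escalation, and flags command lines containing shell constructs. The two sample PPD fragments are constructed, and the suspicious-pattern list is a heuristic of my own that must be reviewed, not trusted blindly.

```python
import re
from pathlib import Path

# *FoomaticRIPCommandLine hands the PPD full control over the command foomatic-rip executes,
# which is the hook abused by the 2024 cups-browsed chain and the CVE-2024-35235 escalation.
FOOMATIC_CMD = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"((?:[^"\\]|\\.)*)"', re.M)
# Heuristic (my own, not from CUPS): a legitimate RIP command line is normally a plain gs/pdftops
# pipeline and has no reason to chain commands, spawn shells or talk to the network.
SUSPICIOUS = re.compile(r'[;`]|\$\(|/dev/tcp|\b(nc|ncat|bash|sh|curl|wget|python3?|perl)\b')

def audit_ppd(text: str) -> list:
    """Return every FoomaticRIPCommandLine found in one PPD together with a suspicious verdict."""
    return [{"command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))}
            for cmd in FOOMATIC_CMD.findall(text)]

def audit_ppd_dir(ppd_dir: str = "/etc/cups/ppd") -> dict:
    """Audit the PPD of every queue under ppd_dir (cupsd keeps one <queue>.ppd per configured queue)."""
    return {p.stem: hits for p in Path(ppd_dir).glob("*.ppd")
            if (hits := audit_ppd(p.read_text(errors="replace")))}

# Constructed sample PPD fragments: a normal foomatic pipeline and one carrying a chained shell command.
BENIGN_PPD = ('*PPD-Adobe: "4.3"\n'
              '*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"\n'
              '*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=ljet4 -sOutputFile=- -"\n')
ROGUE_PPD = BENIGN_PPD.replace('-sOutputFile=- -"', '-sOutputFile=- -; /bin/sh -c id"')

if __name__ == "__main__":
    for queue, hits in audit_ppd_dir().items():
        for h in hits:
            print(f"[{'SUSPICIOUS' if h['suspicious'] else 'review'}] {queue}: {h['command']}")
```

Any queue that cups-browsed created from a remote advertisement deserves a look even when its command line is flagged only as `review`.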

## References

- Akamai, “Critical Linux RCE Vulnerability in CUPS — What We Know and How to Prepare”, April 2025.
- Debian Security Tracker, CVE-2024-35235 details.

{{#include ../banners/hacktricks-training.md}}