hacktricks/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md

# Internet Printing Protocol
{{#include ../banners/hacktricks-training.md}}
The **Internet Printing Protocol (IPP)**, as specified in **RFC 2910** and **RFC 2911**, is the de-facto standard for network printing. It sits on top of **HTTP/1.1** (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as **IPP Everywhere** even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers.
Unfortunately, exposing port **631/tcp (and 631/udp for printer discovery)** often leads to serious security issues both on traditional office printers and on any Linux/Unix host running **CUPS**.
---
## Quick PoC: crafting raw IPP with Python
```python
import struct
import requests

# IPP wire format (RFC 8010): version (major, minor), operation-id, request-id, then attribute groups.
# Get-Printer-Attributes is operation-id 0x000B.
header = struct.pack(">BBHI", 2, 0, 0x000B, 1)  # IPP/2.0, Get-Printer-Attributes, request-id 1

def attr(tag, name, value):
    # One attribute: value-tag (1 byte), name-length (2), name, value-length (2), value
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

ipp = (
    header
    + b"\x01"                                                     # operation-attributes-tag
    + attr(0x47, b"attributes-charset", b"utf-8")                 # charset: required, must come first
    + attr(0x48, b"attributes-natural-language", b"en")           # natural language: required, second
    + attr(0x45, b"printer-uri", b"ipp://printer:631/ipp/print")  # uri: the target printer
    + b"\x03"                                                     # end-of-attributes-tag
)
r = requests.post("http://printer:631/ipp/print", headers={"Content-Type": "application/ipp"}, data=ipp)
print(r.status_code, r.content[:40])
```
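The reply is binary IPP too, so it pays to decode it rather than eyeball `r.content`. The decoder below is an added example, not code from the original page or from the CUPS project: it walks the RFC 8010 encoding (8-byte header, delimiter-tagged attribute groups, value-tagged attributes, additional values carried with an empty name) over a constructed sample Get-Printer-Attributes response, and raises `ValueError` on truncated or malformed input instead of reading past the end of the buffer. The sample bytes, the printer name and the advertised formats are made up for the example.

```python
import struct

# IPP value tags (RFC 8010) that this decoder interprets; anything else is kept as raw bytes
INTEGER_TAGS = {0x21, 0x23}                       # integer, enum: 4-byte signed big-endian
BOOLEAN_TAG = 0x22                                # boolean: 1 byte
STRING_TAGS = {0x41, 0x42, 0x44, 0x45,            # textWithoutLanguage, nameWithoutLanguage, keyword, uri
               0x47, 0x48, 0x49}                  # charset, naturalLanguage, mimeMediaType
GROUP_TAGS = {0x01: "operation", 0x02: "job", 0x04: "printer", 0x05: "unsupported"}
END_TAG = 0x03


def decode_ipp(data):
    """Parse one IPP message into ((major, minor), status_or_operation, request_id, groups).

    groups maps a group name to {attribute-name: [values]}; additional values (empty
    name) are folded into the preceding attribute. Truncated or structurally invalid
    input raises ValueError instead of reading past the end of the buffer.
    """
    pos = 0

    def take(n):                                  # bounds-checked read of n bytes
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated IPP message at offset %d" % pos)
        pos += n
        return chunk

    major, minor, status, req_id = struct.unpack(">BBHI", take(8))
    groups, current, last_name = {}, None, None
    while pos < len(data):
        tag = take(1)[0]
        if tag == END_TAG:
            break
        if tag < 0x10:                            # delimiter tag: a new attribute group starts
            current = groups.setdefault(GROUP_TAGS.get(tag, "0x%02x" % tag), {})
            last_name = None
            continue
        if current is None:
            raise ValueError("attribute before any group delimiter")
        (name_len,) = struct.unpack(">H", take(2))
        name = take(name_len).decode("ascii")     # UnicodeDecodeError is a ValueError
        (val_len,) = struct.unpack(">H", take(2))
        raw = take(val_len)
        if tag in INTEGER_TAGS:
            if val_len != 4:
                raise ValueError("integer/enum value must be 4 bytes, got %d" % val_len)
            value = struct.unpack(">i", raw)[0]
        elif tag == BOOLEAN_TAG:
            if val_len != 1:
                raise ValueError("boolean value must be 1 byte, got %d" % val_len)
            value = bool(raw[0])
        elif tag in STRING_TAGS:
            value = raw.decode("utf-8", errors="replace")
        else:
            value = raw
        if name_len == 0:                         # additional value of the preceding attribute
            if last_name is None:
                raise ValueError("additional value without a preceding attribute")
            name = last_name
        current.setdefault(name, []).append(value)
        last_name = name
    else:
        raise ValueError("missing end-of-attributes tag")
    return (major, minor), status, req_id, groups


def is_well_formed(data):
    """True when the message decodes completely, False on any structural error."""
    try:
        decode_ipp(data)
        return True
    except ValueError:
        return False


def _attr(tag, name, value):                      # encoder used only to build the sample below
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value


# Constructed sample: a successful-ok (0x0000) Get-Printer-Attributes response, request-id 1
SAMPLE_RESPONSE = (
    struct.pack(">BBHI", 2, 0, 0x0000, 1)
    + b"\x01"                                                       # operation-attributes-tag
    + _attr(0x47, b"attributes-charset", b"utf-8")
    + _attr(0x48, b"attributes-natural-language", b"en")
    + b"\x04"                                                       # printer-attributes-tag
    + _attr(0x42, b"printer-name", b"lab-printer")
    + _attr(0x23, b"printer-state", struct.pack(">i", 3))           # enum 3 = idle
    + _attr(0x49, b"document-format-supported", b"application/pdf")
    + _attr(0x49, b"", b"application/postscript")                   # additional value: empty name
    + _attr(0x44, b"ipp-versions-supported", b"2.0")
    + b"\x03"                                                       # end-of-attributes-tag
)

if __name__ == "__main__":
    version, status, req_id, groups = decode_ipp(SAMPLE_RESPONSE)
    print("IPP/%d.%d status=0x%04x request-id=%d" % (*version, status, req_id))
    for group, attrs in groups.items():
        for name, values in attrs.items():
            print("  [%s] %s = %s" % (group, name, values))
```

Feed `r.content` from the PoC above into `decode_ipp` to get the printer attributes as a dictionary; the `take()` helper is what keeps a short or hostile reply from turning into an index error half-way through a group.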
---
## Enumeration & Recon
### 1. Nmap NSE
```bash
# run all CUPS/IPP scripts
nmap -sV -p631 --script=cups* <target>
# or only basic info
nmap -p631 --script=cups-info,cups-queue-info <target>
```
The `cups-info` script extracts model, state and queue statistics while `cups-queue-info` enumerates pending jobs.
### 2. IPP utilities from CUPS
* `ippfind`: multicast/UDP (DNS-SD) discovery, which also finds the queues that cups-browsed advertises:
```bash
ippfind --timeout 3 --txt -v "@local and port=631" # list printers
```
* `ipptool`: sends arbitrary requests defined in a *.test* file:
```bash
ipptool -tv ipp://<IP>/ipp/print get-printer-attributes.test
```
The bundled *get-printer-attributes.test* file queries firmware version, supported document formats, etc.
### 3. Shodan / Censys dorks
```bash
shodan search 'product:"CUPS (IPP)" port:631'
```
More than **70 000** hosts were publicly exposing CUPS in April 2025.
---
## Recent Vulnerabilities (2023-2025)
| Year | CVE ID(s) | Affected component | Impact |
|------|-----------|--------------------|--------|
| 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap-overflow → RCE over Wi-Fi/LAN |
| 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated RCE chain on any Linux desktop/server with CUPS browsing enabled |
| 2024 | CVE-2024-35235 | cupsd ≤ 2.4.8 | Symlink trick → arbitrary **chmod 666** → privilege escalation |
| 2023 | CVE-2023-0856 (Pwn2Own) | Canon firmware | Stack-overflow in `sides` attribute → remote code execution |
### cups-browsed RCE chain (September 2024)
1. `cups-browsed` listens on **UDP/631** for printer advertisements.
2. An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176).
3. `libcupsfilters` automatically fetches the remote **PPD** without validation (CVE-2024-47076 & 47175).
4. A crafted PPD abuses the **foomatic-rip** filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177).
Proof-of-concept code is public on the researchers' blog, and the exploit requires **no authentication**; network access to UDP/631 is enough.
#### Temporary mitigations
```bash
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo ufw deny 631/udp # or equivalent firewall rule
```
Patches were released by major distributions in October 2024; ensure **cups-filters ≥ 2.0.0**.
### cupsd symlink `Listen` misconfiguration (CVE-2024-35235)
Placing a symbolic link in the `Listen` directive of *cupsd.conf* causes **cupsd (root)** to `chmod 666` an attacker-chosen path, leading to writable system files and, on Ubuntu, code execution via a malicious PPD with `FoomaticRIPCommandLine`.
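Both the cups-browsed chain and the `Listen` symlink bug end in the same artifact on the victim: a PPD under `/etc/cups/ppd/` whose `*FoomaticRIPCommandLine` carries shell syntax, or whose `*cupsFilter`/`*cupsFilter2` entry names a filter binary outside the CUPS filter directory. The scanner below is an added example, not code from the original page or from the CUPS project. The two PPD texts are constructed for the example, `/usr/lib/cups/filter/` is assumed as the Debian-style filter directory (pass `filter_dir` for other layouts), and a lone pipe is deliberately not flagged because some legitimate foomatic command lines chain `gs` into a second converter.

```python
import re

# Keyword whose value foomatic-rip hands to a shell (the abuse path behind CVE-2024-47177 and CVE-2024-35235)
SHELL_KEYWORD = "FoomaticRIPCommandLine"
# Keywords naming the filter program cupsd will execute for a queue
FILTER_KEYWORDS = ("cupsFilter", "cupsFilter2")
# Shell syntax that has no business in a driver command line: command substitution, separators, redirects
SHELL_META = re.compile(r"\$\(|`|;|&&|\|\||>>?")
# "*Keyword[ option]: value" as used by PPD files; comments start with "*%"
KEY_LINE = re.compile(r"^\*([A-Za-z0-9_?-]+)(?:\s+([^:]*?))?\s*:\s*(.*)$")


def parse_ppd(text):
    """Return (keyword, option, value) triples; a quoted value that spans several lines is joined."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = KEY_LINE.match(line)
        if line.startswith("*%") or not m:            # comment, blank or stray continuation text
            continue
        key, opt, value = m.group(1), m.group(2), m.group(3)
        while value.count('"') == 1 and i < len(lines):   # unterminated quote: value continues
            value += " " + lines[i].strip()
            i += 1
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries.append((key, opt, value))
    return entries


def audit_ppd(text, filter_dir="/usr/lib/cups/filter/"):
    """Return (keyword, reason) findings. filter_dir is the ServerBin filter directory (assumed Debian layout)."""
    findings = []
    for key, _opt, value in parse_ppd(text):
        if key == SHELL_KEYWORD:
            hits = sorted(set(SHELL_META.findall(value)))
            if hits:
                findings.append((key, "shell metacharacters %s in driver command line: %r" % (hits, value)))
        elif key in FILTER_KEYWORDS and value.split():
            program = value.split()[-1]               # last field of a cupsFilter line is the program
            if program.startswith("/") and not program.startswith(filter_dir):
                findings.append((key, "filter program outside %s: %s" % (filter_dir, program)))
    return findings


# Constructed sample PPD with an ordinary two-line foomatic command line (not a real vendor file)
BENIGN_PPD = """*PPD-Adobe: "4.3"
*% Constructed sample for this example
*ModelName: "Generic PCL-XL Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=pxlmono
  -sOutputFile=- -"
*DefaultResolution: 600dpi
"""

# Constructed sample mimicking a planted PPD: a command appended after the real gs invocation,
# plus a filter pointing at a binary dropped in /tmp
SUSPICIOUS_PPD = """*PPD-Adobe: "4.3"
*% Constructed sample for this example
*ModelName: "Generic PCL-XL Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=pxlmono -sOutputFile=- -; /bin/touch /tmp/ppd-exec-marker"
*cupsFilter2: "application/pdf application/vnd.cups-raster 0 /tmp/rastertofoo"
"""

if __name__ == "__main__":
    import glob
    import sys
    paths = sys.argv[1:] or glob.glob("/etc/cups/ppd/*.ppd")   # audit real queues when run stand-alone
    for path in paths:
        with open(path, errors="replace") as fh:
            for key, reason in audit_ppd(fh.read()):
                print("%s: *%s -> %s" % (path, key, reason))
```

Run it without arguments on a CUPS host to sweep every installed queue, or pass PPD paths explicitly; a hit on `*FoomaticRIPCommandLine` is worth treating as an incident, while a `cupsFilter` finding may simply be a vendor driver installed outside the distribution's filter directory and needs a look at the binary itself.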
---
## Offensive Techniques
* **Unauthenticated raw print job**: many printers accept `POST /ipp/print` without auth. A malicious **PostScript** payload can invoke shell commands (`system("/bin/nc ...")`) on high-end devices.
* **Job Hijacking**: `Cancel-Job` followed by `Send-Document` lets an attacker replace someone else's document before it is physically printed.
* **SNMP → IPP combo**: the default community `public` often leaks the internal queue name required in the IPP URL.
---
## Defensive Best Practices
1. Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds.
2. Disable `cups-browsed` and UDP/631 unless zeroconf printing is required.
3. Restrict TCP/631 to trusted subnets/VPN and enforce **TLS (ipps://)**.
4. Require **Kerberos/Negotiate** or certificate auth instead of anonymous printing.
5. Monitor logs: `/var/log/cups/error_log` with `LogLevel debug2` will show unsolicited PPD downloads or suspicious filter invocations.
6. In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only.
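Items 2 to 4 above map onto a handful of `cupsd.conf` directives, and the `Listen` symlink issue (CVE-2024-35235) onto the `Listen` path. The auditor below is an added example, not code from the original page or from the CUPS project: it parses a `cupsd.conf` text and reports `Port` or wildcard `Listen` bindings, a `Listen` socket path that is a symlink, `Browsing On`, any `DefaultEncryption` other than `Required`, and `Allow all` inside `<Location />`. Both configuration texts are constructed for the example, and the `islink` callable is injectable so the symlink case can be exercised without touching the filesystem.

```python
import os
import re

WILDCARD_HOSTS = {"", "*", "0.0.0.0", "[::]"}   # Listen address forms that bind every interface
LOCATION_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.I)


def directives(text):
    """Yield (line_no, directive_lowercase, value, enclosing_location) from a cupsd.conf text."""
    location = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        m = LOCATION_OPEN.match(line)
        if m:
            location = m.group(1)
            continue
        if line.lower() == "</location>":
            location = None
            continue
        parts = line.split(None, 1)
        yield no, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else ""), location


def audit_cupsd_conf(text, islink=os.path.islink):
    """Return (line_no, finding) pairs; islink is injectable so tests need not create symlinks."""
    findings = []
    for no, name, value, location in directives(text):
        if name == "port":
            findings.append((no, "Port %s binds every interface; use 'Listen <trusted-addr>:%s' instead" % (value, value)))
        elif name == "listen":
            if value.startswith("/"):                 # domain socket path
                if islink(value):
                    findings.append((no, "Listen %s is a symlink: cupsd (root) chmods the link target (CVE-2024-35235 pattern)" % value))
            else:                                     # host:port; "[::1]:631" splits on the last colon
                host = value.rsplit(":", 1)[0] if ":" in value else ""
                if host in WILDCARD_HOSTS:
                    findings.append((no, "Listen %s binds every interface; restrict to trusted subnets/VPN" % value))
        elif name == "browsing" and value.lower() in ("on", "yes", "true"):
            findings.append((no, "Browsing %s: cupsd advertises its queues; turn off unless zeroconf printing is needed" % value))
        elif name == "defaultencryption" and value.lower() != "required":
            findings.append((no, "DefaultEncryption %s allows clear-text IPP; set Required so clients use ipps://" % value))
        elif name == "allow" and value.lower() == "all" and location == "/":
            findings.append((no, "Allow all inside <Location />: every client can reach the IPP endpoint"))
    return findings


# Constructed sample cupsd.conf with weak settings (not taken from a real host)
WEAK_CONF = """# constructed weak configuration
LogLevel warn
Port 631
Listen /var/tmp/cups.sock
Browsing On
DefaultEncryption Never
<Location />
  Order allow,deny
  Allow all
</Location>
"""

# Constructed hardened counterpart: one trusted address, TLS required, Negotiate auth, no browsing
HARDENED_CONF = """# constructed hardened configuration
LogLevel debug2
Listen 10.0.0.5:631
Listen /run/cups/cups.sock
Browsing Off
DefaultEncryption Required
DefaultAuthType Negotiate
<Location />
  Order allow,deny
  Allow 10.0.0.0/24
</Location>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                            # audit a real file, e.g. /etc/cups/cupsd.conf
        with open(sys.argv[1]) as fh:
            results = audit_cupsd_conf(fh.read())
    else:                                            # demo on the constructed weak sample
        results = audit_cupsd_conf(WEAK_CONF, islink=lambda p: p == "/var/tmp/cups.sock")
    for no, finding in results:
        print("line %d: %s" % (no, finding))
```

The hardened text is also a reasonable starting point for the print-server setup in item 6: a single `Listen` on the trusted interface, `DefaultEncryption Required`, and an `Allow` list instead of `Allow all`.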
## References
- Akamai “Critical Linux RCE Vulnerability in CUPS — What We Know and How to Prepare”, April 2025.
- Debian Security Tracker CVE-2024-35235 details.
{{#include ../banners/hacktricks-training.md}}