A brand new open-source scanner has been launched to detect a crucial vulnerability within the Widespread Unix Printing System (CUPS), explicitly concentrating on CVE-2024-47176.
This vulnerability and others within the chain pose important dangers as it will probably enable distant code execution on UNIX and UNIX-like techniques.
The scanner goals to assist system directors determine and mitigate these vulnerabilities earlier than malicious actors can exploit them.
What’s CUPS, and Why Does it Matter?
CUPS, or the Widespread Unix Printing System, is an open-source framework extensively used for managing and controlling printers on UNIX and UNIX-like techniques.
UNIX and Linux assist it, and a few Apple gadgets make it one of the crucial prevalent printing libraries.
Given its widespread use, any vulnerabilities inside CUPS can have far-reaching implications, affecting quite a few techniques globally.
A number of crucial vulnerabilities have lately been recognized in CUPS, together with CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.
These vulnerabilities may be chained collectively to permit a distant attacker so as to add or reconfigure community printers to execute arbitrary code when customers try to print from them.
Analyse Any Suspicious Hyperlinks Utilizing ANY.RUN’s New Protected Looking Device: Attempt for Free
A Fast Overview of CVE-2024-47176
In accordance with the MalwareTech report in Github, the vulnerability CVE-2024-47176 is discovered within the cups-browsed daemon.
The flaw arises as a result of cups-browsed binds its management port (UDP port 631) to INADDR_ANY, making it accessible to the world with out authentication.
This implies anybody reaching the management port can instruct cups-browsed to carry out printer discovery.
Even when the port isn’t immediately accessible from the web on account of firewalls or NAT configurations, it could nonetheless be reachable by way of native networks.
This opens up potentialities for privilege escalation and lateral motion inside a corporation’s community.
How CVE-2024-47176 Scanning Works
The exploitation course of usually begins with an attacker sending a specifically crafted request to cups-browsed on UDP port 631.
This causes cups-browsed to achieve a malicious URL managed by the attacker. Attackers can determine inclined techniques by triggering a susceptible cups-browsed occasion to problem an HTTP request (callback) to a server beneath their management.
The scanning course of entails:
- Organising a fundamental HTTP server.
- Crafting a UDP packet instructing cups-browsed to connect with this server.
- Sending the UDP packet throughout a spread of IP addresses on port 631.
- Logging any POST requests triggered by susceptible situations.
Automating Scans with cups_scanner.py
The newly launched Python script, cups_scanner.py, automates this scanning course of. It handles each the HTTP server setup and the scanning itself.
The script launches a short lived HTTP server utilizing http.server on a specified IP and port, constructs UDP packets, and sends them throughout specified IP ranges. It captures callbacks from susceptible situations and logs them for evaluation.
Command Line Arguments
- –goal: Specifies the CIDR(s) to scan.
- –callback: Units the native IP and port for internet hosting the HTTP server.
- –scan-unsafe: Overrides default conduct to scan all addresses, together with community and broadcast addresses.
Instance Utilization
To scan CIDR 10.0.0.0/24 from IP deal with 10.0.0.1 with a callback server on port 1337:
python3 cups_scanner.py --targets 10.0.0.0/24 --callback 10.0.0.1:1337This software supplies system directors with a strong methodology for proactively figuring out and addressing vulnerabilities of their CUPS configurations, enhancing safety throughout their networks.
Improve Your Cybersecurity Expertise With 100+ Premium Cyber Safety Programs On-line - Enroll Right here