In September 2024, a vulnerability was disclosed in libppd, the OpenPrinting library from the cups-filters project that handles legacy PPD (PostScript Printer Description) files for CUPS (Common UNIX Printing System). Tracked as CVE-2024-47175, it lets an attacker who controls the attributes a printer reports over IPP inject arbitrary directives into a PPD file that libppd generates on the fly; chained with other bugs in the printing stack, that injection leads to code execution on the affected host. If you manage Linux printing stacks built on CUPS and cups-filters, or develop print-related software, this is one you need to understand.

Let’s walk through exactly how this bug happens, which code is vulnerable, why it can be exploited, show a proof of concept, and what you can do to defend your systems.

libppd is the OpenPrinting library (split out of cups-filters) that keeps PPD support alive for classic printer drivers now that CUPS itself has deprecated PPD files. In the chain described here it is the component that turns a remote printer's IPP attributes into a PPD.

- Attackers can achieve code execution through attacker-controlled printer attributes: the malicious values arrive over the network, and the generated PPD is later used by the CUPS filters on the victim host.
- Combined with CVE-2024-47176 in cups-browsed, which lets an unauthenticated packet on UDP port 631 make cups-browsed fetch attributes from an attacker-chosen IPP URL, this becomes unauthenticated remote code execution (RCE).

How The Vulnerability Happens

The vulnerable function is ppdCreatePPDFromIPP2 in libppd. This function takes data from an IPP (Internet Printing Protocol) response about a printer and generates a PPD file on the fly. Normally, the function should sanitize all inputs coming from the network or remote printers before generating the PPD file. However:

> ppdCreatePPDFromIPP2 does NOT sanitize the IPP attributes passed to it before placing them into a PPD buffer.

When CUPS-side software (cups-browsed, or any other caller of the libcupsfilters and libppd APIs) calls this function with attributes from a malicious printer, the values land in the PPD unfiltered. Each value is written inside a quoted PPD field, so a value that contains a double quote followed by a newline terminates the field and starts a new PPD line of the attacker's choosing. The PPD is then parsed by CUPS and by the filters it names, and some of those filters treat PPD directives as instructions to execute.

A related function, cfGetPrinterAttributes5 in libcupsfilters, is what fetches these attributes from the remote device (an IPP Get-Printer-Attributes request), so a network attacker who runs or impersonates the printer controls every value that reaches ppdCreatePPDFromIPP2.

Attackers can then embed shell commands or other payloads in crafted attribute values, leading to arbitrary code execution when the PPD is used by the print stack. In practice the executing component is foomatic-rip, which runs the value of a `*FoomaticRIPCommandLine` directive as a shell command when a job is filtered through it. CVE-2024-47176 supplies the remote trigger: cups-browsed accepts an unauthenticated UDP packet that makes it fetch attributes from an attacker-specified URL, which turns the PPD injection into unauthenticated remote code execution (RCE).

Below is a simplified version of the vulnerable logic (not real production code; the real functions take more parameters and the PPD generator writes many more fields):

```c
// cfGetPrinterAttributes5 (libcupsfilters) fetches the attributes from the printer
ipp_t *printerAttrs = cfGetPrinterAttributes5(printer_uri);

// These attributes are passed UNSANITIZED to the libppd function
ppd_file_t *ppdFile = ppdCreatePPDFromIPP2(printerAttrs, ...);

// The PPD buffer now contains attacker-controlled content that can include a payload
```

And in the vulnerable ppdCreatePPDFromIPP2 function (simplified):

```c
// Walks over all attributes and writes them into ppdBuf
for (attr = ippFirstAttribute(printerAttrs); attr; attr = ippNextAttribute(printerAttrs)) {
    // BAD: no sanitization of attribute names or values; a value containing '"' and '\n'
    // closes the quoted field and starts a new PPD line
    snprintf(ppdBuf + pos, size - pos, "*%s: \"%s\"\n",
             ippGetName(attr), ippGetString(attr, 0, NULL));
    pos += strlen(ppdBuf + pos); // advance past what was just written
}
```
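As an added illustration (not libppd's code), here is the vulnerable emission pattern from the snippet above next to a hardened version, in C. The attribute struct, the function names and the sample attribute value are assumptions for the demo; the real library goes through the IPP API and writes many more fields. It shows why the quoted-field format is the problem: one value containing a double quote and a newline produces a second PPD line, and the hardened emitter refuses exactly that.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one IPP attribute as libppd sees it; the real
 * library reads name/value through ippGetName()/ippGetString(). */
typedef struct {
    const char *name;
    const char *value;
} demo_attr_t;

/* Vulnerable pattern from the article: the value goes into the quoted PPD
 * field verbatim. Returns 0 on success, -1 if the buffer is too small. */
int ppd_emit_unsafe(char *buf, size_t size, const demo_attr_t *attrs, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + pos, size - pos, "*%s: \"%s\"\n",
                         attrs[i].name, attrs[i].value);
        if (w < 0 || (size_t)w >= size - pos)
            return -1;
        pos += (size_t)w;
    }
    return 0;
}

/* A string is safe inside a quoted PPD field only if it cannot close the
 * field or start a new line: no double quote, no CR/LF, no control bytes. */
int ppd_value_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '"' || *p == '\n' || *p == '\r' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened form: reject the whole attribute set if any name or value fails
 * the check, so a poisoned printer never yields a PPD. Returns -2 if rejected. */
int ppd_emit_safe(char *buf, size_t size, const demo_attr_t *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!ppd_value_is_safe(attrs[i].name) || !ppd_value_is_safe(attrs[i].value))
            return -2;
    }
    return ppd_emit_unsafe(buf, size, attrs, n);
}

/* Constructed attacker-controlled attribute (sample data, not a captured
 * response): the value closes the quote, injects a directive that foomatic-rip
 * runs as a shell command, and opens a dummy field so the generator's own
 * trailing '"' still parses. */
static const demo_attr_t poisoned[] = {
    { "printer-make-and-model",
      "Acme LaserWriter\"\n*FoomaticRIPCommandLine: \"id > /tmp/pwned\"\n*Dummy: \"" },
};

/* 1 if the vulnerable emitter produced an injected FoomaticRIPCommandLine line. */
int demo_unsafe_injects(void)
{
    char buf[512];
    if (ppd_emit_unsafe(buf, sizeof buf, poisoned, 1) != 0)
        return 0;
    return strstr(buf, "\n*FoomaticRIPCommandLine: \"") != NULL;
}

/* Return code of the hardened emitter on the same input (-2 means rejected). */
int demo_safe_result(void)
{
    char buf[512];
    return ppd_emit_safe(buf, sizeof buf, poisoned, 1);
}

/* The hardened emitter still accepts a normal make-and-model string. */
int demo_benign_ok(void)
{
    static const demo_attr_t benign[] = { { "printer-make-and-model", "Acme LaserWriter" } };
    char buf[128];
    return ppd_emit_safe(buf, sizeof buf, benign, 1) == 0
        && strcmp(buf, "*printer-make-and-model: \"Acme LaserWriter\"\n") == 0;
}

int main(void)
{
    char buf[512];
    ppd_emit_unsafe(buf, sizeof buf, poisoned, 1);
    printf("--- unsafe generator output ---\n%s", buf);
    printf("hardened generator returned %d\n", demo_safe_result());
    return 0;
}
```

Rejecting rather than escaping is the conservative choice: PPD has no uniform escaping rule that every consumer of the file honours, so a value that needs escaping is better treated as hostile.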

How Attackers Might Exploit

The attacker sets up a malicious network printer, or abuses the IPP interface of a real one, and makes it answer Get-Printer-Attributes with crafted values. When a CUPS component queries that printer and generates a PPD with the vulnerable function, the result is a PPD that embeds the attacker's directives. The filters named in the PPD then process it; foomatic-rip in particular executes the value of a `*FoomaticRIPCommandLine` directive as a shell command, so code execution follows as soon as a job is sent through that queue.

1. The attacker's printer returns an attribute whose value closes the quoted PPD field and appends directives of its own. Below, `\"` and `\n` stand for a literal double quote and newline inside the IPP string, and the attribute is one the generator copies into a quoted field (the make-and-model string, for instance):

```
Acme LaserWriter\"\n*FoomaticRIPCommandLine: \"/tmp/evil.sh\"\n*cupsFilter2: \"application/pdf application/vnd.cups-postscript 0 foomatic-rip\"\n*Dummy: \"
```

2. On the victim, cups-browsed (reached remotely through CVE-2024-47176) or another caller invokes cfGetPrinterAttributes5 against the attacker's URL and receives those attributes.

3. ppdCreatePPDFromIPP2 writes each attribute into the PPD buffer without checking it, so the injected text becomes real PPD lines.

4. The generated PPD, installed for the newly created queue, now contains:

```
*ModelName: "Acme LaserWriter"
*FoomaticRIPCommandLine: "/tmp/evil.sh"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*Dummy: ""
```

5. When a print job is sent to that queue, cupsd routes it through foomatic-rip as the cupsFilter2 line instructs, and foomatic-rip runs the FoomaticRIPCommandLine value as a shell command, executing the attacker's script. Note that the command runs as the CUPS filter user (lp by default), not as root, and that nothing executes until a job actually reaches the poisoned queue.
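Added example, not part of the original article or of cups-filters: a small C audit for PPDs already installed on a host, the check a responder wants after reading the steps above. It flags the directives that make foomatic-rip run commands; the function names and the two sample PPDs are constructed for the demo, and the /etc/cups/ppd/ path is where cupsd keeps the PPD of each configured queue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded substring search within one line (strstr would run into later lines). */
static int line_contains(const char *line, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(line + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Count PPD lines that can cause command execution when a job is filtered:
 *  - *FoomaticRIPCommandLine: its value is run as a shell command by foomatic-rip
 *  - *cupsFilter / *cupsFilter2 lines that route jobs through foomatic-rip
 * Genuine Foomatic driver PPDs contain these too, so every hit needs a human
 * look; in a PPD generated from IPP attributes they should never appear.
 * The first offending line is copied into first_hit when it is non-NULL. */
int ppd_audit(const char *ppd, char *first_hit, size_t hit_size)
{
    int hits = 0;
    const char *line = ppd;

    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        int risky = strncmp(line, "*FoomaticRIPCommandLine", 23) == 0;

        if (!risky && (strncmp(line, "*cupsFilter:", 12) == 0 ||
                       strncmp(line, "*cupsFilter2:", 13) == 0))
            risky = line_contains(line, len, "foomatic-rip");

        if (risky) {
            if (hits == 0 && first_hit && hit_size > 0) {
                size_t n = len < hit_size - 1 ? len : hit_size - 1;
                memcpy(first_hit, line, n);
                first_hit[n] = '\0';
            }
            hits++;
        }
        line = end ? end + 1 : NULL;
    }
    return hits;
}

/* Constructed sample: the shape of a PPD generated from a benign IPP printer. */
const char *sample_clean =
    "*PPD-Adobe: \"4.3\"\n"
    "*cupsFilter2: \"application/vnd.cups-pdf application/pdf 10 -\"\n"
    "*ModelName: \"Acme LaserWriter\"\n";

/* Constructed sample: the same PPD after the injection described above. */
const char *sample_poisoned =
    "*PPD-Adobe: \"4.3\"\n"
    "*ModelName: \"Acme LaserWriter\"\n"
    "*FoomaticRIPCommandLine: \"/tmp/evil.sh\"\n"
    "*cupsFilter2: \"application/pdf application/vnd.cups-postscript 0 foomatic-rip\"\n"
    "*Dummy: \"\"\n";

/* 1 if the first hit on the poisoned sample is the FoomaticRIPCommandLine line. */
int demo_first_hit_is_foomatic(void)
{
    char hit[160];
    return ppd_audit(sample_poisoned, hit, sizeof hit) == 2 &&
           strncmp(hit, "*FoomaticRIPCommandLine", 23) == 0;
}

/* Read a whole file into a NUL-terminated buffer (caller frees). */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    char *buf = malloc((size_t)n + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t got = fread(buf, 1, (size_t)n, f);
    buf[got] = '\0';
    fclose(f);
    return buf;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("sample_clean: %d hits, sample_poisoned: %d hits\n",
               ppd_audit(sample_clean, NULL, 0), ppd_audit(sample_poisoned, NULL, 0));
        return 0;
    }
    char *ppd = read_file(argv[1]);
    if (!ppd) { perror(argv[1]); return 1; }
    char hit[160] = "";
    int hits = ppd_audit(ppd, hit, sizeof hit);
    printf("%s: %d risky line(s)%s%s\n", argv[1], hits, hits ? ", first: " : "", hit);
    free(ppd);
    return hits ? 2 : 0;
}
```

Run it over every installed queue with a shell loop such as `for f in /etc/cups/ppd/*.ppd; do ./ppd_audit "$f"; done`; a non-zero exit marks a file to inspect, and a queue you never configured is a finding on its own.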

Update your software:

- OpenPrinting has released fixed versions of libppd for CVE-2024-47175 and of cups-browsed for CVE-2024-47176; the libppd fix makes ppdCreatePPDFromIPP2 validate attribute strings before they reach the PPD buffer. Install your distribution's updated libppd, cups-browsed, libcupsfilters and cups-filters packages.
- Official patch for libppd (see References).
- Until you can patch, stop and disable cups-browsed (`systemctl disable --now cups-browsed`) or set `BrowseRemoteProtocols none` in /etc/cups/cups-browsed.conf, and block inbound UDP port 631 at the host firewall. That removes the unauthenticated remote trigger; a user who manually adds a hostile printer can still reach the libppd bug, so patching remains the real fix.
- Audit /etc/cups/ppd/ for queues you did not create and for PPDs containing FoomaticRIPCommandLine directives.

References

- CVE-2024-47175 at MITRE
- Github Advisory for CVE-2024-47175
- Patch Commit in libppd
- CVE-2024-47176 RCE Chain

Conclusion

CVE-2024-47175 is a reminder that even old formats and protocols like PPD and IPP, when combined with careless handling of remote input, can hand a network attacker code execution. If you work with printers or support environments running CUPS, patch immediately and audit your printing infrastructure. Attackers don't need physical access to your network: an exposed cups-browsed service and this bug are enough to run commands as the CUPS filter user on the host, which is a foothold from which the rest of an intrusion proceeds. Stay safe, and stay updated.


Timeline

Published on: 09/26/2024 22:15:04 UTC
Last modified on: 09/30/2024 12:46:20 UTC