Printing is something most of us don’t think about—until it goes terribly wrong. This long read explores CVE-2024-47176, a critical vulnerability in cups-browsed (part of the popular CUPS printing system for Linux and Unix). We’ll walk through what went wrong, provide code examples, give you links to authoritative sources, and show how this bug can lead to Remote Code Execution (RCE) *without authentication* in some scenarios.
If your Linux machine runs “out of the box” printing, keep reading—your network printer could be a doorway for attackers.
What Is CUPS And cups-browsed?
CUPS (Common UNIX Printing System) is the default printing system on most Linux distributions and macOS. It lets you print, scan, and discover printers across a network using the Internet Printing Protocol (IPP).
cups-browsed is a daemon that automatically discovers network printers and helps set them up for client machines. For ease of use, it listens for announcements and broadcasts on the network—so new printers “just work.”
cups-browsed Listens Everywhere
Inside your /etc/services, port 631 is reserved for IPP. By default, cups-browsed will bind to INADDR_ANY:631 (...:631), listening for the entire world—not just local machines. That means any host can send it packets.
Where Trust Goes Wrong
When a new printer broadcasts its existence (using IPP, DNS-SD, or legacy protocols), cups-browsed will fetch its attributes, such as paper size, supported options, and configuration URLs. But the implementation is overly trusting: it will send a Get-Printer-Attributes request to whatever printer advertises itself, *regardless of source*.
Step 1: Fake Printer Announcement
An attacker creates a rogue service that announces itself as a printer. When cups-browsed detects it, it automatically sends it a Get-Printer-Attributes IPP request.
Step 2: Hostile Response
The malicious printer responds with attributes containing URLs, scripts, or payloads designed to exploit vulnerabilities. The main risk is when combined with other flaws (see below).
Step 3: Chaining With Other Vulnerabilities
By itself, CVE-2024-47176 lets attackers influence what the victim’s CUPS service fetches or runs. Combined with vulnerabilities like:
* CVE-2024-47076
* CVE-2024-47175
* CVE-2024-47177
…it’s possible to go from packet injection to *remote command execution*—simply by printing to a malicious printer.
Example: Malicious Printer Discovery
Here’s a basic Python example simulating a network printer that announces itself using ZeroConf/Bonjour (mDNS). A full PoC is more complex, but this illustrates the core idea:
```python
# Fake Printer Announcement (Python 3, needs zeroconf library)
from zeroconf import ServiceInfo, Zeroconf
import time

desc = {'note': 'Malicious Printer'}
info = ServiceInfo(
    "_ipp._tcp.local.",
    "FakePrinter._ipp._tcp.local.",
    addresses=[b"\xc0\xa8\x01\x64"],  # 192.168.1.100 as 4 packed bytes
    port=631,
    properties=desc,
)

zeroconf = Zeroconf()
print("Registering malicious printer service...")
zeroconf.register_service(info)
try:
    while True:
        time.sleep(10)  # Remain visible to cups-browsed clients
finally:
    # Always withdraw the announcement and release the sockets on exit
    zeroconf.unregister_service(info)
    zeroconf.close()
```
Once this “printer” is visible, any Linux machine running cups-browsed on the network may discover it and reach out. If your fake IPP server provides a crafted response exploiting a buffer overflow, use-after-free, or command injection—score!
Here’s what red teamers and black hats love
1. Lure a victim’s desktop/laptop onto Wi-Fi or local LAN (coffee shop, enterprise Wi-Fi).
2. Wait for cups-browsed to connect and download attributes.
3. Exploit the victim’s system with further vulnerabilities—like those cited—to run code, steal credentials, or move laterally.
No user interaction required. A GNOME/KDE user could just boot up and become infected.
Official References
- CVE-2024-47176 (NIST)
- GitHub: OpenPrinting cups-filters
- Debian Security Advisory DSA-5754-1 cups-filters
- Canonical Ubuntu Security Notices (USN-6789-1)
- Patch Now – Watch for updates from your distro (Debian, Ubuntu, Red Hat, etc.).
- Restrict Network Scope – If possible, configure cups-browsed to bind only to localhost/network interfaces you trust.
- Disable cups-browsed if you don’t use network printers or dynamic discovery.
- Network Segmentation – Don’t let printing devices or clients communicate with untrusted hosts.
Disabling cups-browsed (Systemd)
```bash
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
```
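To confirm the exposure described earlier (a socket bound to INADDR_ANY on port 631), or to verify that a mitigation took effect, the following added example parses the Linux `/proc/net` socket tables; it is not code from the original article or from the CUPS project. The function names and the sample rows are constructed for illustration, and the check also covers the IPv6 and TCP tables, which goes beyond the single case the article describes.

```python
# Added example: find sockets bound to the wildcard address on port 631.
from pathlib import Path

IPP_PORT = 631
PROC_TABLES = ("udp", "udp6", "tcp", "tcp6")  # files under /proc/net

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34567 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34570 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   112        0 20111 2 0000000000000000 0
"""


def wildcard_binds(table_text, proto, port=IPP_PORT):
    """Return (proto, inode) for each socket bound to the wildcard address on port.

    The local_address column is HEXADDR:HEXPORT; an all-zero HEXADDR is
    INADDR_ANY (or :: in the udp6/tcp6 tables).
    """
    hits = []
    for row in table_text.splitlines()[1:]:  # first line is the column header
        fields = row.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue  # truncated or malformed row
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        try:
            exposed = int(port_hex, 16) == port and int(addr_hex, 16) == 0
        except ValueError:
            continue  # non-hex garbage in the address column
        if exposed:
            hits.append((proto, fields[9]))  # column 9 is the socket inode
    return hits


def audit_host(proc_net="/proc/net"):
    """Scan the live kernel tables (Linux only); absent tables are skipped."""
    hits = []
    for proto in PROC_TABLES:
        path = Path(proc_net) / proto
        if path.is_file():
            hits += wildcard_binds(path.read_text(), proto)
    return hits


if __name__ == "__main__":
    for proto, inode in audit_host():
        print(f"{proto}: inode {inode} bound to wildcard address, port {IPP_PORT}")
```

The kernel tables do not name the owning process, so a hit still has to be matched to cups-browsed (for example with `ss -lunp` run as root) before drawing conclusions.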
Conclusion
CVE-2024-47176 shows how problems with blind trust in network discovery can give attackers a foothold in otherwise secure Linux systems. Always follow the principle of least privilege—not every device on your network is a friend.
Stay patched, stay vigilant, and remember: convenience in IT often comes at the cost of new attack surfaces.
*This security deep dive is authored exclusively for you by ChatGPT.*
Timeline
Published on: 09/26/2024 22:15:04 UTC
Last modified on: 10/02/2024 20:15:11 UTC