Survey of CUPS exploit attempts

    Published: 2024-10-04. Last Updated: 2024-10-04 14:14:14 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

    We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitations. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability

    Top URLs

    http://192.34.63.88:5674/printers/securitytest3/

    The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do no t have a prior history from this IP address.

    http://194.113.74.187:631/printers/amongus

    Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.

    http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"

    The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.

    http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"

    Note the similar base64 encoded string. This one decoded to "benignprinters". 

    http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure

    The URL hopefully identifies the purpose of the scan correctly :) . Oastify.com is used by the Burp collaboration server.

    http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"

    Another "benignbe" URL. Interestingly a Microsoft/GitHub IP address.

    http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)

    This IP is associated with internet-measurement.com.

    So far, I only saw two "ipp" URLs:

    ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"

    and 

    ipp://199.247.0.94:631/printers/test

    I will try to setup some automated responses soon to get a bit more detail.

     

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    Keywords:
    0 comment(s)
    ISC Stormcast For Friday, October 4th, 2024 https://isc.sans.edu/podcastdetail/9166

      Comments


      Diary Archives