Linux OpenPrinting CUPS page-border cupsFilter2 Injection Vulnerability Remote Code Execution Exploit

In a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. In CUPS, the server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line "PPD:" text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary with with lp user privileges. This module will first get the list of the shared printers of the target. Then, it will register an endpoint in the local webserver for future files exfiltrations. Later, it will use the vulnerability against each shared printer to exfiltrate the /etc/os-release file. If the file is retrieved, then the target will be marked as vulnerable and the following printers will be skipped in the attack. Also, the ID field of the exfiltrated file will be used to identify the Linux distribution and decide the following step of the attack. If the Linux distribution is Arch, then the module will use the vulnerability again to deploy an agent in the target that will run with the cups user privileges. If the Linux distribution is any other, the module will use the vulnerability again to exfiltrate the /etc/passwd file. This is due the fact that in any other Linux distribution CUPS's sub-processes are isolated and monitored by AppArmor or SELinux.
Exploit Platform
Product Name