IPP / CUPS

Since version 1.0.0.dev10, Dementor includes a built-in IPP server that can be used to trigger multiple bugs which may lead to code execution on systems running the legacy CUPS browsing service. A practical example of such exploitation can be found in Abusing CUPS for RCE. The server is built using the awesome python-ipp package.

See also

This service was specifically implemented to address CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176. Special thanks to @Evilsocket for his initial research and blog entry on Attacking UNIX Systems via CUPS, Part I. You should definitely check that out before attempting to use this server.

Section [IPP]

Added in version 1.0.0.dev10.

Server Configuration

IPP.Port: int = 631

Linked to ipp.IPPConfig.ipp_port

Specifies the port used by the IPP server instance.

IPP.ServerType: str = "IPP/1.1"

Linked to ipp.IPPConfig.ipp_server_type

Defines the server name returned in the Server header. The value can be a formatted string, supporting templating (Jinja2). For example:

[IPP]
# ...
ServerType = "IPP/{{ random(3) }}" # results in: "IPP/cq2"

IPP.ExtraHeaders: List[str]

Maps to ipp.IPPConfig.ipp_extra_headers

Specifies additional headers to include in all server responses. Each entry must be a fully qualified HTTP header line without CRLF at the end.

Printer Attributes

The get-printer-attributes request retrieves a printer’s stored attributes. However, some printers may lack certain attributes. Therefore, additional attributes can be configured to be included in the response.

IPP.ExtraAttributes: List[AttributeDict]

Maps to ipp.IPPConfig.ipp_extra_attrib

Specifies additional attributes to include in the get-printer-attributes response. Each new attribute requires the following fields:

AttributeDict.name: str

Required setting

Specifies the name of the new attribute (e.g., printer-device-id).

AttributeDict.value: str | int | list

Optional, if AttributeDict.tag is defined

Specifies the value of the new attribute. Must match the registered data type.

AttributeDict.tag: int | str

Optional setting

Specifies the data type of the new attribute. Can be an IppTag string or an integer.

Example configuration:

[IPP]
ExtraAttributes = [
    { name = "printer-device-id", tag = "TEXT", value = "FOOBAR" },
]

See also

For a complete list of registered attributes, refer to Internet Printing Protocol (IPP) Registrations.

The following attributes can also be overridden using IPP.ExtraAttributes.

AttributeDict.PrinterName: str

Maps to ipp.IPPConfig.ipp_printer_name.

Defines the printer name to return to clients. If not specified, the printer name will be determined by the last path element of the request.

AttributeDict.PrinterInfo: str = "Printer Info"

Maps to ipp.IPPConfig.ipp_printer_info.

Defines the printer information attribute.

AttributeDict.PrinterLocation: str = "outside"

Maps to ipp.IPPConfig.ipp_printer_location.

Defines the printer location attribute. This value is not used if the location is specified in the CUPS request.

AttributeDict.PrinterModel: str = "HP 8.0"

Maps to ipp.IPPConfig.ipp_printer_model.

Defines the printer model attribute. This setting is required by the CUPS client.

AttributeDict.DriverUri: str

Maps to ipp.IPPConfig.ipp_driver_uri.

Specifies a custom printer driver URI that clients can use to download a driver.

AttributeDict.DocumentFormats: List[str]

Maps to ipp.IPPConfig.ipp_supported_formats.

Defines the supported print document formats.

AttributeDict.DefaultDocumentFormat: str = "text/plain"

Maps to ipp.IPPConfig.ipp_default_format.

Defines the default print document format.

AttributeDict.SupportedVersions: List[str] = ["1.0", "1.1", "2.0", "2.1", "2.2"]

Maps to ipp.IPPConfig.ipp_supported_versions.

Specifies the supported IPP versions.

AttributeDict.SupportedOperations: List[str | int] = range(0x0001, 0x0013)

Maps to ipp.IPPConfig.ipp_supported_operations.

Specifies the operations supported by the server. These operations cannot be removed unless explicitly overridden using ExtraAttributes.

CVE-2024-47175 / CVE-2024-47076

The following settings were introduced to specifically address CVE-2024-47175 and CVE-2024-47076. For practical usage, refer to Abusing CUPS for RCE.

AttributeDict.RemoteCmd: str

Maps to ipp.IPPConfig.ipp_remote_cmd.

Specifies the command to inject into the generated PPD. (CVE-2024-47175)

AttributeDict.RemoteCmdAttribute: str = "printer-privacy-policy-uri"

Maps to ipp.IPPConfig.ipp_remote_cmd_attr.

Specifies the printer attribute that stores the malformed text. (CVE-2024-47176)

AttributeDict.RemoteCmdCupsFilter: str

Maps to ipp.IPPConfig.ipp_remote_cmd_filter.

Specifies the printer attribute that stores the malformed text (CVE-2024-47176). Ensure that foomatic-rip is present in this filter string so that the FoomaticRIPCommandLine is interpolated correctly.
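Seen from the receiving side, these settings mean a get-printer-attributes response can carry PPD directive text inside an ordinary string attribute. The following added example (not part of Dementor or python-ipp) flags such values in attributes that have already been decoded; the dict layout, function names and sample values are assumptions constructed for illustration.

```python
import re

# PPD keywords named on this page; seeing them inside an IPP string
# attribute means the value carries PPD syntax, not printer metadata.
PPD_MARKERS = ("foomaticripcommandline", "foomatic-rip", "cupsfilter")

# Any C0 control character (includes CR and LF) or DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def inspect_value(value):
    """Return the reasons one attribute value looks like PPD injection."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    if not isinstance(value, str):
        return []  # integers, booleans etc. cannot carry PPD text
    reasons = []
    if CONTROL_CHARS.search(value):
        reasons.append("control-character")
    lowered = value.lower()
    reasons += [f"ppd-keyword:{m}" for m in PPD_MARKERS if m in lowered]
    return reasons


def scan_attributes(attrs):
    """Map attribute name -> sorted reasons, for every suspicious attribute."""
    findings = {}
    for name, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        reasons = {r for v in values for r in inspect_value(v)}
        if reasons:
            findings[name] = sorted(reasons)
    return findings


# Constructed sample: decoded get-printer-attributes response values.
SAMPLE = {
    "printer-info": "Printer Info",
    "printer-location": "outside",
    "document-format-supported": ["text/plain", "application/pdf"],
    "printer-privacy-policy-uri":
        "https://printer.example/policy\n*FoomaticRIPCommandLine: PLACEHOLDER",
}

if __name__ == "__main__":
    for name, reasons in scan_attributes(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Keyword hits are the higher-signal finding; a control-character hit alone can also come from a benign multi-line text attribute and is better treated as a reason to review the value.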

Default Configuration

IPP configuration section (default values)

[IPP]
Port = 631
ServerType = "IPP/1.1"
PrinterInfo = "Printer Info"
PrinterModel = "HP 8.0"
PrinterLocation = "outside"
DefaultDocumentFormat = "text/plain"
SupportedVersions = ["1.0", "1.1", "2.0", "2.1", "2.2"]
DocumentFormats = [
    "text/html",
    "text/plain",
    "text/plain; charset = US-ASCII",
    "text/plain; charset = ISO-8859-1",
    "text/plain; charset = utf-8",
    "application/postscript",
    "application/vnd.hp-PCL",
    "application/pdf",
    "application/octet-stream",
]