Hacktricks-skills ipp-pentest

Internet Printing Protocol (IPP) security assessment and pentesting. Use this skill whenever the user mentions IPP, CUPS, port 631, printer security, network printing vulnerabilities, or needs to enumerate/test printing services. This skill covers enumeration, vulnerability assessment, and exploitation techniques for IPP/CUPS services on port 631/tcp and 631/udp.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp/SKILL.MD

IPP/CUPS Pentesting Skill

This skill enables security assessment of Internet Printing Protocol (IPP) services, primarily targeting CUPS (Common Unix Printing System) and network printers on port 631.

When to Use This Skill

Trigger this skill when the user:

  • Mentions IPP, CUPS, or port 631
  • Wants to assess printer security or network printing vulnerabilities
  • Needs to enumerate printing services on a target
  • Is investigating CVE-2024-47076, CVE-2024-35235, or similar CUPS vulnerabilities
  • Wants to test for unauthenticated print job injection
  • Needs to audit printing infrastructure security

Quick Start

# Basic enumeration
nmap -sV -p631 --script=cups-info,cups-queue-info <target>

# Full CUPS script suite (pattern quoted so the shell does not expand it against local files)
nmap -sV -p631 --script="cups*" <target>

# UDP discovery (if cups-browsed is running)
ippfind --timeout 3 --txt -v "@local and port=631"

Enumeration Workflow

Step 1: Service Discovery

Use the bundled enumeration script to identify IPP services:

./scripts/ipp-enumerate.sh <target>

This runs:

  • TCP port 631 scan with version detection
  • NSE scripts for CUPS info extraction
  • UDP 631 discovery for cups-browsed
  • Shodan/Censys query generation for public exposure check

Step 2: Detailed Information Gathering

# Using ipptool (requires CUPS installed)
ipptool -tv ipp://<target>/ipp/print get-printer-attributes.test

# Raw IPP request (Python)
python3 ./scripts/raw-ipp-query.py <target>

The raw IPP script crafts minimal Get-Printer-Attributes requests to extract:

  • Firmware version
  • Supported document formats
  • Printer state and capabilities
  • Queue information
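
The Get-Printer-Attributes exchange described above, as an added example that is not the repo's raw-ipp-query.py: it encodes the request body in the RFC 2910 layout and parses a response, so an auditor can see exactly which attributes a device discloses. The function names, the printer URI used in testing and the SAMPLE_RESPONSE bytes are constructed for illustration.

```python
import struct

OP_GET_PRINTER_ATTRIBUTES = 0x000B      # operation-id defined in RFC 2911
TAG_OPERATION, TAG_END = 0x01, 0x03     # delimiter tags (RFC 2910)

def attr(tag, name, value):
    """Encode one attribute: value-tag, name-length, name, value-length, value."""
    n = name.encode()
    v = value if isinstance(value, bytes) else value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def build_get_printer_attributes(printer_uri, request_id=1):
    """Body of an IPP/1.1 Get-Printer-Attributes request (HTTP POST, application/ipp)."""
    head = struct.pack(">BBHI", 1, 1, OP_GET_PRINTER_ATTRIBUTES, request_id)
    return (head + bytes([TAG_OPERATION])
            + attr(0x47, "attributes-charset", "utf-8")
            + attr(0x48, "attributes-natural-language", "en")
            + attr(0x45, "printer-uri", printer_uri) + bytes([TAG_END]))

def parse_ipp(data):
    """Return ((major, minor), status_or_operation, request_id, {name: [values]})."""
    major, minor, code, request_id = struct.unpack_from(">BBHI", data, 0)
    pos, attrs, last = 8, {}, None
    while pos < len(data) and data[pos] != TAG_END:
        tag, pos = data[pos], pos + 1
        if tag < 0x10:                  # delimiter tag: a new attribute group starts
            continue
        nlen = int.from_bytes(data[pos:pos + 2], "big")
        name = data[pos + 2:pos + 2 + nlen].decode(errors="replace")
        start = pos + 4 + nlen          # first byte of the value
        vlen = int.from_bytes(data[start - 2:start], "big")
        raw, pos = data[start:start + vlen], start + vlen
        if pos > len(data):
            raise ValueError("truncated attribute")
        is_int = tag in (0x21, 0x23) and vlen == 4      # integer or enum
        value = struct.unpack(">i", raw)[0] if is_int else raw.decode(errors="replace")
        last = name or last             # empty name: extra value of the previous attribute
        attrs.setdefault(last, []).append(value)
    return (major, minor), code, request_id, attrs

# Constructed sample response (not captured from a device); status 0x0000 = successful-ok.
SAMPLE_RESPONSE = b"".join([
    struct.pack(">BBHI", 1, 1, 0x0000, 1), b"\x01", attr(0x47, "attributes-charset", "utf-8"),
    attr(0x48, "attributes-natural-language", "en"), b"\x04",   # 0x04: printer-attributes group
    attr(0x41, "printer-firmware-string-version", "1.0.0-constructed"),
    attr(0x49, "document-format-supported", "application/pdf"),
    attr(0x49, "", "application/postscript"),
    attr(0x23, "printer-state", struct.pack(">i", 3)), b"\x03",
])
```

A firmware string or a long document-format-supported list in the parsed output is the kind of disclosure to record in the assessment; printer-state 3 means idle.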

Step 3: Vulnerability Assessment

Check for known vulnerabilities:

./scripts/ipp-vuln-check.sh <target>

This checks for:

  • CVE-2024-47076/47175/47176/47177: cups-browsed RCE chain (2024)
  • CVE-2024-35235: cupsd symlink misconfiguration (2024)
  • CVE-2023-50739: Lexmark firmware heap overflow (2025)
  • CVE-2023-0856: Canon stack overflow (2023)

Offensive Techniques

Unauthenticated Print Job Injection

Many printers accept POST requests to /ipp/print without authentication:

python3 ./scripts/test-unauth-print.py <target> <payload-file>

Warning: Only use on systems you own or have explicit authorization to test.

Job Hijacking

Replace pending print jobs:

  1. Enumerate queue:
    nmap -p631 --script=cups-queue-info <target>
  2. Cancel target job:
    ipptool -tv ipp://<target>/ipp/print cancel-job.test
  3. Send replacement:
    ipptool -tv ipp://<target>/ipp/print send-document.test

SNMP + IPP Combo

Default SNMP community strings often leak queue names:

snmpwalk -c public -v1 <target> .1.3.6.1.2.1.43
# Use returned queue name in IPP URL: ipp://<target>/ipp/<queue-name>

Vulnerability Details

CVE-2024-47076 Series (cups-browsed RCE Chain)

Impact: Full unauthenticated RCE on Linux systems with CUPS browsing enabled

Attack Chain:

  1. Send spoofed UDP packet to port 631 (CVE-2024-47176)
  2. Point to malicious IPP URL with crafted PPD
  3. libcupsfilters fetches PPD without validation (CVE-2024-47076/47175)
  4. FoomaticRIPCommandLine executes shell commands (CVE-2024-47177)

Detection: Check if cups-browsed is running:

systemctl status cups-browsed
ss -ulnp | grep 631

Mitigation:

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo ufw deny 631/udp

CVE-2024-35235 (cupsd Symlink)

Impact: Arbitrary file chmod 666 → privilege escalation

Vector: Symbolic link in cupsd.conf Listen directive

Detection:

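# Print any Unix-socket Listen path from cupsd.conf that is a symbolic link
awk 'tolower($1) == "listen" && $2 ~ /^\// {print $2}' /etc/cups/cupsd.conf | while read -r p; do [ -L "$p" ] && ls -l "$p"; done
# List symbolic links inside /etc/cups/
ls -la /etc/cups/ | grep "^l"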

Defensive Recommendations

  1. Patch Management: Keep CUPS ≥ 2.4.10 and cups-filters ≥ 2.0.0
  2. Disable cups-browsed: Unless zeroconf printing is required
  3. Firewall Rules: Restrict TCP/631 to trusted subnets, block UDP/631
  4. Enforce TLS: Use ipps:// (port 631 with TLS) instead of ipp://
  5. Authentication: Require Kerberos/Negotiate or certificate auth
  6. Logging: Set LogLevel debug2 in cupsd.conf, monitor /var/log/cups/error_log
  7. Network Segmentation: Isolate print servers, proxy via USB-only devices
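
A configuration check for recommendations 2, 3, 4 and 6, as an added example that is not one of the repo's scripts: it reads cupsd.conf and cups-browsed.conf text and reports explicit directives that contradict the list above. The function names and both sample configurations are constructed, and compiled-in defaults for absent directives are not modelled (assumption).

```python
LOOPBACK = ("localhost", "127.0.0.1", "[::1]")

def directives(text):
    """Yield (lowercased name, value) per directive line, skipping comments and <Section> tags."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts and not parts[0].startswith("<"):
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def audit(cupsd_conf, browsed_conf=""):
    """Return findings for explicit settings that contradict the recommendations."""
    findings = []
    for name, value in directives(cupsd_conf):
        if name == "port":
            findings.append(f"Port {value}: listens on every interface")
        elif name == "listen" and not value.startswith("/"):
            # Unix-socket paths start with "/"; everything else is host:port
            if value.rsplit(":", 1)[0] not in LOOPBACK:
                findings.append(f"Listen {value}: reachable beyond loopback")
        elif name == "defaultencryption" and value.lower() != "required":
            findings.append(f"DefaultEncryption {value}: TLS not enforced")
        elif name == "loglevel" and value.lower() != "debug2":
            findings.append(f"LogLevel {value}: below the recommended debug2")
    for name, value in directives(browsed_conf):
        if name == "browseremoteprotocols" and "cups" in value.lower().split():
            findings.append("BrowseRemoteProtocols includes cups: legacy UDP/631 browsing accepted")
    return findings

# Constructed sample configurations (weak setting beside the corrected one).
WEAK_CUPSD = """
Port 631
Listen /run/cups/cups.sock
DefaultEncryption IfRequested
LogLevel warn
"""
HARDENED_CUPSD = """
Listen localhost:631          # loopback only; a print server would list a trusted address
Listen /run/cups/cups.sock
DefaultEncryption Required
DefaultAuthType Negotiate
LogLevel debug2
"""
WEAK_BROWSED = "BrowseRemoteProtocols dnssd cups\n"
HARDENED_BROWSED = "BrowseRemoteProtocols none\n"
```

A Listen finding on a real print server is expected; treat it as a prompt to confirm that the firewall limits TCP/631 to trusted subnets.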

Output Format

All scripts output results in structured format:

{
  "target": "<ip>",
  "port": 631,
  "service": "CUPS",
  "version": "2.4.7",
  "vulnerabilities": [
    {
      "cve": "CVE-2024-35235",
      "severity": "HIGH",
      "status": "VULNERABLE",
      "details": "..."
    }
  ],
  "recommendations": [...]
}

References

  • RFC 2910: Internet Printing Protocol/1.1: Encoding and Transport
  • RFC 2911: Internet Printing Protocol/1.1: Specification
  • Akamai: "Critical Linux RCE Vulnerability in CUPS" (April 2025)
  • Debian Security Tracker: CVE-2024-35235
  • Shodan: product:"CUPS (IPP)" port:631