Survey of CUPS exploit attempts, (Fri, Oct 4th)

SANS Internet Storm Center, InfoCON: green 2024-10-04

It has been about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitation. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability.
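As an added example (not code from the original diary), the following Python parser handles the UDP browse packets that cups-browsed accepts on port 631, which is what a collector like the one described above receives. The layout is the one cups-browsed parses: a hex type and state, the printer URI, then optional quoted location, info and make-and-model strings. The parser also tries to base64-decode the last path component, since several of the observed printer names are base64. The sample packets are constructed for this example using RFC 5737 documentation addresses and modeled on the probes listed below; the function and class names are this example's own.

```python
"""Parse cups-browsed UDP browse packets (port 631) and tally the advertised printer URIs.

Added example for this diary, not code from the original post. Sample packets are
constructed with RFC 5737 documentation addresses, modeled on the observed probes.
"""
import base64
import binascii
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Browse packet layout as cups-browsed parses it:
#   <type-hex> <state-hex> <uri> "<location>" "<info>" "<make-and-model>" [#options]
# Only the first three fields are mandatory; the quoted fields are optional.
_HEADER_RE = re.compile(r'^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)(.*)$', re.S)
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class BrowsePacket:
    ptype: int
    state: int
    uri: str
    scheme: str
    host: str
    port: Optional[int]
    path: str
    quoted: List[str]            # location, info, make-and-model, in the order sent
    decoded_name: Optional[str]  # base64-decoded last path component, if it decodes to text


def _maybe_base64(name: str) -> Optional[str]:
    """Return the decoded text if `name` is valid base64 of printable ASCII, else None."""
    if not name:
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    text = text.strip()
    return text if text and text.isprintable() else None


def parse_browse_packet(raw: bytes) -> Optional[BrowsePacket]:
    """Parse one UDP payload; return None if it is not shaped like a browse packet."""
    m = _HEADER_RE.match(raw.decode("utf-8", errors="replace"))
    if not m:
        return None
    ptype, state, uri, rest = m.groups()
    parts = urlsplit(uri)
    try:
        port = parts.port  # ValueError on an out-of-range or non-numeric port
    except ValueError:
        port = None
    # Unescape backslash-escaped characters inside the quoted fields.
    quoted = [re.sub(r'\\(.)', r'\1', q) for q in _QUOTED_RE.findall(rest)]
    name = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return BrowsePacket(
        ptype=int(ptype, 16), state=int(state, 16), uri=uri,
        scheme=parts.scheme, host=parts.hostname or "", port=port, path=parts.path,
        quoted=quoted, decoded_name=_maybe_base64(name),
    )


def top_uris(payloads: Iterable[bytes]) -> Counter:
    """Tally advertised printer URIs, skipping payloads that do not parse."""
    tally: Counter = Counter()
    for raw in payloads:
        pkt = parse_browse_packet(raw)
        if pkt:
            tally[pkt.uri] += 1
    return tally


def listen(bind: str = "0.0.0.0", port: int = 631) -> None:
    """Passive collector: log browse packets and never answer them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            pkt = parse_browse_packet(data)
            print(src, pkt.uri if pkt else repr(data[:80]), pkt.quoted if pkt else "")


# Constructed sample payloads (documentation addresses), modeled on the observed probes.
SAMPLE_PACKETS = [
    b'0 3 http://192.0.2.10:5674/printers/securitytest3/',
    b'0 3 http://192.0.2.20:65000/printers/YmVuaWduYmUK "location_field" "info_field"',
    b'0 3 ipp://192.0.2.30:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"',
    b'0 3 http://192.0.2.20:65000/printers/YmVuaWduYmUK "location_field" "info_field"',
    b'not a browse packet',
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        print(parse_browse_packet(raw))
    print(top_uris(SAMPLE_PACKETS).most_common())
```

Run the module directly to see the constructed samples parsed and tallied; call listen() (as root, or with the port capability) to collect live packets. The listener only reads, so, like the honeypot above, it will never see what a scanner does once a target fetches its URI.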

Top URLs

http://192.34.63.88:5674/printers/securitytest3/

The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do not have a prior history from this IP address.

http://194.113.74.187:631/printers/amongus

Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.

http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"

The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.

http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"

Note the similar base64 encoded string. This one decoded to "benignprinters". 

http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure

The URL hopefully identifies the purpose of the scan correctly :). Oastify.com is used by the Burp Collaborator server.

http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"

Another "benignbe" URL. Interestingly, this is a Microsoft/GitHub IP address.

http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)

This IP is associated with internet-measurement.com.

So far, I have only seen two "ipp" URLs:

ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"

and 

ipp://199.247.0.94:631/printers/test

I will try to set up some automated responses soon to get a bit more detail.


--- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.