Survey of CUPS exploit attempts, (Fri, Oct 4th)
SANS Internet Storm Center, InfoCON: green 2024-10-04
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.
We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitations. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability.
Top URLs
http://192.34.63.88:5674/printers/securitytest3/
The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do not have a prior history from this IP address.
http://194.113.74.187:631/printers/amongus
Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.
http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"
The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.
http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"
Note the similar base64 encoded string. This one decoded to "benignprinters".
http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure
The URL hopefully identifies the purpose of the scan correctly :). Oastify.com is used by the Burp collaboration server.
http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"
Another "benignbe" URL. Interestingly a Microsoft/GitHub IP address.
http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)
This IP is associated with internet-measurement.com.
So far, I only saw two "ipp" URLs:
ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"
and
ipp://199.247.0.94:631/printers/test
I will try to set up some automated responses soon to get a bit more detail.
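For anyone collecting the same UDP/631 traffic, here is an added example (not part of the original diary and not the honeypot's own code) that parses logged payloads in the URI-plus-quoted-fields shape listed above, extracts the callback host and port, and decodes base64 printer names such as the "benignbe" ones. The optional leading type and state hex fields are an assumption taken from the legacy CUPS browsing format, the sample payloads are constructed from URLs in this diary, and the function names are hypothetical.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlsplit

# Optional leading "<type> <state>" hex fields (an assumption taken from the
# legacy CUPS browsing format), then the URI, then any quoted fields.
PACKET_RE = re.compile(
    r'^(?:[0-9a-fA-F]+\s+[0-9a-fA-F]+\s+)?(?P<uri>(?:https?|ipps?)://\S+)(?P<rest>.*)$')

# Constructed sample payloads built from URLs listed in this diary.
SAMPLES = [
    b'0 3 http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"',
    b'http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"',
    b'ipp://199.247.0.94:631/printers/test',
    b'\x00\x01 not a browse packet',
]

def decode_name(name):
    """Return the base64-decoded printer name if it is printable ASCII, else None."""
    if len(name) < 8 or len(name) % 4:
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def parse_payload(payload):
    """Parse one UDP/631 payload into a dict; None if it is not URI-shaped."""
    m = PACKET_RE.match(payload.decode("utf-8", errors="replace").strip())
    if not m:
        return None
    try:
        parts = urlsplit(m.group("uri"))
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    name = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return {"scheme": parts.scheme, "host": host, "port": port,
            "path": parts.path, "decoded_name": decode_name(name),
            "fields": re.findall(r'"([^"]*)"', m.group("rest"))}

def callback_hosts(payloads):
    """Count callback hosts across payloads, skipping ones that do not parse."""
    parsed = (parse_payload(p) for p in payloads)
    return Counter(r["host"] for r in parsed if r)
```

Feeding a day of captured payloads to `callback_hosts` gives the same kind of "top URLs" ranking as the list above, grouped by the host the scanner wants the printer to call back to.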
--- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.