631 - IPP
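💡 Study tip: This document covers penetration testing methods for 631 - Internet Printing Protocol (IPP) and is intended as a reference for information security beginners and practitioners.
⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.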
Internet Printing Protocol
The Internet Printing Protocol (IPP), as specified in RFC 2910 and RFC 2911, is the de-facto standard for network printing. It sits on top of HTTP/1.1 (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as IPP Everywhere even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers.
Unfortunately, exposing port 631/tcp (and 631/udp for printer discovery) often leads to serious security issues – both on traditional office printers and on any Linux/Unix host running CUPS.
Quick PoC – crafting raw IPP with Python
Information Gathering & Recon
1. Nmap NSE
The cups-info script extracts model, state and queue statistics while cups-queue-info enumerates pending jobs.
2. IPP utilities from CUPS
- ippfind – multicast/UDP discovery (works against cups-browsed).
- ipptool – arbitrary requests defined in a .test file. The bundled get-printer-attributes.test file queries firmware version, supported document formats, etc.
3. Shodan / Censys dorks
More than 70 000 hosts were publicly exposing CUPS in April 2025.
Recent Vulnerabilities (2023-2025)
| Year | CVE ID(s) | Affected component | Impact |
|---|---|---|---|
| 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap-overflow → remote code execution over Wi-Fi/LAN |
| 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated remote code execution chain on any Linux desktop/server with CUPS browsing enabled |
| 2024 | CVE-2024-35235 | cupsd 2.4.8- | Symlink trick → arbitrary chmod 666 → privilege escalation |
| 2023 | CVE-2023-0856 (Canon) + Pwn2Own | | Stack-overflow in sides attribute → remote code execution |
cups-browsed remote code execution chain (September 2024)
- cups-browsed listens on UDP/631 for printer advertisements.
- An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176).
- libcupsfilters automatically fetches the remote PPD without validation (CVE-2024-47076 & 47175).
- A crafted PPD abuses the foomatic-rip filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177).
Proof-of-concept code is public on the researcher’s blog and exploits require no authentication; network access to UDP/631 is enough.
Temporary mitigations
Patches were released by major distributions in October 2024 – ensure cups-filters ≥ 2.0.0.
cupsd symlink Listen misconfiguration (CVE-2024-35235)
Placing a symbolic link in cupsd.conf’s Listen directive causes cupsd (root) to chmod 666 an attacker-chosen path, leading to writable system files and, on Ubuntu, code execution via a malicious PPD with FoomaticRIPCommandLine.
Offensive Techniques
- Unauthenticated raw print job – many printers accept POST /ipp/print without auth. A malicious PostScript payload can invoke shell commands (system("/bin/nc ...")) on high-end devices.
- Job Hijacking – Cancel-Job followed by Send-Document lets an attacker replace someone else’s document before it is physically printed.
- SNMP → IPP combo – default community public often leaks the internal queue name required in the IPP URL.
Defensive Best Practices
- Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds.
- Disable cups-browsed and UDP/631 unless zeroconf printing is required.
- Restrict TCP/631 to trusted subnets/VPN and enforce TLS (ipps://).
- Require Kerberos/Negotiate or certificate auth instead of anonymous printing.
- Monitor logs: /var/log/cups/error_log with LogLevel debug2 will show unsolicited PPD downloads or suspicious filter invocations.
- In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only.
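One way to check several of the items above against configuration text, as an added example that is not code from the original page or from the CUPS project. The function names and sample configs are constructed for illustration; Port, Listen and DefaultEncryption (cupsd.conf) and BrowseRemoteProtocols / BrowseProtocols (cups-browsed.conf) are the directives it reads.

```python
import os
import re

LOOPBACK = re.compile(r"^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$", re.I)

def directives(text):
    """Yield (lowercased name, value) per directive; skips comments and <Section> tags."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and not parts[0].startswith("<"):
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def audit_cupsd(text):
    """Findings for cupsd.conf text: exposed listeners, weak TLS policy, symlinked socket."""
    findings = []
    for name, value in directives(text):
        if name == "port":
            findings.append(f"Port {value}: TCP listener on every interface")
        elif name == "listen" and value.startswith("/"):
            # CVE-2024-35235: cupsd (root) chmods this path, so it must not be a symlink.
            if os.path.islink(value):
                findings.append(f"Listen {value}: path is a symlink (CVE-2024-35235)")
        elif name == "listen" and not LOOPBACK.match(value):
            findings.append(f"Listen {value}: reachable off-host, restrict to trusted subnets")
        elif name == "defaultencryption" and value.lower() != "required":
            findings.append(f"DefaultEncryption {value}: TLS is not enforced")
    return findings

def audit_cups_browsed(text):
    """Findings for cups-browsed.conf text: legacy CUPS browsing on UDP/631."""
    remote = [v.lower().split() for n, v in directives(text)
              if n in ("browseremoteprotocols", "browseprotocols")]
    if not remote:
        return ["BrowseRemoteProtocols not set: set it explicitly (none unless zeroconf is required)"]
    return ["Browse protocols include cups: UDP/631 advertisements accepted (CVE-2024-47176)"
            for tokens in remote if "cups" in tokens]

# Constructed sample configs (not taken from the page).
WEAK_CUPSD = "Port 631\nListen 0.0.0.0:631\nDefaultEncryption IfRequested\n"
HARD_CUPSD = "Listen localhost:631\nListen /run/cups/cups.sock\nDefaultEncryption Required\n"
WEAK_BROWSED = "# constructed sample\nBrowseRemoteProtocols dnssd cups\n"
HARD_BROWSED = "BrowseRemoteProtocols none\n"

if __name__ == "__main__":
    for label, found in (("cupsd weak", audit_cupsd(WEAK_CUPSD)),
                         ("cupsd hardened", audit_cupsd(HARD_CUPSD)),
                         ("cups-browsed weak", audit_cups_browsed(WEAK_BROWSED)),
                         ("cups-browsed hardened", audit_cups_browsed(HARD_BROWSED))):
        print(label, "->", found or "no findings")
```

The symlink check only fires when the Listen path exists on the host where the audit runs, so run it on the print server itself rather than against a copied config.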