---
title: "631 - Ipp"
weight: 631
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

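💡 **Study note**: This document covers penetration-testing methods for **631 - Internet Printing Protocol (IPP)** and is intended as a reference for security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.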

---

## Internet Printing Protocol

The **Internet Printing Protocol (IPP)**, as specified in **RFC 2910** and **RFC 2911**, is the de-facto standard for network printing. It sits on top of **HTTP/1.1** (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as **IPP Everywhere** even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers.

Unfortunately, exposing port **631/tcp (and 631/udp for printer discovery)** often leads to serious security issues – both on traditional office printers and on any Linux/Unix host running **CUPS**.

---
### Quick PoC – crafting raw IPP with Python
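```python
import struct
import requests

PRINTER_URI = b"ipp://printer:631/ipp/print"

def attr(tag: int, name: bytes, value: bytes) -> bytes:
    """Encode one IPP attribute: value-tag, name-length, name, value-length, value."""
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

# Minimal IPP Get-Printer-Attributes request (operation-id 0x000B)
ipp = (
    struct.pack(">HHI", 0x0200, 0x000B, 1)               # version 2.0, operation-id, request-id
    + b"\x01"                                            # operation-attributes-tag
    + attr(0x47, b"attributes-charset", b"utf-8")        # charset (must come first)
    + attr(0x48, b"attributes-natural-language", b"en")  # naturalLanguage
    + attr(0x45, b"printer-uri", PRINTER_URI)            # uri of the target printer
    + b"\x03"                                            # end-of-attributes-tag
)

r = requests.post("http://printer:631/ipp/print",
                  headers={"Content-Type": "application/ipp"}, data=ipp, timeout=5)
print(r.status_code, r.content[:40])
```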
---
### Information Gathering & Recon

#### 1. Nmap NSE
```bash
# run all CUPS/IPP scripts (quoted so the shell does not expand the glob)
nmap -sV -p631 --script='cups*' <target>
# or only basic info
nmap -p631 --script=cups-info,cups-queue-info <target>
```
The `cups-info` script extracts model, state and queue statistics while `cups-queue-info` enumerates pending jobs.

#### 2. IPP utilities from CUPS
* `ippfind` – multicast/UDP discovery (works against cups-browsed):
  ```bash
  ippfind --timeout 3 --txt -v "@local and port=631"  # list printers
  ```
* `ipptool` – arbitrary requests defined in a *.test* file:
  ```bash
  ipptool -tv ipp://<IP>/ipp/print get-printer-attributes.test
  ```
  The bundled *get-printer-attributes.test* file queries firmware version, supported document formats, etc.

#### 3. Shodan / Censys dorks
```bash
shodan search 'product:"CUPS (IPP)" port:631'
```
More than **70 000** hosts were publicly exposing CUPS in April 2025.

---
### Recent Vulnerabilities (2023-2025)

| Year | CVE ID(s) | Affected component | Impact |
|------|-----------|--------------------|--------|
| 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap-overflow → remote code execution over Wi-Fi/LAN |
| 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated remote code execution chain on any Linux desktop/server with CUPS browsing enabled |
| 2024 | CVE-2024-35235 | cupsd 2.4.8- | Symlink trick → arbitrary **chmod 666** → privilege escalation |
| 2023 | CVE-2023-0856 + Pwn2Own | Canon (`sides` attribute) | Stack-overflow → remote code execution |

#### cups-browsed remote code execution chain (September 2024)
1. `cups-browsed` listens on **UDP/631** for printer advertisements.
2. An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176).
3. `libcupsfilters` automatically fetches the remote **PPD** without validation (CVE-2024-47076 & 47175).
4. A crafted PPD abuses the **foomatic-rip** filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177).

Proof-of-concept code is public on the researcher’s blog and exploits require **no authentication**; network access to UDP/631 is enough.

#### Temporary mitigations
```bash
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo ufw deny 631/udp  # or equivalent firewall rule
```
Patches were released by major distributions in October 2024 – ensure **cups-filters ≥ 2.0.0**.
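
To confirm that the first mitigation took effect, a host can be checked for UDP sockets still bound to port 631 on a non-loopback address. The following is an added example, not part of the original page; it assumes a Linux host with little-endian `/proc/net/udp` and `/proc/net/udp6` tables, and the sample table and inode numbers are constructed.

```python
import ipaddress

IPP_PORT = 631  # 0x0277 in the kernel's hex notation

def _decode_addr(hex_addr):
    """Convert the kernel's hex address (little-endian 32-bit words) to an IP object."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return ipaddress.ip_address(b"".join(words))

def udp631_listeners(proc_text):
    """Return [(ip, inode)] for UDP sockets on port 631 that are not loopback-only."""
    hits = []
    for line in proc_text.splitlines()[1:]:      # first line is the column header
        cols = line.split()
        if len(cols) < 10:                       # skip blank or malformed rows
            continue
        addr_hex, port_hex = cols[1].split(":")
        ip = _decode_addr(addr_hex)
        if int(port_hex, 16) == IPP_PORT and not ip.is_loopback:
            hits.append((str(ip), int(cols[9])))  # column 9 is the socket inode
    return hits

# Constructed sample of /proc/net/udp: wildcard 631, loopback 631, and mDNS 5353.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31338 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 20001 2 0000000000000000 0
"""
```

On a live host, pass the contents of `/proc/net/udp` and `/proc/net/udp6` to `udp631_listeners`; an empty result means nothing is listening for printer advertisements on a reachable address.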

#### cupsd symlink `Listen` misconfiguration (CVE-2024-35235)
Placing a symbolic link in *cupsd.conf*’s `Listen` directive causes **cupsd (root)** to `chmod 666` an attacker-chosen path, leading to writable system files and, on Ubuntu, code execution via a malicious PPD with `FoomaticRIPCommandLine`.

---
### Offensive Techniques

* **Unauthenticated raw print job** – many printers accept `POST /ipp/print` without auth. A malicious **PostScript** payload can invoke shell commands (`system("/bin/nc ...")`) on high-end devices.
* **Job Hijacking** – `Cancel-Job` followed by `Send-Document` lets an attacker replace someone else’s document before it is physically printed.
* **SNMP → IPP combo** – default community `public` often leaks the internal queue name required in the IPP URL.

---
### Defensive Best Practices
1. Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds.
2. Disable `cups-browsed` and UDP/631 unless zeroconf printing is required.
3. Restrict TCP/631 to trusted subnets/VPN and enforce **TLS (ipps://)**.
4. Require **Kerberos/Negotiate** or certificate auth instead of anonymous printing.
5. Monitor logs: `/var/log/cups/error_log` with `LogLevel debug2` will show unsolicited PPD downloads or suspicious filter invocations.
6. In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only.
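
Items 3 and 4 can be audited from the body of a Get-Printer-Attributes response, such as the one returned by the Python request earlier on this page. The following is an added example, not code from the original page or from CUPS; it decodes the IPP attribute encoding and flags a printer whose `uri-security-supported` or `uri-authentication-supported` attribute includes `none`. The function names and the sample response are constructed for illustration.

```python
import struct

GROUPS = {0x01: "operation", 0x02: "job", 0x04: "printer", 0x05: "unsupported"}

def _field(buf, pos):
    """Read one 2-byte length-prefixed field, rejecting lengths past the buffer."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("length field truncated or past end of buffer")
    return buf[pos + 2:end], end

def parse_ipp(buf):
    """Decode an IPP response into (status-code, {group: {attribute: [values]}})."""
    if len(buf) < 9:
        raise ValueError("truncated IPP message")
    _version, status, _request_id = struct.unpack_from(">HHI", buf)
    groups, group, last, pos = {}, None, None, 8
    while buf[pos] != 0x03:                       # end-of-attributes-tag
        tag, pos = buf[pos], pos + 1
        if tag < 0x10:                            # delimiter tag opens a new group
            group, last = groups.setdefault(GROUPS.get(tag, hex(tag)), {}), None
        else:
            name, pos = _field(buf, pos)
            raw, pos = _field(buf, pos)
            if group is None or not (name or last):
                raise ValueError("attribute outside a group, or value without a name")
            last = name.decode("ascii", "replace") if name else last  # empty name = extra value
            is_text = 0x41 <= tag <= 0x49         # text, keyword, uri, charset, ...
            group.setdefault(last, []).append(raw.decode("utf-8", "replace") if is_text else raw)
        if pos >= len(buf):
            raise ValueError("missing end-of-attributes-tag")
    return status, groups

def exposure_findings(groups):
    """Flag a printer that advertises an unencrypted or anonymous URI."""
    printer = groups.get("printer", {})
    checks = {"uri-security-supported": "a printer URI is offered without TLS",
              "uri-authentication-supported": "a printer URI accepts anonymous requests"}
    return [msg for attr, msg in checks.items() if "none" in printer.get(attr, [])]

def _attr(tag, name, value):
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

# Constructed sample response (not captured from a real device).
SAMPLE = (struct.pack(">HHI", 0x0200, 0x0000, 1) + b"\x01"
          + _attr(0x47, b"attributes-charset", b"utf-8") + b"\x04"
          + _attr(0x44, b"uri-security-supported", b"none") + _attr(0x44, b"", b"tls")
          + _attr(0x44, b"uri-authentication-supported", b"negotiate") + b"\x03")
```

Integer, enum and other non-text syntaxes are returned as raw bytes; the two audited attributes are keywords, so their values come back as strings.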

---


### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="631"
```

#### Shodan

```bash
# Shodan search syntax
port:631
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:631
```

---

## 📖 References

- [HackTricks - 631-ipp](https://book.hacktricks.wiki/en/network-services-pentesting/631-ipp.html)

