Internet Printing Protocol

The Internet Printing Protocol (IPP), as specified in RFC 2910 and RFC 2911, is the de-facto standard for network printing. It sits on top of HTTP/1.1 (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as IPP Everywhere even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers.

Unfortunately, exposing port 631/tcp (and 631/udp for printer discovery) often leads to serious security issues – both on traditional office printers and on any Linux/Unix host running CUPS.


Quick PoC – crafting raw IPP with Python

python
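import struct, requests

def attr(tag, name, value):
    # value-tag, name-length, name, value-length, value
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

# Minimal IPP Get-Printer-Attributes request (operation-id 0x000B)
ipp = struct.pack(
    ">HHI",                  # version, operation-id, request-id
    0x0200,                  # 2.0
    0x000B,                  # Get-Printer-Attributes
    0x00000001,              # request-id
) + b"\x01"                  # operation-attributes-tag
# attributes-charset and attributes-natural-language must come first, then the target URI
ipp += attr(0x47, b"attributes-charset", b"utf-8")
ipp += attr(0x48, b"attributes-natural-language", b"en")
ipp += attr(0x45, b"printer-uri", b"ipp://printer:631/ipp/print")
ipp += b"\x03"               # end-of-attributes

r = requests.post("http://printer:631/ipp/print", headers={"Content-Type":"application/ipp"}, data=ipp)
print(r.status_code, r.content[:40])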
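
Decoding the reply shows exactly what a printer discloses to an unauthenticated Get-Printer-Attributes query; the parser below checks every length field against the buffer before using it. It is an added example, not code from the original page: `parse_ipp`, `SAMPLE` and the helper names are hypothetical, and the sample response is constructed rather than captured from a device.

```python
import struct

GROUPS = {0x01: "operation", 0x02: "job", 0x04: "printer", 0x05: "unsupported"}

def _field(buf, pos):
    """Read a 2-byte big-endian length plus that many bytes, bounds-checked."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("length field exceeds message size")
    return buf[pos + 2:end], end

def parse_ipp(buf):
    """Decode an IPP message (RFC 8010 encoding) into header and attribute groups."""
    if len(buf) < 8:
        raise ValueError("truncated IPP header")
    major, minor, code, request_id = struct.unpack_from(">BBHI", buf, 0)
    pos, groups, last = 8, [], None
    while pos < len(buf):
        tag, pos = buf[pos], pos + 1
        if tag == 0x03:                               # end-of-attributes-tag
            return {"version": (major, minor), "code": code, "request_id": request_id, "groups": groups}
        if tag <= 0x0F:                               # delimiter tag: new group
            groups.append((GROUPS.get(tag, hex(tag)), {}))
            continue
        if not groups:
            raise ValueError("attribute before any group tag")
        name, pos = _field(buf, pos)
        value, pos = _field(buf, pos)
        if tag in (0x21, 0x23) and len(value) == 4:   # integer / enum
            value = struct.unpack(">i", value)[0]
        elif 0x40 <= tag <= 0x5F:                     # character-string tags
            value = value.decode("utf-8", "replace")
        if name:                                      # named: a new attribute
            last = name.decode("ascii", "replace")
        elif last not in groups[-1][1]:               # empty name: extra value
            raise ValueError("additional value without an attribute name")
        groups[-1][1].setdefault(last, []).append(value)
    raise ValueError("missing end-of-attributes tag")

def _attr(tag, name, value):
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

# Constructed sample response, not captured from a real device.
SAMPLE = (struct.pack(">BBHI", 2, 0, 0x0000, 1) + b"\x01"
          + _attr(0x47, b"attributes-charset", b"utf-8")
          + _attr(0x48, b"attributes-natural-language", b"en") + b"\x04"
          + _attr(0x41, b"printer-make-and-model", b"Example Printer 1.0")
          + _attr(0x49, b"document-format-supported", b"application/pdf")
          + _attr(0x49, b"", b"application/postscript")
          + _attr(0x23, b"printer-state", struct.pack(">i", 3)) + b"\x03")
```

Calling `parse_ipp(r.content)` on the response from the request above returns the same structure, with the printer group listing what the device reports about itself.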

Enumeration & Recon

1. Nmap NSE

bash
# run all CUPS/IPP scripts
nmap -sV -p631 --script=cups* <target>
# or only basic info
nmap -p631 --script=cups-info,cups-queue-info <target>

The cups-info script extracts model, state and queue statistics while cups-queue-info enumerates pending jobs.

2. IPP utilities from CUPS

  • ippfind – multicast/UDP discovery (works against cups-browsed):
    ippfind --timeout 3 --txt -v "@local and port=631"  # list printers
    
  • ipptool – arbitrary requests defined in a .test file:
    ipptool -tv ipp://<IP>/ipp/print get-printer-attributes.test
    
    The bundled get-printer-attributes.test file queries firmware version, supported document formats, etc.

3. Shodan / Censys dorks

bash
shodan search 'product:"CUPS (IPP)" port:631'

More than 70 000 hosts were publicly exposing CUPS in April 2025.


Recent Vulnerabilities (2023-2025)

| Year | CVE ID(s) | Affected component | Impact |
|------|-----------|--------------------|--------|
| 2025 | CVE-2023-50739 | Lexmark firmware (IPP parser) | Heap-overflow → RCE over Wi-Fi/LAN |
| 2024 | CVE-2024-47076, 47175, 47176, 47177 | cups-browsed, libcupsfilters, libppd, cups-filters | Full unauthenticated RCE chain on any Linux desktop/server with CUPS browsing enabled |
| 2024 | CVE-2024-35235 | cupsd 2.4.8- | Symlink trick → arbitrary chmod 666 → privilege escalation |
| 2023 | CVE-2023-0856 (Canon) + Pwn2Own | | Stack-overflow in sides attribute → remote code execution |

cups-browsed RCE chain (September 2024)

  1. cups-browsed listens on UDP/631 for printer advertisements.
  2. An attacker sends a single spoofed packet pointing to a malicious IPP URL (CVE-2024-47176).
  3. libcupsfilters automatically fetches the remote PPD without validation (CVE-2024-47076 & 47175).
  4. A crafted PPD abuses the foomatic-rip filter to execute arbitrary shell commands whenever anything is printed (CVE-2024-47177).

Proof-of-concept code is public on the researcher’s blog and exploits require no authentication; network access to UDP/631 is enough.

Temporary mitigations

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo ufw deny 631/udp  # or equivalent firewall rule

Patches were released by major distributions in October 2024 – ensure cups-filters ≥ 2.0.0.

For CVE-2024-35235, placing a symbolic link in cupsd.conf’s Listen directive causes cupsd (root) to chmod 666 an attacker-chosen path, leading to writable system files and, on Ubuntu, code execution via a malicious PPD with FoomaticRIPCommandLine.
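
Both issues above end with CUPS processing a PPD whose FoomaticRIPCommandLine someone else controls, so after patching it is worth reviewing the PPDs already installed on a host. The audit below is an added example, not code from the original page or from CUPS; `audit_ppd`, the program allowlist, the metacharacter heuristic and both PPD fragments are assumptions constructed for illustration.

```python
import re
import shlex

# Assumption: the renderers your legitimate foomatic PPDs invoke first.
ALLOWED_PROGRAMS = {"gs", "foomatic-gswrapper"}
SHELL_META = re.compile(r"[;|&`<>]|\$\(")
# Matches *Keyword: "value"; a quoted PPD value may span several lines.
DIRECTIVE = re.compile(
    r'^\*(FoomaticRIPCommandLine|cupsFilter2?)\s*:\s*"([^"]*)"', re.M)

def audit_ppd(text):
    """Report whether a PPD routes jobs through foomatic-rip and which
    FoomaticRIPCommandLine values deserve a manual look."""
    report = {"foomatic_filter": False, "flagged": []}
    for key, value in DIRECTIVE.findall(text):
        if key.startswith("cupsFilter"):
            # The filter program is the last field of a cupsFilter entry.
            if value.split()[-1:] == ["foomatic-rip"]:
                report["foomatic_filter"] = True
            continue
        command = value.replace("&&\n", "")   # foomatic line continuation
        reasons = []
        try:
            program = shlex.split(command)[0]
        except (ValueError, IndexError):      # unbalanced quotes or empty
            program = ""
        if program not in ALLOWED_PROGRAMS:
            reasons.append(f"unexpected program {program!r}")
        meta = SHELL_META.search(command)
        if meta:
            reasons.append(f"shell metacharacter {meta.group()!r}")
        if reasons:
            report["flagged"].append((command, reasons))
    return report

# Constructed PPD fragments for illustration, not taken from real devices.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPA&&
USE -sDEVICE=pxlmono -sOutputFile=- -"
*End
'''
SUSPECT_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "echo constructed-sample > /tmp/marker"
'''
```

Run it over each file in /etc/cups/ppd/ and treat the output as triage: legitimate foomatic command lines that pipe into a second filter are flagged too and need a manual look.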


Offensive Techniques

  • Unauthenticated raw print job – many printers accept POST /ipp/print without auth. A malicious PostScript payload can invoke shell commands (system("/bin/nc ...")) on high-end devices.
  • Job Hijacking – Cancel-Job followed by Send-Document lets an attacker replace someone else’s document before it is physically printed.
  • SNMP → IPP combo – default community public often leaks the internal queue name required in the IPP URL.

Defensive Best Practices

  1. Patch CUPS and printer firmware promptly; subscribe to vendor PSIRT feeds.
  2. Disable cups-browsed and UDP/631 unless zeroconf printing is required.
  3. Restrict TCP/631 to trusted subnets/VPN and enforce TLS (ipps://).
  4. Require Kerberos/Negotiate or certificate auth instead of anonymous printing.
  5. Monitor logs: /var/log/cups/error_log with LogLevel debug2 will show unsolicited PPD downloads or suspicious filter invocations.
  6. In high-security networks, move printing to a hardened, isolated print server that proxies jobs to devices via USB only.

References

  • Akamai – “Critical Linux RCE Vulnerability in CUPS — What We Know and How to Prepare”, April 2025.
  • Debian Security Tracker – CVE-2024-35235 details.
