New module: cups_version_scan to help with the vulnerable CUPS printer detection

securestep9 · securestep9 · commit 546042dea522 · 2024-09-29T19:41:48.000+01:00
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -12,6 +12,7 @@ OWASP Nettacker Modules can be of type **Scan** (scan for something), **Vuln** (
 * '**citrix_lastpatcheddate_scan**'  Scan the target and try to detect Citrix Netscaler Gateway and it's last patched date
 * '**cms_detection_scan**' - Scan the target and try to detect the CMS (Wordpress, Drupal or Joomla) using response fingerprinting
 * '**confluence_version_scan**' - Scan the target and identify the Confluence version
+* '**cups_version_scan**' - Scan the target and identify the CUPS version (on port 631)
 * '**dir_scan**' - Scan the target for well-known directories
 * '**drupal_modules_scan**' - Scan the target for popular Drupal modules
 * '**drupal_theme_scan**' - Scan the target for popular Drupal themes
diff --git a/nettacker/modules/scan/cups_version.yaml b/nettacker/modules/scan/cups_version.yaml
@@ -0,0 +1,44 @@
+info:
+  name: cups_version_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: fetch CUPS version from target to help identify CVE-2024-47176
+  reference: https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html
+  profiles:
+    - scan
+    - http
+    - backup
+    - low_severity
+    - drupal
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+              ports:
+                - 631
+        response:
+          condition_type: and        
+          conditions:
+            status_code:
+                regex: \d\d\d
+                reverse: false
+            headers:
+              Server:
+                regex: (CUPS\/[0-9]+\.[0-9]+)
+                reverse: false
+          log: "response_dependent['headers']['Server']"
