@FlyingFathead
Last active May 28, 2025 11:53
Disable+mask Avahi & CUPS
#!/bin/bash
#
# Disable and Mask CUPS & Avahi Services
#
# ~~~ Overview ~~~
#
# This script disables and masks specific CUPS (Common Unix Printing System)
# and Avahi services and sockets on Debian/Ubuntu-based Linux systems.
#
# It reduces the exposed attack surface and mitigates several security vulnerabilities
# associated with these services. The tradeoff, of course, is that some
# functionality is lost.
#
# Tested and working with Ubuntu 24.04 LTS.
#
# ~~~ Why Disable and Mask CUPS & Avahi? ~~~
#
# Security research published in September 2024 uncovered critical vulnerabilities in CUPS
# that can be exploited to achieve Remote Code Execution (RCE) and other malicious activity.
# Although the findings mainly concern CUPS, disabling Avahi isn't a bad idea either in many
# use scenarios. In fact, long before the latest CUPS exploits were found, it was already
# common security practice to disable both CUPS and Avahi if you don't need them.
#
# ~~~ Pros And Cons In Disabling The Services ~~~
#
# Disabling Avahi turns off local network service discovery, meaning that devices and
# services (such as printers) on the network won't automatically be found via the
# zero-configuration networking protocol (like Apple's Bonjour).
#
# Disabling CUPS (Common Unix Printing System) stops your system from managing
# network printing, and in most cases it may affect USB printing as well.
#
# So, if you're trying to streamline or troubleshoot services and don't need network printing
# or automatic service discovery, disabling these two services could be useful.
#
# Again: just know that it'll disable network printing and any automatic device discovery.
# If you have no use for printing services (or can live without them), this script could help
# mitigate the risks associated with the recent vulnerabilities (e.g., CVE-2024-47176
# and related ones). If you do want to print later, you can unmask and restart these services
# when needed.
#
# ~~~ What Do The Vulnerabilities Do? ~~~
#
# Specifically, the vulnerabilities (found in September 2024) allow attackers to:
#
# - Bind on UDP INADDR_ANY:631: This exposes the service on every network interface, making
#   it reachable from potentially untrusted networks.
# - Trust malicious packets: Attackers can send specially crafted UDP packets to trigger
#   malicious actions.
# - Inject malicious data: Unsanitized inputs can lead to buffer overflows and other
#   forms of exploitation.
#
# For a detailed analysis of these vulnerabilities and their implications, refer to the
# "Attacking UNIX Systems via CUPS, Part I" blog post:
# (https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/).
#
# ~~~ Key Vulnerabilities Addressed ~~~
#
# - CVE-2024-47176: Allows binding on UDP INADDR_ANY:631 without proper validation.
# - CVE-2024-47076: Enables injection of attacker-controlled data into the CUPS system.
# - CVE-2024-47175: Facilitates injection of malicious data into temporary PPD files.
# - CVE-2024-47177: Permits arbitrary command execution via the FoomaticRIPCommandLine
#   PPD parameter.
#
# These vulnerabilities are particularly concerning because they can be exploited
# remotely without authentication, potentially compromising the entire system.
#
# ~~~ What This Script Does ~~~
#
# 1. Disables services: Prevents the specified CUPS and Avahi services from starting
#    automatically on boot.
# 2. Stops services: Halts any currently running instances of these services.
# 3. Masks services: Ensures that the services cannot be started manually or automatically
#    by other processes.
# 4. Verification: Checks that all specified services are correctly masked by confirming
#    their unit files point to /dev/null.
#
# ~~~ Usage ~~~
#
# Download the script, `chmod +x` it and run it. You will need `sudo` privileges.
#
# NOTE: THIS CODE IS PROVIDED AS-IS WITH ABSOLUTELY NO WARRANTY.
# USE IT AT YOUR OWN RISK.
#
# https://github.com/FlyingFathead (c) 2024 FlyingFathead
# Feel free to star my repos if you find any of these things useful. Thanks.
# Print a horizontal line as wide as the terminal (falls back to 80 columns
# when there is no terminal, e.g. when run non-interactively).
function hz_line() {
    printf '%*s\n' "${COLUMNS:-$(tput cols 2>/dev/null || echo 80)}" '' | tr ' ' -
}

# Log file shared by both functions below
LOGFILE="/tmp/disable_cups_avahi.log"

# Define the services to disable and mask globally
SERVICES=(
    "cups.service"
    "cups-browsed.service"
    "cups.socket"
    "cups.path"
    "avahi-daemon.service"
    "avahi-daemon.socket"
)

# Function to disable and mask CUPS & Avahi services
function disable_and_mask_cups_and_avahi() {
    hz_line
    echo "::: Disabling and masking all CUPS & Avahi services and sockets..." | tee -a "$LOGFILE"
    hz_line

    # Disable services and sockets (PIPESTATUS[0] is systemctl's exit code, not tee's)
    sudo systemctl disable "${SERVICES[@]}" 2>&1 | tee -a "$LOGFILE"
    if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        echo "Failed to disable some services. Please check the log at $LOGFILE." | tee -a "$LOGFILE"
    fi

    # Stop services and sockets
    sudo systemctl stop "${SERVICES[@]}" 2>&1 | tee -a "$LOGFILE"
    if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        echo "Failed to stop some services. They might not be running." | tee -a "$LOGFILE"
    fi

    # Mask services and sockets (symlinks each unit file to /dev/null)
    sudo systemctl mask "${SERVICES[@]}" 2>&1 | tee -a "$LOGFILE"
    if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        echo "Failed to mask some services. Please check the log at $LOGFILE." | tee -a "$LOGFILE"
        return 1
    fi

    # Reload systemd so it picks up the changed unit state
    sudo systemctl daemon-reload

    hz_line
    echo "::: All CUPS & Avahi services, sockets, and paths have been disabled and masked." | tee -a "$LOGFILE"
    hz_line
    echo ""
}

# Function to verify that the specified services are masked
function verify_masked_services() {
    hz_line
    echo "::: Verifying if the specified services are masked..."
    hz_line
    echo ""

    # Initialize a counter for masked services
    local masked_count=0
    local total_services=${#SERVICES[@]}

    for service in "${SERVICES[@]}"; do
        # `systemctl mask` creates a symlink to /dev/null at this path
        UNIT_FILE="/etc/systemd/system/$service"
        echo "Service: $service"
        if [ -L "$UNIT_FILE" ]; then
            TARGET=$(readlink -f "$UNIT_FILE")
            echo "  Target: $TARGET"
            if [ "$TARGET" == "/dev/null" ]; then
                echo "  Masked: Yes"
                masked_count=$((masked_count + 1))
            else
                echo "  Masked: No"
            fi
        else
            echo "  Status: Not a symlink. Masking may not be applied correctly."
        fi
        echo ""
    done

    # Summary (non-zero return so callers can tell verification failed)
    if [ "$masked_count" -eq "$total_services" ]; then
        hz_line
        echo "::: All specified services are successfully masked."
        hz_line
        echo ""
    else
        hz_line
        echo "[ERROR] Some services are not properly masked. Please review the above details."
        hz_line
        echo ""
        return 1
    fi
}

# Execute the functions
disable_and_mask_cups_and_avahi
verify_masked_services
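The script above verifies masking by inspecting symlinks, and its header notes that the units can be unmasked and restarted later. The companion helper below is an added example, not part of the gist: it asks systemd directly for each unit's state with `systemctl is-enabled`, checks with `ss -lun` that nothing is still bound to UDP port 631 (the port CVE-2024-47176 concerns), and provides a `restore` path that reverses the masking. The unit list mirrors the gist's `SERVICES` array; `systemctl`, `ss` and `sudo` rights on the host are assumed, and the `ss` sample embedded for the self-test is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Companion check/restore helper for the masking script above.
# Added example, not part of the gist. Assumptions: the unit list below mirrors
# the gist's SERVICES array, `systemctl` and `ss` exist on the host, and the
# invoking user can run `sudo systemctl` for the restore path.
#
#   ./cups_avahi_check.sh status                            # units masked? UDP 631 free?
#   ./cups_avahi_check.sh restore                           # unmask + re-enable everything
#   ./cups_avahi_check.sh restore cups.service cups.socket  # re-enable a subset only
#   ./cups_avahi_check.sh selftest                          # run the parser on the sample

UNITS="cups.service cups-browsed.service cups.socket cups.path avahi-daemon.service avahi-daemon.socket"

# Constructed sample of `ss -lun` output (not captured from a real host), used by selftest.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631      0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      [::]:5353        [::]:*       users:(("avahi-daemon",pid=900,fd=12))
UNCONN 0      0      127.0.0.53%lo:53 0.0.0.0:*'

# Return 0 if a `systemctl is-enabled` answer means the unit is masked, 1 otherwise.
is_masked_state() {
    case "$1" in
        masked|masked-runtime) return 0 ;;
        *) return 1 ;;
    esac
}

# Count UDP sockets bound to port $2 in the `ss -lun` text passed as $1.
# Column 4 is "Local Address:Port", so this matches 0.0.0.0:631, [::]:631 and *:631.
udp_listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" 'NR > 1 && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Live check: ask systemd for each unit's state; return 1 if any installed unit is unmasked.
# `is-enabled` exits non-zero for masked/disabled units, hence the `|| true`.
check_units() {
    rc=0
    for u in $UNITS; do
        state=$(systemctl is-enabled "$u" 2>/dev/null || true)
        if [ -z "$state" ]; then
            printf '%-24s not installed\n' "$u"
        elif is_masked_state "$state"; then
            printf '%-24s masked\n' "$u"
        else
            printf '%-24s NOT masked (%s)\n' "$u" "$state"
            rc=1
        fi
    done
    return $rc
}

# Live check: nothing should still be bound to UDP 631 (cups-browsed's port).
check_port() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not available; skipping UDP 631 check"
        return 0
    fi
    n=$(udp_listeners_on_port "$(ss -lun)" 631)
    if [ "$n" -eq 0 ]; then
        echo "UDP 631: nothing bound"
        return 0
    fi
    echo "UDP 631: $n socket(s) still bound; a CUPS/cups-browsed process is still running"
    return 1
}

# Reverse the gist: unmask first (the /dev/null symlinks would otherwise block enable),
# then enable and start. With no arguments every unit comes back; pass unit names to
# restore a subset (e.g. keep cups-browsed.service masked if you print to a fixed printer).
restore_units() {
    units=${*:-$UNITS}
    sudo systemctl unmask $units
    sudo systemctl daemon-reload
    sudo systemctl enable --now $units
}

case "${1:-}" in
    status)   check_units; r=$?; check_port || r=1; exit $r ;;
    restore)  shift; restore_units "$@" ;;
    selftest) udp_listeners_on_port "$SS_SAMPLE" 631 ;;
    "")       ;;   # no argument: only define the functions (safe to source)
    *)        echo "usage: $0 status|restore [unit ...]|selftest" >&2; exit 2 ;;
esac
```

`status` exits non-zero if any installed unit is not masked or if something is still bound to UDP 631, so it can run from a configuration check after the masking script. `restore` re-enables every unit by default; restoring only `cups.service`, `cups.socket` and `cups.path` brings back printing to known printers while leaving the network-browsing component masked.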