Patch on way 'this week' for HP printer vulns

RCE? Check. Clear passwords? Check. Interfere with print jobs? Check


Updated: Sysadmins have been advised to watch for a coming HP printer firmware update that will plug a remote code execution vulnerability (among others) in its MFP-586 and the M553 printers.

News of the threat emerged from a Foxglove Security deep-dive into printer security that saw the researchers warn HP of problems in August. The post, by Foxglove's Steeve Breen, said “HP notified us that a fix has been developed and is being released this week.”

The researchers also discovered other bugs, but led with the remote code execution (RCE) that they found after considerable effort to extract usually encrypted system files, plus reverse-engineering HP's firmware signature validation. After those chores the researchers concluded: “it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer.”
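The bug class Foxglove describes is a verifier that lets fields read from the package itself decide which bytes the signature covers. The following is an added illustration (not Foxglove's code and not HP's real firmware or DLL format): a constructed toy package layout with a length field, a payload and a trailing tag, where an HMAC over a shared key stands in for HP's signature scheme. The flawed verifier checks only the region the header declares, so bytes appended outside that region are accepted and executed; the hardened verifier covers the header and the whole payload, so no attacker-controlled field can shrink what is checked.

```python
import hashlib
import hmac
import struct

# Constructed toy package layout (an assumption for illustration only):
#   [4-byte big-endian signed_len][payload][32-byte tag]
# HMAC-SHA256 with a shared key stands in for HP's real signature scheme.
TAG_LEN = 32
SIGNING_KEY = b"constructed-toy-key"  # stand-in for the vendor's signing key


def _tag(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def sign_package(code: bytes, full_coverage: bool) -> bytes:
    """Trusted builder. With full_coverage=False the tag covers only the code
    bytes (the header is trusted later); with full_coverage=True it covers
    the header and the code together."""
    header = struct.pack(">I", len(code))
    signed = header + code if full_coverage else code
    return header + code + _tag(signed)


def append_unsigned_bytes(pkg: bytes, extra: bytes) -> bytes:
    """Model of the manipulation the researchers describe: extra bytes land
    after the declared signed region but before the tag."""
    body, tag = pkg[:-TAG_LEN], pkg[-TAG_LEN:]
    return body + extra + tag


def verify_flawed(pkg: bytes):
    """Flawed verifier: trusts signed_len from the package to decide what
    gets checked. Returns the bytes it would run, or None on failure."""
    (signed_len,) = struct.unpack(">I", pkg[:4])
    payload, tag = pkg[4:-TAG_LEN], pkg[-TAG_LEN:]
    if not hmac.compare_digest(_tag(payload[:signed_len]), tag):
        return None
    # Everything in payload is treated as executable, including bytes that
    # were never covered by the tag.
    return payload


def verify_hardened(pkg: bytes):
    """Hardened verifier: the tag must cover the header and the entire
    payload, and the declared length must match what is actually present."""
    body, tag = pkg[:-TAG_LEN], pkg[-TAG_LEN:]
    if not hmac.compare_digest(_tag(body), tag):
        return None
    (signed_len,) = struct.unpack(">I", body[:4])
    payload = body[4:]
    if signed_len != len(payload):
        return None
    return payload


if __name__ == "__main__":
    genuine = sign_package(b"GENUINE", full_coverage=False)
    print(verify_flawed(append_unsigned_bytes(genuine, b"EXTRA")))  # accepted
    genuine = sign_package(b"GENUINE", full_coverage=True)
    print(verify_hardened(append_unsigned_bytes(genuine, b"EXTRA")))  # None
```

The design point is that the set of bytes a signature covers must be fixed by the verifier, never by untrusted metadata inside the object being verified; any length or offset the loader later uses must itself be under the signature.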

Having worked out how to construct non-HP software solution packages, the researchers were ready to create malware from the main class of HP's ThinPrint client.

The actions performed by their proof of concept are:

  1. Download a file from http://nationalinsuranceprograms.com/blar;
  2. Execute the command specified in the file on the printer;
  3. Wait for 5 seconds; and
  4. Repeat.

Foxglove posted its malicious code on GitHub.

On the way to discovering the RCE vulnerability, the researchers also found ways to retrieve even PIN-protected print jobs, using path traversal, plus a PostScript manipulation bug and two unsecured factory reset conditions.
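The stored-job retrieval bug is a path traversal, and the standard mitigation is to resolve every requested name and confirm it still lies inside the directory the caller is allowed to see. The following is an added example (not Foxglove's or HP's code) that assumes a constructed spool layout with one directory per user; a request that escapes that user's directory, whether through `..` segments or an absolute path, is rejected before any file is opened.

```python
from pathlib import Path
from typing import Optional

# Constructed layout (an assumption, not HP's real job store): one directory
# per authenticated user beneath a spool root, holding that user's jobs.
SPOOL_ROOT = Path("spool")


def resolve_job_path(user: str, requested: str,
                     root: Path = SPOOL_ROOT) -> Optional[Path]:
    """Return the on-disk path for one of a user's stored jobs, or None if the
    request would reach outside that user's own directory."""
    # The user name comes from authentication, but still refuse anything that
    # could itself act as a path component.
    if not user or "/" in user or "\\" in user or user in (".", ".."):
        return None
    user_dir = (root / user).resolve()
    # Joining an absolute 'requested' discards user_dir entirely, and '..'
    # segments climb out of it; resolve() normalises both so the containment
    # check below sees the real target.
    candidate = (user_dir / requested).resolve()
    if user_dir not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    print(resolve_job_path("alice", "report.prn"))       # spool/alice/report.prn
    print(resolve_job_path("alice", "../bob/report.prn"))  # None
    print(resolve_job_path("alice", "/etc/passwd"))        # None
```

The containment test is done on the resolved path rather than on the raw string, so encoded or doubled separators that a naive substring check for `..` would miss are handled the same way as a plain traversal.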

The reset vulnerability means an attacker could restore both the printer's administrative password (to empty) and its SNMP community string (to public).

Readers may particularly appreciate one of the details of Foxglove's work: getting at encrypted code.

HP's printers use FIPS-compliant encryption on their internal storage and the hackers weren't about to try to get around that. Instead, they replaced the HP drive with a Toshiba unit that doesn't support encryption.

When the printer was powered on, they were able to install both operating system and firmware from USB onto an unencrypted drive, yielding access to much of the drive's content on “a standard PC”.

To get to the Windows CE directory, they used the nkbintools extractor.

That didn't, however, let them into the /Core partition. For that, the researchers needed to grab a copy with the dd utility, and put in the hard work looking at DLL files to extract the software they were looking for. ®

Update: HP has contacted The Register to say that the firmware was, in fact, available at the time Foxglove went public. The updated firmware is here.
