Updated Sysadmins have been advised to watch for a coming HP printer firmware update that will plug a remote code execution vulnerability (among others) in its MFP-586 and the M553 printers.
News of the threat emerged from a Foxglove Security deep-dive into printer security that saw the researchers warn HP of problems in August. The post, by Foxglove's Steeve Breen, said “HP notified us that a fix has been developed and is being released this week.”
The researchers also discovered other bugs, but led with the remote code execution (RCE) that they found after considerable efforts to extract usually-encrypted system files, plus reverse-engineering HP's firmware signature validation. After those chores the researchers concluded: “it may be possible to manipulate the numbers read into
int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer.”
Having worked out how to construct non-HP software solution packages, the researchers were ready create malware from the main class of HP's ThinPrint client.
The actions performed by their proof of concept are:
- 1) Download a file from http://nationalinsuranceprograms.com/blar;
- 2) Execute the command specified in the file on the printer;
- 3) Wait for 5 seconds; and
- 4) Repeat.
Foxglove posted its malicious code on GitHub.
On the way to discovering the RCE vulnerability, the researchers also found ways to retrieve even PIN-protected print jobs, using path traversal, plus a PostScript manipulation bug and two unsecured factory reset conditions.
The reset vulnerability means an attacker could put both the printer's administrative password (empty) and its SNMP community string (public).
Readers may particularly appreciate one of the details of Foxglove's work: getting at encrypted code.
HP's printers use FIPS-compliant encryption on their internal storage and the hackers weren't about to try to get around that. Instead, they substituted the HP drive for a Toshiba unit that doesn't support encryption.
When the printer was powered on, they were able to install both operating system and firmware from USB onto an unencrypted drive, yielding access to much of the drive's content on “a standard PC”.
To get to the Windows CE directory, they used the
That didn't, however, let them into the
/Core partition. For that, the researchers needed to grab a copy with the
dd utility, and put in the hard work looking at DLL files to extract the software they were looking for. ®
Update: HP has contacted The Register to say that the firmware was, in fact, available at the time Foxglove went public. The updated firmware is here.