Pierluigi Paganini November 22, 2017

Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. 

HP dedicates significant efforts in designing secure printing systems, a recent marketing campaign launched by the firm shows the dangers of vulnerable printers for corporate networks.

https://youtu.be/FqibWHfn_Yc

HP launched new enterprise LaserJet printers back in 2015 and introduced several security improvements across the time.

Experts from FoxGlove Security tested an HP PageWide Enterprise 586dn multi-functional printer (MFP) and an HP LaserJet Enterprise M553n printer.

The team used a hacking tool dubbed PRET (PRinter Exploitation Toolkit) developed by researchers from Ruhr-Universität Bochum in Germany.

At the time, the tool was used by the author to find security vulnerabilities in 20 printer models manufactured by Dell, Brother, Konica, Samsung, HP, OKI, and Lexmark.

The printers were affected by flaws related to common printing languages, PostScript and PJL, used in most laser printers. The flaws are not a novelty, according to the experts, they have existed for decades.

Now experts from FoxGlove used the PRET tool to find a path traversal flaw that allowed them to access the content of any print job, including those jobs protected by a PIN code. The same team found vulnerabilities that can be exploited by attackers to manipulate the content of print jobs and reset devices to factory settings.

In order to find a remote code execution (RCE) the researchers reverse engineered the firmware extracted from the HP printer, bypassing anti-tampering mechanisms implemented by the vendor.

The team analyzed firmware updates and HP Software Solutions discovering they leverages the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that must be digitally signed.

“PJL is a language that computers will speak with the printer when submitting print jobs. This language has also been extended to have the ability of performing some administrative tasks.” stated the analysis published by the experts.

“One of the capabilities of PJL is very limited management of files on the printer. For example, it is possible to store and delete files, but only in a very specific location, a small “jail” on the filesystem that it should not be possible for a user speaking PJL to escape from:” 

The experts failed to upload a malicious firmware to the device due to the signature validation checks, but they devised possible attack vectors.

“A BDL file modified in this way was uploaded to the printer and confirmed working, however no malicious changes to code could be implemented just yet. When we tried to replace any of the DLL files in the ZIP we began getting DLL signature validation errors.” continues the analysis.

The researchers succeeded in cracking signature validation for Solutions files and uploading a malicious DLL and execute arbitrary code.

The experts shared the source code of the tools used during the tests, including the  proof-of-concept (PoC) malware the exploited.

The team reported the discovery to HP on August 21 and the tech giant is committed to release a security update this week.

Pierluigi Paganini

(Security Affairs – HP, printers)

[adrotate banner=”5″]

[adrotate banner=”13″]