Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack

Pierluigi Paganini August 13, 2018

A vulnerability in HP OfficeJet all-in-one inkjet printer can be exploited by attackers to gain control of the printer and use it as entry point into the network environment.

A critical vulnerability potentially exposes millions of HP OfficeJet printers to hack, according to the experts at Check Point the attackers only need to send a fax to the vulnerable printers.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol implemented in all its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

OfficeJet HP flawCheckpoint experts reported the flaws to HP and shared details for the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit, they demonstrated that once the attackers have compromised a fax machine they could leverage the NSA exploit EternalBlue for lateral movements.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security. 

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”

HP OfficeJet all-in-one inkjet printer 2

Below a video PoC of the exploit.

The experts explained that attackers run several type of attack, such as stealing documents or tampering with the fax content by replacing the documents received with altered versions of them.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – OfficeJet HP flaw, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment