Serious security vulnerabilities affecting numerous HP printer models have been discovered which could wreak havoc if exploited. Dubbed “Printing Shellz”, these vulnerabilities allowed a remote attacker to take control of target systems via HP printers.
Printing Shellz HP Vulnerabilities
Specifically, they tested a multi-function printer (MFP) commonly used in the corporate sector to find any serious bugs. They kept this device as a subject given their numerous functionalities in an office environment. As stated in their report,
“Modern MFPs have various functionalities from print/fax over e-mail to large-scale integrations with organization directory services, document storage, and authorization and accounting functionalities.
If we consider an MFP from a red teaming perspective, it makes a great target for multiple reasons.
Some of their specified “reasons” include,
- the significant data that those devices process while printing and scanning,
- the requirement for user authentication that involves processing credentials, hence letting an attacker steal passwords,
- frequent use of USBs with MFPs that allow an adversary to spread malware to a connected USB (which would then further spread to the network when connected on other devices),
- their ease of accessibility, especially in public settings, and
- the common “install and forget” installation settings where users seldom remember updating MFPs, hence adding to their potential vulnerabilities.
All of these risk factors make printers an attractive target for the threat actors.
Hence, the researchers tested an HP MFP M725z that bears scanner, printer, and fax functionalities that increase its attack surface.
About the bugs
Briefly, the first vulnerability they noticed was a buffer overflow vulnerability, CVE-2021-39238. Describing this bug in an advisory, F-Secure stated,
The font parser library is vulnerable to a memory corruption issue due to improper validation of an array index (CWE-129). The issue can be exploited remotely using a Cross-Site Printing (XSP) vector as part of a drive-by or social engineering attack via workstations that can communicate directly with the devices’ JetDirect service. It is also possible to trigger and exploit the vulnerability locally using the ‘print from USB’ feature.
Exploiting this bug could allow an attacker to take control of the device. This would further allow it to access in-process documents, any connected USBs, steal credentials, and move laterally in a “wormable” manner compromising the entire network.
Whereas the second vulnerability, CVE-2021-39237, was a hardware flaw, describing which, the researchers state in the advisory,
F-Secure have discovered exposed UART interfaces that provide unlimited access to the shell within the communication board of HP MFPs. One UART interface on the board provides access to the UEFI shell control, the other one to the root Linux shell of the scanner module.
Planting malicious devices could let the attacker install malicious software, network pivoting, access in-process documents, and steal access credentials.
HP Deployed Patches
Upon discovering the bugs, the researchers contacted HP to report the matter. While they didn’t test, the researchers explain that the vulnerabilities potentially affect over 150 HP printer models.
Consequently, HP deployed the patches with the latest firmware updates. Currently, no exploitation of the bugs has been found. Nonetheless, all MFP users should ensure updating their devices to avoid any issues in the future.
Also, it’s better to keep an eye on firmware updates for printers and other integrated devices to enhance network security.
The researchers have shared the technical details of their findings in an interesting report that they presented at the Pwn2Own Austin 2021.
Last modified: December 10, 2021