The Latest in IT Security

Networked Printers at Risk

31
Dec
2011


Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.

Hacking MFPs
In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript. Just printing a particular document can get code to run on the machine. Previous research proof of concepts have done exactly that, once with a specially designed Word document and once with a Java applet.

Printers and copiers have been targets of attackers and spies for decades.

Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.

Attackers can grab passwords to the administration interface from an MFP’s memory.

MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The numbers of publicly accessible office MFPs range in the tens of thousands. An attacker could craft PostScript code tied with exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.

Print me if you can
A day later researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Similar to the earlier presentation Cui’s attack leveraged the update capabilities on multifunction devices.

Ang Cui and Jonathan Voris demonstrate printer malware that forwards printed documents to a printer outside the corporate network.

Cui’s technique for infecting printers involves the more limited Printer Job Language, rather than PostScript, and injects code into processes running on the printer. This was effectively a custom rootkit for the printer’s OS.

To get his code on a machine, he needed to reverse-engineer HP’s proprietary firmware update file format. This involved dumping memory images from the printer and using a disassembler on the extracted firmware to determine how to parse the update files. Cui has developed a tool, HPacker, that can take an infected firmware image and repackage it into the proper RFU format for updates. This tool can also analyze current memory dumps.

Researcher Ang Cui uses a memory dumper to access the boot code and reverse-engineer the update file format.

The vulnerability was disclosed to HP, and updates for infected printers were released last week.

Leave a reply


Categories

THURSDAY, OCTOBER 18, 2018
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks