This Week in Security: Printing Shellz, ms-officecmd, And AI Security

Researchers at F-Secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed on a printer on the same network. The demo uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interaction.



The vulnerability used to get a foot in the door is in how Type 2 fonts are parsed. The charstrings used in these font descriptors are essentially tiny programs of their own that run on the printer to define each symbol in the font. It should come as no surprise that the interpreters for these little programs, being obscure and easily forgotten, are full of sketchy code and vulnerabilities. The HP printer they are tackling is no exception, and here the load operator is the culprit. This operator has been officially removed from the Type 2 specification, likely due to the security challenge it represents, but older parsers may still support it. Load is little more than a memcpy(), and since the parser doesn’t properly validate its arguments, it allows arbitrary memory overwrites. The researchers chose to overwrite a function pointer belonging to another function, giving them the ability to jump to any code gadget they could find. Through judicious use of the longjmp() function, they could construct a fake stack and jump directly to it, resulting in arbitrary code execution.
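As an added illustration (not code from the F-Secure paper or from HP's firmware), here is a minimal C sketch of a load-style handler, first as the unchecked copy the paragraph describes and then with the operand validation it says was missing. The `cs_state` layout, the array sizes and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes are assumptions for this sketch, not values from the firmware. */
#define TRANSIENT_LEN  32   /* interpreter scratch array, in elements */
#define REGISTRY_ITEMS 3    /* number of registry objects */
#define REGISTRY_LEN   16   /* capacity of each registry object */

typedef struct {
    int32_t transient[TRANSIENT_LEN];
    int32_t registry[REGISTRY_ITEMS][REGISTRY_LEN];
    size_t  registry_used[REGISTRY_ITEMS];   /* elements actually populated */
} cs_state;

/* The bug class from the text: operands from the font go straight to memcpy(). */
void cs_load_unchecked(cs_state *st, int32_t regid, int32_t index, int32_t count)
{
    memcpy(&st->transient[index], st->registry[regid], (size_t)count * sizeof(int32_t));
}

/* Hardened form: every operand is untrusted font data.
 * Returns 0 on success, -1 if the charstring must be rejected. */
int cs_load_checked(cs_state *st, int32_t regid, int32_t index, int32_t count)
{
    if (regid < 0 || regid >= REGISTRY_ITEMS) return -1;
    if (index < 0 || count < 0) return -1;
    /* Subtract instead of computing index + count, which could overflow. */
    if (index > TRANSIENT_LEN || count > TRANSIENT_LEN - index) return -1;
    /* Never read past what the registry object actually holds. */
    if ((size_t)count > st->registry_used[regid]) return -1;
    memcpy(&st->transient[index], st->registry[regid], (size_t)count * sizeof(int32_t));
    return 0;
}

int main(void)
{
    cs_state st;
    memset(&st, 0, sizeof st);
    st.registry_used[0] = 4;                 /* constructed sample state */
    printf("in range:       %d\n", cs_load_checked(&st, 0, 28, 4));
    printf("past the end:   %d\n", cs_load_checked(&st, 0, 30, 4));
    printf("negative index: %d\n", cs_load_checked(&st, 0, -1, 4));
    return 0;
}
```

A parser that no longer needs a removed operator at all is better off rejecting it outright; the checked handler shows the minimum validation if the operator must stay.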


There’s quite a long section about how they reverse engineered the printer’s firmware update file format, to determ ..
