DEF CON 2018: Critical Bug Opens Millions of HP OfficeJet Printers to Attack

A malicious fax sent to an HP Inc. OfficeJet all-in-one inkjet printer can give hackers control of the printer, which can then act as a springboard into an attached network environment.

LAS VEGAS – Tens of millions of fax-ready HP OfficeJet inkjet printers are vulnerable to a simple hack that gives an attacker full control over a targeted printer. Once compromised, the all-in-one OfficeJet could act as a springboard for deeper network penetration by an attacker.

Here at DEF CON, researchers at Check Point released public details on two critical vulnerabilities found in HP’s implementation of a widely used fax protocol, which is present in all its OfficeJet all-in-one inkjet printers. In coordination with Check Point’s public disclosure, HP Inc. released patches for both vulnerabilities (CVE-2018-5925 and CVE-2018-5924).

“We are able to take complete control over the printer just by sending a malicious fax,” said Yaniv Balmas, malware research team lead with Check Point. “There is no prerequisite for this attack. All you need to do is send a malicious fax to the printer and you have control.”

Once the fax machine was compromised, Check Point researchers demonstrated how they could leverage the NSA spy-tool EternalBlue for further penetration. In March 2017, Microsoft patched the underlying Microsoft Server Message Block 1.0 (SMBv1) vulnerability that EternalBlue exploited.

While the number of fax machines and users has plummeted over the years, hospitals and insurance companies are still dependent on them. To a lesser extent, the legal, banking and real estate sectors also use fax machines for some transactions – mainly because of signature requirements and fax verification-of-delivery features.

“Nobody owns just a fax machine. Instead they own all-in-one printers,” Balmas said. “Many are connected to vulnerable networks.” He estimates there are 46 million fax machines still in use today, with 17 million of them in the United States.

The vulnerability is tied to all-in-one printers that support Group 3 (G3) fax protocols, part of the ITU T.30 standard for sending and receiving color faxes. “This standard defines the basic capabilities required from the sender and the receiver, while also outlining the different phases of the protocol,” according to Check Point, which published its research on the hack Sunday.

The fax vulnerability is exploited during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

Typically, when sending a fax the OfficeJet printer uses the .TIFF image format. The sending fax broadcasts the .TIFF meta-data for the receiving fax machine to use for such things as page sizes. The protocol (ITU T.30 standard) dictates that the receiving fax examine that meta-data for data continuity and sanitization. However, when researchers sent a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

Upon receiving the color fax data the vulnerable OfficeJet printers used a custom JPEG parser to interpret the fax data. “This means that instead of using libjpeg, the developers implemented their own JPEG parser. From an attacker’s point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising,” they wrote.

In total researchers found two vulnerabilities with this custom .JPEG parser – both stack-based buffer overflows. Both were rated critical, with a rating of 9.8 – based on NIST’s Common Vulnerability Scoring System.

“A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution,” wrote HP on its support page.
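The article does not describe the exact flaws, but JPEG marker segments carry a sender-supplied 16-bit length, and a parser that copies a segment into a fixed stack buffer must check that length first. The C sketch below is an added illustration of that check, not HP's firmware or Check Point's code; the function names, the 256-byte buffer and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BUF_MAX 256 /* assumed size of the parser's fixed buffer */

/* p points at the 2-byte big-endian length that follows a JPEG marker.
 * Returns the payload size copied into dst, or -1 if the length is unsafe. */
int copy_segment_payload(const uint8_t *p, size_t avail,
                         uint8_t *dst, size_t dst_size)
{
    if (avail < 2) return -1;                    /* length field truncated */
    size_t seg_len = ((size_t)p[0] << 8) | p[1]; /* counts its own 2 bytes */
    if (seg_len < 2) return -1;                  /* seg_len - 2 would wrap */
    if (seg_len > avail) return -1;              /* more than was received */
    if (seg_len - 2 > dst_size) return -1;       /* would overflow dst */
    memcpy(dst, p + 2, seg_len - 2);
    return (int)(seg_len - 2);
}

/* Returns 1 if every segment from SOI up to start-of-scan passes the checks. */
int jpeg_headers_ok(const uint8_t *buf, size_t len)
{
    uint8_t tmp[SEG_BUF_MAX];
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return 0; /* no SOI */
    size_t off = 2;
    while (len - off >= 2) {
        if (buf[off] != 0xFF) return 0;          /* expected a marker */
        uint8_t marker = buf[off + 1];
        off += 2;
        int n = copy_segment_payload(buf + off, len - off, tmp, sizeof tmp);
        if (n < 0) return 0;
        if (marker == 0xDA) return 1;            /* SOS: headers are done */
        off += (size_t)n + 2;
    }
    return 0;                                    /* data ended before SOS */
}

/* Constructed inputs: a 3-byte comment segment, then one claiming 1024 bytes. */
const uint8_t sample_ok[]  = {0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xDA,0x00,0x02};
const uint8_t sample_bad[] = {0xFF,0xD8, 0xFF,0xFE,0x04,0x00,'A','A'};

int main(void)
{
    printf("ok=%d bad=%d\n", jpeg_headers_ok(sample_ok, sizeof sample_ok),
           jpeg_headers_ok(sample_bad, sizeof sample_bad));
    return 0;
}
```

A file received from an untrusted sender would be rejected at the first segment whose declared length exceeds either the bytes actually received or the destination buffer.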
