Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.
The vulnerability (CVE-2017-2750), rated as high in severity with 8.1 CVSS scale, is due to insufficiently validating parts of Dynamic Link Libraries (DLL) that allows for the potential execution of arbitrary code remotely on affected 54 printer models.
The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.
This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP's MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).
According to a
technical write-upposted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the ".BDL" extension used in both HP Solutions and firmware updates.
"This (.BDL) is a proprietary binary format with no publicly available documentation," researchers said. "We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of."
Since HP has implemented the signature validation mechanism to prevent tampering with the system, the researchers failed to upload a malicious firmware to the affected printer.
However, after some testing researchers said that "it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer."
The researchers were able to bypass digital signature validation mechanism for HP software "Solution" package and managed to add a malicious DLL payload and execute arbitrary code.
FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the
proof-of-concept (PoC) malwarepayload that could be remotely installed on the printers.
The actions performed by their proof of concept malware are as follows:
- It downloads a file from http[://]nationalinsuranceprograms[.]com/blar
- Executes the command specified in the file on the printer
- Waits for 5 seconds
- Repeat
FoxGlove Security reported this remote code execution vulnerability to HP in August this year, and the vendor fixed the issue with the release of new firmware updates for its business and enterprise printers.
To download the new
firmware update, visit the HP website in your web browser, and select Support from the top of the page and select Software & drivers. Now, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.
from The Hacker News http://ift.tt/2A2tyqe
Godly Apex 123.hp.com/envy Thanks for sharing, Good Appreciable 123.hp.com/envy Thanks for sharing, Good-humoured Appreciation 123.hp.com/oj Thanks for sharing, Good-natured Appropriate 123.hp.com/ojp Thanks for sharing, Graceful Architecure 123.hp.com/dj Thanks for sharing
ReplyDeleteFeasible Sensible 123 HP Envy 6252 Printer Support Thanks for sharing, Felicitous Sentence 123 HP Envy 5661 Printer Support Thanks for sharing, Festive Sight 123 HP Envy 7644 Printer Support Thanks for sharing, Filial Site 123 HP OfficeJet Pro 8710 Printer Support Thanks for sharing
ReplyDeletetyping services redding ca
ReplyDelete