Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.
In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript. Just printing a particular document can get code to run on the machine. Previous research proof of concepts have done exactly that, once with a specially designed Word document and once with a Java applet.
Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.
MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The numbers of publicly accessible office MFPs range in the tens of thousands. An attacker could craft PostScript code tied with exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.
Print me if you can
A day later researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Similar to the earlier presentation Cui’s attack leveraged the update capabilities on multifunction devices.
Cui’s technique for infecting printers involves the more limited Printer Job Language, rather than PostScript, and injects code into processes running on the printer. This was effectively a custom rootkit for the printer’s OS.
To get his code on a machine, he needed to reverse-engineer HP’s proprietary firmware update file format. This involved dumping memory images from the printer and using a disassembler on the extracted firmware to determine how to parse the update files. Cui has developed a tool, HPacker, that can take an infected firmware image and repackage it into the proper RFU format for updates. This tool can also analyze current memory dumps.
The vulnerability was disclosed to HP, and updates for infected printers were released last week.