Networked Printers at Risk

Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.

Hacking MFPs
In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript. Just printing a particular document can get code to run on the machine. Previous research proof of concepts have done exactly that, once with a specially designed Word document and once with a Java applet.

Printers and copiers have been targets of attackers and spies for decades.

Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.

Attackers can grab passwords to the administration interface from an MFP's memory.

MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The numbers of publicly accessible office MFPs range in the tens of thousands. An attacker could craft PostScript code tied with exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.

Print me if you can
A day later researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Similar to the earlier presentation Cui’s attack leveraged the update capabilities on multifunction devices.

Ang Cui and Jonathan Voris demonstrate printer malware that forwards printed documents to a printer outside the corporate network.

Cui’s technique for infecting printers involves the more limited Printer Job Language, rather than PostScript, and injects code into processes running on the printer. This was effectively a custom rootkit for the printer’s OS.

To get his code on a machine, he needed to reverse-engineer HP’s proprietary firmware update file format. This involved dumping memory images from the printer and using a disassembler on the extracted firmware to determine how to parse the update files. Cui has developed a tool, HPacker, that can take an infected firmware image and repackage it into the proper RFU format for updates. This tool can also analyze current memory dumps.

Researcher Ang Cui uses a memory dumper to access the boot code and reverse-engineer the update file format.

The vulnerability was disclosed to HP, and updates for infected printers were released last week.

SQL Slammer Worm Regains Momentum

At McAfee Labs every day we monitor millions of intrusion prevention systems (IPS) alerts from our sensors around the world. From these alerts, we often see interesting global data and trends. Recently, ISC noticed a sudden decline of Slammer traffic in the wild, which we also noticed on our sensors.

The infamous Slammer was a rapid-spreading worm that started on January 25, 2003. It targeted Microsoft SQL Server, and the worm traveled over UDP on port 1434, which contributes to its rapid spread. It is incredibly noisy, and it really never went away, even though the worm is eight years old!

To our surprise, the amount of traffic that we detect dropped significantly in early March, and we do not yet know the reason for the decline. What we have noticed, however, was that alerts for Slammer started to reappear early this month.

I guess we will be seeing more Slammer alerts for a while.