Ang Cui, a researcher on embedded devices, demonstrated at this year's Chaos Communications Congress (28C3) that it is possible to embed malware in HP printer firmware using the RFU mechanism, a presentation of extraordinary importance for any corporate or small network, since printers are ubiquitous in any office. RFU stands for Remote Firmware Update and is an important feature meant to keep printers performing well and secure, a sort of update feature like the one for your operating system or antivirus. Because the operating system in a printer is much simpler than Windows, for example, it runs from ROM (read-only memory), as in a smartphone or, let's say, an electronic washing machine, so a firmware update is in fact a ROM flash. As for the embedded operating systems running in printers, some run LynxOS and some run VxWorks (on ARM processors), developed by Wind River Systems and also used by NASA for its space programs (see spaceships)!
Ang Cui reverse engineered the RFU file format and, since no digital signatures and no encryption are used (only compression), he was able to modify the file, embedding malware into it. He even automated the process, releasing a tool for unpacking and packing RFU files called HPacker. His presentation at the Chaos Communications Congress (28C3) goes further by embedding in the RFU file an advanced VxWorks rootkit, 3 KB in size, written in assembly language for ARM processors, with capabilities to communicate over the Internet, perform LAN port scanning, and intercept, monitor and send print jobs to a specified IP address, acting as a true spy in the local network. It was even able to bypass firewalls using a reverse proxy capability and to spread itself in the network, so we can classify it as a printer worm. Obviously this worm was able to compromise the printer and the entire local network the printer was part of.
The scary thing in this story is how this remote firmware update vulnerability can be triggered simply by sending a specially crafted document to the printer. This makes use of the LPR (Line Printer Remote) firmware update mechanism. Since LPR/RAW printing has no authentication mechanism, a PJL (Printer Job Language) command can be embedded in PostScript, causing the printer firmware to be updated with a malicious modification of an RFU file. It is worth mentioning that several years back the Stuxnet computer worm abused the printing subsystem to spread itself in corporate networks.
The conclusions of Ang Cui about RFU files are summarized below:
- The specific version of the compression library used has a known arbitrary code execution vulnerability.
- No memory space separation:
  - no kernel-level security;
  - everything runs in supervisor mode on the CPU.
- Any vulnerability in any (unprivileged) code will lead to full compromise.
The attack vectors against a printer are:
- active, when somebody connects directly to a printer on TCP port 9100 (JetDirect, a technology developed by Hewlett-Packard that allows printers to be attached directly to a local area network);
- reflexive, by embedding a malicious RFU in a document and sending it for printing.
Using a vulnerability scanner, it was revealed that 76,995 printers worldwide are still vulnerable to this type of attack. What can be done in these circumstances for our defense (according to Ang Cui)?
- Disable RFU Updates (possible, but not on all models)
- Apply ACLs and passwords (use Web JetAdmin)
- Filter print-job content on print-server
- Isolate printers from sensitive networks
- Use a firewall for your network
- Update the firmware immediately (to patch this vulnerability)
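The "filter print-job content on the print server" measure can be illustrated with a small job filter. The example below is added here and is not code from Ang Cui's talk or from HP; it assumes that the firmware update inside an RFU file is introduced by a PJL command whose keyword is `UPGRADE` (an assumption, not stated in the article), and it scans the whole job, not just its header, because the PJL command can sit inside the PostScript body after a fresh UEL sequence. The two sample jobs are constructed for the demonstration.

```python
import re

# Universal Exit Language (UEL) sequence that introduces a PJL block.
UEL = b"\x1b%-12345X"

# PJL keyword that starts a firmware update. That HP RFU files use
# "@PJL UPGRADE" is an assumption of this example, not a fact from the article.
BLOCKED_PJL_COMMANDS = {"UPGRADE"}

# One PJL line: "@PJL", optional blanks, the command keyword, rest of the line.
_PJL_CMD = re.compile(rb"@PJL[ \t]*([A-Za-z]*)[^\r\n]*", re.IGNORECASE)


def pjl_commands(job: bytes) -> list:
    """Return every PJL command keyword in the job, in order of appearance.
    The whole payload is scanned because a PJL block can be inserted in the
    middle of the PostScript body after a new UEL."""
    found = []
    for m in _PJL_CMD.finditer(job):
        keyword = m.group(1).decode("ascii", "replace").upper()
        found.append(keyword or "<bare>")  # "@PJL" alone is a legal no-op line
    return found


def job_verdict(job: bytes) -> tuple:
    """Return (allowed, reason); reject any job carrying a firmware-update command."""
    for keyword in pjl_commands(job):
        if keyword in BLOCKED_PJL_COMMANDS:
            return (False, f"blocked: PJL {keyword} command inside print job")
    if UEL not in job:
        return (True, "allowed: no PJL block at all")
    return (True, "allowed: only ordinary PJL commands")


# Constructed samples (not real RFU data): a normal duplex PostScript job ...
SAMPLE_BENIGN_JOB = (
    UEL + b"@PJL\r\n@PJL SET DUPLEX=OFF\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n" + UEL
)
# ... and a job whose PostScript body is followed by a second PJL block that
# would hand the remaining bytes to the firmware updater (lowercase on purpose).
SAMPLE_FLAGGED_JOB = (
    UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\nshowpage\n"
    + UEL + b"@pjl upgrade size=4096\r\n" + b"\x00" * 16
)

if __name__ == "__main__":
    for name, job in (("benign", SAMPLE_BENIGN_JOB), ("flagged", SAMPLE_FLAGGED_JOB)):
        print(name, job_verdict(job))
```

Because the scan matches the keyword anywhere in the job, a document whose printed text contains the literal string `@PJL UPGRADE` would also be rejected; on a print server that conservative behaviour is preferable to letting a firmware update through.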
HP states that only printers shipped prior to 2009 are vulnerable to this type of attack, because newer ones use digital signatures for their RFU files and more secure drivers. HP released a firmware update to patch this vulnerability on Dec 23, 2011.
It is a bit strange what HP announced on Nov. 29, 2011: that the speculation about a firmware update causing some HP printers to catch fire is false. In fact the issue was about unauthorized access to a network through a printer vulnerability, not about printers in flames. However, it is important that they addressed the issue very quickly, and this article should not create panic, because in the real world nobody has reported unauthorized access to a network using this vulnerability.
Be safe!