Researchers at F-Secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed on a printer on the same network. Their demo uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interaction.
The vulnerability used to get a foot in the door is in how Type 2 font charstrings are parsed. The charstrings in these font descriptors are essentially tiny programs of their own, run on the printer to define each glyph in the font. It should come as no surprise that the interpreters for these little programs, being obscure and easily forgotten, are full of sketchy code and vulnerabilities. The HP printer they are tackling is no exception, and here the load operator is the culprit. This operator has been officially removed from the Type 2 specification, likely because of the security risk it represents, but older parsers may still support it.
The load operator is little more than a memcpy(), and since the parser doesn't properly validate its arguments, it allows arbitrary memory overwrites. The researchers chose to overwrite a function pointer, giving them the ability to jump to any code gadget they could find. Through judicious use of longjmp(), they could construct a fake stack and jump directly to it, resulting in arbitrary code execution.
There's quite a long section about how they reverse engineered the printer's firmware update file format, to determine which models were still vulnerable to the attack. It turned out to be an unnecessary distraction, as an extraction tool was already available. Let this be a lesson to us all: use a search engine before spending hours on work someone else may already have done and published. The conclusion of their research was that 38 different HP printers were vulnerable to the attack. Updates are available, but the circumstances of this vulnerability make exploitation more likely than usual. First, the write-up is quite good, and one would expect interested parties to recreate the exploit easily enough. Second, updating printer firmware is often quite a chore, so unpatched devices will likely be ubiquitous for years to come.
Remote code execution exploits are sometimes extremely difficult, and then there are instances like ms-officecmd. This is yet another case of an OS mishandling URI schemes. [Fabian Bräunlein] and [Lukas Euler] were looking through the URI handlers in Windows 10, and found the ms-officecmd scheme. A bit of exploring revealed that the scheme expected JSON arguments, which really got them excited, as complexity like that usually means bugs.
Once they found the proper JSON format for the URI scheme, they started looking for a way to abuse it. The vulnerability they found launches Teams through the URI, and a scripted click() on a crafted link triggers the handler without any user interaction. Microsoft took a look at the bug report and closed it, saying, "Unfortunately your report appears to rely on social engineering to accomplish, which would not meet the definition of a security vulnerability." Thankfully that misunderstanding was quickly cleared up, but the first patch didn't fix the issue, and Microsoft paid 10% of what the vulnerability should have been worth. The zero-click vulnerability has been fixed, but it's still too easy to inject commands through the URI.
AI Detects Weird TLS Certificates
NCC Group apparently misses the good old days, when the presence of TLS encryption generally meant the traffic was legitimate. OK, maybe it was never that simple. Regardless, [Margit Hazenbroek] noted that malware sometimes hides its activity inside TLS, but when you actually look at the TLS certificate in use, it tends to look odd. The example given of the Ryuk ransomware is a good one: the organization listed is "lol". It's pretty obvious to a human that this is strange, but it's not exactly practical to check every certificate used on your network by hand.
We do have a tool that might be able to automate the test for weirdness: machine learning. If we can provide enough good examples of valid certificates and questionable ones, a model might be able to flag questionable certs in real time. NCC Group uses Half-Space-Trees, a streaming anomaly-detection technique that scores how unusual a given example is compared with what it has seen before. Trials were successful, and the idea is now deployed in the company's security operations center. With the availability of open source ML frameworks, very little stops any of us from re-implementing the idea ourselves, or using ML for other, similar tasks.
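As an added example, not NCC Group's code and not their feature set, here is a compact Python implementation of the idea: a handful of certificate features scaled into [0, 1] and a simplified Half-Space-Trees detector that scores a certificate by how much reference mass lands in the same region of feature space. The certificate records are constructed summaries, the features, the flag ratio and the ten-year validity on the "lol" certificate are assumptions for illustration, and the trees use a fixed [0, 1] work range with midpoint splits rather than the randomised ranges of the original algorithm.

```python
import random

# --- Constructed sample data: subject/issuer summaries, not real certificates ---
DN_ATTRS = ("C", "ST", "L", "O", "OU", "CN")

REFERENCE_CERTS = [
    {"subject": {"C": "US", "ST": "CA", "L": "San Jose", "O": "Example Corp", "CN": "api.example.com"},
     "issuer": {"C": "US", "O": "Let's Encrypt", "CN": "R3"}, "days_valid": 90},
    {"subject": {"C": "GB", "ST": "London", "L": "London", "O": "Contoso Ltd", "CN": "mail.contoso.test"},
     "issuer": {"C": "US", "O": "DigiCert Inc", "CN": "DigiCert CA"}, "days_valid": 398},
    {"subject": {"C": "DE", "ST": "Berlin", "L": "Berlin", "O": "Fabrikam GmbH", "CN": "shop.fabrikam.test"},
     "issuer": {"C": "US", "O": "Let's Encrypt", "CN": "R3"}, "days_valid": 90},
    {"subject": {"C": "US", "ST": "NY", "L": "New York", "O": "Acme Widgets", "OU": "IT", "CN": "vpn.acme.test"},
     "issuer": {"C": "US", "O": "DigiCert Inc", "CN": "DigiCert CA"}, "days_valid": 365},
]

# Held-out benign certificate with the same organisation and CA profile as the first entry.
HELD_OUT_CERT = {"subject": {"C": "US", "ST": "CA", "L": "San Jose", "O": "Example Corp", "CN": "www.example.com"},
                 "issuer": {"C": "US", "O": "Let's Encrypt", "CN": "R3"}, "days_valid": 90}

# Modelled on the column's Ryuk example: self-signed, organisation "lol"; the
# ten-year validity is an assumption made for this example.
WEIRD_CERT = {"subject": {"O": "lol", "CN": "lol"},
              "issuer": {"O": "lol", "CN": "lol"}, "days_valid": 3650}

FEATURES = ("self_signed", "org_len", "dn_fields", "validity")


def cert_features(cert):
    """Map a certificate summary to features scaled into [0, 1] (feature choice is an assumption)."""
    subj, issuer = cert["subject"], cert["issuer"]
    return {
        "self_signed": 1.0 if subj == issuer else 0.0,                         # issuer DN equals subject DN
        "org_len": min(len(subj.get("O", "")), 16) / 16,                       # "lol" is suspiciously short
        "dn_fields": sum(1 for a in DN_ATTRS if subj.get(a)) / len(DN_ATTRS),  # sparse DNs are odd
        "validity": min(cert["days_valid"], 3650) / 3650,                      # public leaf certs are <= 398 days
    }


class HalfSpaceTrees:
    """Simplified Half-Space Trees (Tan, Ting & Liu, 2011) anomaly detector.

    Simplification (assumption of this example): every feature uses the fixed
    work range [0, 1] and each node splits at the midpoint of its current range
    on a randomly chosen feature, so the only randomness is the feature choice.
    """

    def __init__(self, feature_names, n_trees=25, depth=4, seed=7):
        self.features = list(feature_names)
        self.depth = depth
        rng = random.Random(seed)
        # Perfect binary trees in array form: node i has children 2i+1 and 2i+2;
        # internal nodes store the index of the feature they split on.
        n_internal = 2 ** depth - 1
        self.trees = [[rng.randrange(len(self.features)) for _ in range(n_internal)]
                      for _ in range(n_trees)]
        self.mass = [[0] * (2 ** (depth + 1) - 1) for _ in range(n_trees)]
        self.reference_floor = None

    def _leaf(self, tree, x):
        """Walk x down one tree, halving the current range of the split feature at each node."""
        lo = {f: 0.0 for f in self.features}
        hi = {f: 1.0 for f in self.features}
        node = 0
        for _ in range(self.depth):
            f = self.features[tree[node]]
            mid = (lo[f] + hi[f]) / 2
            if x[f] < mid:
                hi[f] = mid
                node = 2 * node + 1
            else:
                lo[f] = mid
                node = 2 * node + 2
        return node

    def fit(self, reference):
        """Record how many reference points land in each leaf (the 'mass' profile)."""
        for x in reference:
            for tree, mass in zip(self.trees, self.mass):
                mass[self._leaf(tree, x)] += 1
        self.reference_floor = min(self.score(x) for x in reference)

    def score(self, x):
        """Mean leaf mass over all trees; low mass means x fell into regions the reference set never used."""
        return sum(mass[self._leaf(tree, x)]
                   for tree, mass in zip(self.trees, self.mass)) / len(self.trees)

    def is_anomalous(self, x, ratio=0.5):
        """Flag x when its mass is far below the sparsest reference point (ratio is an assumption)."""
        return self.score(x) < ratio * self.reference_floor


def build_detector(seed=7):
    det = HalfSpaceTrees(FEATURES, n_trees=25, depth=4, seed=seed)
    det.fit([cert_features(c) for c in REFERENCE_CERTS])
    return det


def triage(detector, certs):
    """Return (CN, mean leaf mass, flagged) per certificate; lower mass is more anomalous."""
    rows = []
    for c in certs:
        x = cert_features(c)
        rows.append((c["subject"].get("CN"), detector.score(x), detector.is_anomalous(x)))
    return rows


if __name__ == "__main__":
    det = build_detector()
    for cn, mass, flagged in triage(det, [HELD_OUT_CERT, WEIRD_CERT]):
        print(f"{cn:20s} mass={mass:5.2f} {'ANOMALY' if flagged else 'ok'}")
```

A production version would stream real certificates through the same score-then-learn loop, keep the reference window rolling, and tune the flag ratio against false positives. Even with four crude features, the Ryuk-style certificate is on the opposite side of every root split from the reference traffic, so it lands in leaves that hold no reference mass at all.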
More NPM Malice
The stream of rotten NPM packages doesn't seem to be abating, as 17 more were just removed from the repository. Most of them are the garden-variety typosquatting we've seen before. At least one, however, uses the dependency confusion attack, where the malicious public package is given the same name as a company's private, internal package, in the hope that the target's build tools will grab the malicious version instead of the private one. Also interesting is that several of these malicious packages attempt to steal Discord tokens, while many just grab environment variables, hoping to find secrets.
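As an added example, not from the column or from any of the packages it reports on, here is a small Python check that reads a package-lock.json and flags internal package names that resolved from anywhere other than the private registry, which is exactly the condition a dependency confusion attack exploits. The lockfile excerpt, the internal package list and the registry host are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed package-lock.json excerpt (lockfileVersion 2/3 "packages" layout); not a real project.
LOCKFILE_JSON = r"""
{
  "name": "acme-portal",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "acme-portal",
         "dependencies": {"@acme/auth-client": "^2.1.0", "acme-billing-utils": "*", "lodash": "^4.17.21"}},
    "node_modules/@acme/auth-client": {
      "version": "2.1.4",
      "resolved": "https://npm.internal.example/@acme/auth-client/-/auth-client-2.1.4.tgz"
    },
    "node_modules/acme-billing-utils": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    }
  }
}
"""

# Names that should only ever come from the company's private registry (assumption for this example).
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-billing-utils"}
PRIVATE_REGISTRY_HOST = "npm.internal.example"   # hypothetical private registry host


def package_name_from_path(path):
    """Lockfile keys are install paths: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_dependency_confusion(lock, internal, private_host):
    """Flag internal package names whose lock entry resolved anywhere but the private registry."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = package_name_from_path(path)
        if name not in internal:
            continue
        host = urlparse(meta.get("resolved", "")).hostname or "<no resolved url>"
        if host != private_host:
            findings.append({"name": name, "version": meta.get("version"), "host": host})
    return findings


if __name__ == "__main__":
    lock = json.loads(LOCKFILE_JSON)
    for f in find_dependency_confusion(lock, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOST):
        print(f"CONFUSION RISK: {f['name']}@{f['version']} fetched from {f['host']}")
```

The scoped package (@acme/auth-client) passes because scoping plus an .npmrc line such as @acme:registry=https://npm.internal.example/ pins the whole scope to the private registry. The unscoped acme-billing-utils is the one an attacker can claim on the public registry, and an absurdly high version like 99.0.0 is the classic tell that something is trying to win version resolution.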
And finally, if you get your kicks from reading about high-complexity malware, and you probably do given that you're here reading this column, then you'll appreciate ESET's summary of 15 years of air-gap-jumping malware. There's none of the exotic wizardry you might expect from APT groups: everything found in the wild uses the lowly USB key to make the jump. While Stuxnet was certainly the most famous, it wasn't the first such malware deployed. The overview is great, and serves as a reminder that the simplest of devices, the USB drive, can be so effective.