This Week In Security: Printing Shellz, Ms-officecmd, And AI Security

Researchers at f-secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed to a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interactions.

The vulnerability used to get a foot in the door is in how Type 2 fonts are parsed. The charstrings used in these font descriptors are essentially little tiny programs of their own, that run on the printer to define each symbol in the font. It should come as no surprise that the interpreters for these little programs, being obscure and easily forgotten, are full of sketchy code and vulnerabilities. The HP printer they are tackling is no exception, and here the load operator is the culprit. This command has been officially removed from the Type 2 specification, likely due to the security challenge it represents, but older parsers may still have support for it. Load is little more than a memcpy(), and since the parser doesn’t properly validate the arguments, this allows for arbitrary memory overwrites. The researchers chose to overwrite a function pointer of another function, giving them the ability to jump to any code gadget they could find. Through judicious use of the longjmp() function, they could construct a fake stack, and jump directly to it, resulting in arbitrary code execution.

There’s quite a long section about how they reverse engineered the printer’s firmware update file format, to determine which models were still vulnerable to the attack. It turned out to be an unnecessary distraction, as an extraction tool was already available. Let this be a lesson to us all, use a search engine before spending hours doing work someone else may have already done and published. The conclusion of their research was that 38 different HP printers were vulnerable to the attack. Updates are available, and the circumstances of this vulnerability makes exploitation more likely. First, the write-up here is quite good, and one would expect the exploit to be recreated easily enough by interested parties. Second, updating printer firmware is often quite a chore, so it’s likely that unpatched device will be ubiquitous for years to come.


Remote code execution exploits are sometimes extremely difficult, and then there’s instances like ms-officecmd. This is yet another instance of OS mishandling of URI schemes. [Fabian Bräunlein] and [Lukas Euler] were looking through the URI handlers in Windows 10, and found the ms-officecmd scheme. A bit of exploring revealed that the scheme expected JSON arguments, which really got them excited, as it implied complexity.

Once they found the proper JSON format for the URI scheme, they started looking for a way to abuse it. The vulnerability they found is launching Teams with the --gpu-launcher flag. This flag allows specifying an arbitrary application to run on startup. Using Chromium-derived browsers, there is a popup requesting permission to run the URI. On the other hand, legacy Edge and IE11 allow a Javascript click() command to trigger the link and call the URI without user interaction. Microsoft took a look at the bug report, and closed it saying, “Unfortunately your report appears to rely on social engineering to accomplish, which would not meet the definition of a security vulnerability.” Thankfully that misunderstanding was quickly cleared up, but the first patch didn’t fix the issue, and Microsoft paid 10% of what the vulnerability should have been worth. The zero-click vulnerability has been fixed, but it’s still too easy to inject commands into the URI field.

AI Detects Weird TLS Certificates

NCC Group apparently misses the good old days, when TLS encryption generally meant traffic was valid. OK, maybe it was never that simple. Regardless, [Margit Hazenbroek] noted that malware sometimes hides its activity inside TLS, but when you actually look at the TLS certificate in use, it tends to look odd. The example given of the Ryuk ransomware is a good one — the organization listed is “lol”. It’s pretty obvious to a human that this is strange, but it’s not exactly practical to check every certificate used on your network.

We do have a tool that might be able to do an automated test for weirdness, Machine Learning. If we could provide enough good examples of valid certificates and questionable ones, an AI model might be able to flag questionable certs in real time. Using Half-Space-Trees, a clever way to classify the oddness of a given example. NCC Group has had success at trials, and has now deployed the idea in their SECOPS centers. With the availability of open source ML frameworks, very little stops any of us from re-implementing the idea ourselves, or using AI for other, similar tasks.

More NPM Malice

The stream of rotton NPM packages doesn’t seem to be abating, as 17 more were just removed from the repository. Most of them are the garden variety typosquatting that we’ve seen before. At least one, however, is using the dependency confusion attack, where the malicious package is named the same as a proprietary package, in the hopes that the target’s build tools will grab the malicious version instead of their own private package. Also interesting is that several of these malicious packages are attempting to steal Discord tokens, while many just grab environment variables, hoping to find secrets.

Air Gaps

And finally, if you get your kicks from reading about high complexity malware, and you probably do given that you’re here reading this column, then you’ll appreciate ESET’s 15-year summary of jumping the air-gap. There’s none of the hypothetical wizardry you might expect from APT groups. Everything found in the wild uses the lowly USB key to make the jump. While Stuxnet was certainly the most famous, it wasn’t the first such malware program deployed. The overview is great, and serves as a reminder that the simplest of devices, the USB drive, can be so effective.

18 thoughts on “This Week In Security: Printing Shellz, Ms-officecmd, And AI Security

  1. One thing I am curious about is whether those wierd certs were signed by a trusted CA. They should not have been and if they were not, then you need to figure out why your systems are trusting them. The whole point of TLS is the trust chain, if you are trusting self signed cert, that is your issue.

  2. If you don’t pay bug bounties, then bugs will not be getting reported, someone else will buy them or use them.

    I’m looking forward to a time when all apps are running in their own VM, assuming of course the hardware does that properly. Although with the amount of cores now available we may just dedicate 1 or 2 cores per app.

    All printers are terrible, some are worse. But the OS shouldn’t just print from un trusted apps with no dialog. And the browser should not be a trusted app. (I know I know, thats how we use ‘apps’ now, from the cloud, its still terrible. Come to think of it maybe this is how people can stand to use windows with 4gb of ram on an eMMC or spinny drive, they expect this level of performance)

    1. Even if you dedicated core for each app they are presumably sharing the same memory resources, data storage devices, I would suggest it doesn’t really protect from all that much, nor really do hardware VM – though they are great for many things, certainly should be better than just running that risky program etc..

      In the end nothing is really safe, but if you really want to separate your applications you want a heap of separate SOC (and very simple ones at that) isolated from each other, with no access to the wider data structures themselves – and in many cases no access to anything at all outside of the netboot image they were fed and the highly sanitised return pipe to the master that set them going – being properly distinct SOC you can then actually verify they are not doing anything they shouldn’t much more easily, even more so if you dial them back to simple operating methods so its easy to understand how the entirely thing works…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.