Another vulnerability affects HP Inkjet printers. An attacker could gain control of the printer and then use it as an entry point into the network environment (pivoting) to read sensitive information, according to Check Point Security.
POC
“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.
The experts explained that when a fax is sent, the OfficeJet printer uses the TIFF image format. The sender's fax transmits the .TIFF metadata so that the receiving fax machine can set transmission parameters such as page size. According to the ITU T.30 standard protocol, the receiver's fax has to analyze this metadata for data continuity and sanitation, but when the experts sent a color fax, they noticed that the sending and receiving machines used the .JPG image format instead of .TIFF.
“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file.” “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”
The vulnerable OfficeJet printers parse the fax data with a custom JPEG parser: instead of using libjpeg, the developers implemented their own.
The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.
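The bug class described here, a home-grown JPEG parser trusting length fields in attacker-controlled fax data, is illustrated by the following added C example. It is constructed for this page and is not Check Point's or HP's code; the segment layout, the fixed buffer size, and the sample files are assumptions. It walks the marker segments that precede the image data and applies the two bounds checks whose absence turns a length field into a stack-based overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_COMMENT 64   /* fixed-size buffer the COM payload is copied into */

/* Walk the marker segments before the image data (SOI, then APPn/COM/DQT/...
 * until SOS or EOI). Each segment after its 2-byte marker carries a big-endian
 * 16-bit length that counts the two length bytes as well. Returns the number
 * of segments walked, or -1 if the file is malformed. Constructed example. */
int parse_jpeg_segments(const uint8_t *buf, size_t len, char *comment_out) {
    size_t pos = 2;
    int count = 0;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;  /* no SOI */
    while (pos + 2 <= len) {
        uint8_t marker = buf[pos + 1];
        if (buf[pos] != 0xFF) return -1;
        if (marker == 0xD9 || marker == 0xDA) return count;      /* EOI / SOS */
        if (pos + 4 > len) return -1;                            /* length cut off */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        /* Check 1: the untrusted length must cover its own 2 bytes and must
         * not run past the end of the received data. */
        if (seglen < 2 || seglen > len - (pos + 2)) return -1;
        size_t payload_len = seglen - 2;
        if (marker == 0xFE && comment_out) {                     /* COM segment */
            /* Check 2: clamp to the destination buffer instead of trusting the
             * length field; copying payload_len bytes unclamped into a fixed
             * stack buffer is the classic overflow pattern. */
            size_t n = payload_len < MAX_COMMENT - 1 ? payload_len : MAX_COMMENT - 1;
            memcpy(comment_out, buf + pos + 4, n);
            comment_out[n] = '\0';
        }
        pos += 2 + seglen;
        count++;
    }
    return -1;  /* data ended before SOS/EOI: truncated file */
}

/* Constructed sample: SOI, APP0 "JF", COM "fax", EOI. */
static const uint8_t GOOD_JPEG[] = {0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'J','F',
                                    0xFF,0xFE,0x00,0x05,'f','a','x', 0xFF,0xD9};
/* Constructed sample: COM segment claiming 65535 bytes in a 7-byte file. */
static const uint8_t BAD_LEN_JPEG[] = {0xFF,0xD8, 0xFF,0xFE,0xFF,0xFF,'x'};
static char last_comment[MAX_COMMENT];

int demo_good(void) { return parse_jpeg_segments(GOOD_JPEG, sizeof GOOD_JPEG, last_comment); }
const char *demo_good_comment(void) { demo_good(); return last_comment; }
int demo_bad_length(void) { return parse_jpeg_segments(BAD_LEN_JPEG, sizeof BAD_LEN_JPEG, NULL); }

/* Constructed sample built at runtime: a 200-byte COM payload, larger than
 * MAX_COMMENT; returns how many bytes actually landed in the fixed buffer. */
int demo_oversized_comment(void) {
    uint8_t buf[2 + 4 + 200 + 2] = {0xFF,0xD8, 0xFF,0xFE, 0x00,0xCA};  /* 0x00CA = 202 */
    char comment[MAX_COMMENT];
    memset(buf + 6, 'A', 200);
    buf[206] = 0xFF; buf[207] = 0xD9;
    if (parse_jpeg_segments(buf, sizeof buf, comment) != 1) return -1;
    return (int)strlen(comment);
}
```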
The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.
The researchers dubbed the attack technique Faxploit and demonstrated that, once attackers have compromised a fax machine, they could leverage the NSA exploit EternalBlue for lateral movement.