This is a big blow to our attempt to gain remote code execution. Without access to the Linux filesystem, the odds of replacing a binary or getting a Bash script executed are greatly diminished. At this point, our only hope is that the 0:/ filesystem is writable and that a file written there can get executed in some way.
You now have write access to a location that likely contains startup scripts. You are so close to remote code execution. Now you just need to write a script and figure out how to reboot the printer so the script will get executed.
Remote Code Execution vulnerability in HP inkjet printers
HP published a warning on September 21, 2022 about a buffer overflow vulnerability in the firmware of various printer models (Inkjet, LaserJet Pro and HP PageWide Pro printers). One of the vulnerabilities potentially allows remote code execution (RCE). Firmware updates for the affected printer models are now available.
There are two serious vulnerabilities in various HP printers, as HP discloses in security advisory ish_6839789-6839813-16 dated September 21, 2022. Certain HP printing products are potentially vulnerable to a buffer overflow and/or remote code execution. The advisory covers the following vulnerabilities:
HP is not disclosing details about the two vulnerabilities. HP has since released firmware updates that address them for the affected devices. To get the updated firmware, go to HP's software and driver downloads page and search for the printer model. According to HP, various inkjet printers (HP DeskJet), LaserJet Pro printers and HP PageWide Pro printers are affected. Details can be found in the security notice (the page takes quite a long time to load).
The vulnerability exists due to buffer overflow when handling malicious input. A remote unauthenticated attacker can send a specially crafted file, trigger memory corruption and execute arbitrary code with elevated privileges.
CVE-2022-3942 is a vulnerability rated with a CVSS score of 8.4 out of 10. As HP puts it: Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution.
"Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution," wrote HP's PSRT in a security bulletin.
It's giving researchers remote access to "a set of enterprise multifunction printers and invited researchers to focus on the potential for malicious actions at the firmware level including cross-site request forgery (CSRF), RCE, and cross-site scripting flaws (XSS)."
Another vulnerability (CVE-2018-5409) exists in how PrinterLogic Print Management executes software updates. The software executes code without sufficiently verifying the origin and integrity of the code, which could allow an attacker to execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Security flaws continue to plague printers. In 2018, researchers at Check Point found a vulnerability that allowed an attacker to compromise a multi-function printer with fax capabilities, simply by sending a fax. In August, HP patched hundreds of inkjet models vulnerable to two remote code-execution flaws.
Hewlett Packard has disclosed two potentially dangerous vulnerabilities in the firmware of various enterprise printer models that could be abused by attackers to run arbitrary code on affected printers remotely.

The first vulnerability (CVE-2022-28721), rated critical with a CVSS score of 9.8, is a buffer overflow caused by improper bounds checking that allows potential remote execution of arbitrary code on more than 60 affected printer models, ranging from HP inkjet printers to HP LaserJet Pro and HP PageWide Pro printers. To exploit CVE-2022-28721, a remote attacker could send a specially crafted request to overflow a buffer and execute arbitrary code on the system.

The second flaw (CVE-2022-28722), rated high with a CVSS score of 7.1, is also a buffer overflow; in this case a local attacker could overflow a buffer and execute arbitrary code on the system.
F-Secure found that HP multi-function printers (MFPs) have unlocked shells on the communications board connectors. A malicious actor with physical access to the device might be able to place a temporary or persistent implant via those interfaces. This would allow them to gain control over the printer software, steal documents that are being scanned or printed, attack other printers using a remote code execution vulnerability in the font parser, or move laterally through the network infrastructure.
The module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script to /etc/profile.d, where it is loaded on startup. The printer is then restarted using SNMP.

Impacted printers:
HP PageWide Managed MFP P57750dw
HP PageWide Managed P55250dw
HP PageWide Pro MFP 577z
HP PageWide Pro 552dw
HP PageWide Pro MFP 577dw
HP PageWide Pro MFP 477dw
HP PageWide Pro 452dw
HP PageWide Pro MFP 477dn
HP PageWide Pro 452dn
HP PageWide MFP 377dw
HP PageWide 352dw
HP OfficeJet Pro 8730 All-in-One Printer
HP OfficeJet Pro 8740 All-in-One Printer
HP OfficeJet Pro 8210 Printer
HP OfficeJet Pro 8216 Printer
HP OfficeJet Pro 8218 Printer

Please read the module documentation regarding the possibility of leaving an unauthenticated telnetd service running as a side effect of this exploit.
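Both the writable 0:/ volume with startup scripts described earlier and the Jetdirect path-traversal module above hinge on PJL file-system commands (FSDOWNLOAD, FSUPLOAD, FSDIRLIST and friends) arriving on the raw print port. The following Python is an added example, not code from the original page or from the Metasploit module: it parses those commands out of a captured port-9100 byte stream and flags NAME paths that contain traversal sequences, climb out of the volume root, or write into a boot-time script location. The command syntax follows the standard PJL file-system commands; the captured stream is constructed here for illustration, and the list of startup paths is an assumption based on the /etc/profile.d location named above.

```python
import re

# PJL jobs are bracketed by the Universal Exit Language sequence.
UEL = b"\x1b%-12345X"

# PJL file-system commands: FSDOWNLOAD writes a file, FSUPLOAD reads one,
# FSDIRLIST lists a directory, and so on.
PJL_FS_RE = re.compile(
    rb"@PJL\s+(FSDOWNLOAD|FSAPPEND|FSUPLOAD|FSDELETE|FSMKDIR|FSQUERY|FSDIRLIST)\b([^\r\n]*)"
)
WRITE_CMDS = {"FSDOWNLOAD", "FSAPPEND", "FSMKDIR", "FSDELETE"}

# Assumption for this example: directories a dropped script would run from at boot.
STARTUP_PATHS = ("/etc/profile.d/", "/etc/init.d/", "/etc/rc.d/")


def parse_pjl_fs_commands(stream: bytes):
    """Return [(command, NAME value or None, {numeric attrs})] for every PJL
    file-system command found in a raw port-9100 byte stream."""
    out = []
    for m in PJL_FS_RE.finditer(stream):
        cmd = m.group(1).decode("ascii")
        args = m.group(2).decode("ascii", errors="replace")
        name_m = re.search(r'NAME\s*=\s*"([^"]*)"', args)
        name = name_m.group(1) if name_m else None
        attrs = dict(re.findall(r"\b([A-Z]+)\s*=\s*(\d+)", args))
        out.append((cmd, name, attrs))
    return out


def normalize_pjl_path(name: str):
    """Split a PJL path such as '0:/a/../b' into (volume, canonical POSIX-style
    path, number of '..' segments that climbed above the volume root)."""
    m = re.match(r"^(\d+):(.*)$", name)
    volume, rest = (m.group(1), m.group(2)) if m else (None, name)
    parts, breaches = [], 0
    for seg in rest.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                breaches += 1
        else:
            parts.append(seg)
    return volume, "/" + "/".join(parts), breaches


def classify(cmd: str, name):
    """Return the list of findings for one PJL file-system command."""
    if name is None:
        return []
    volume, canon, breaches = normalize_pjl_path(name)
    findings = []
    if ".." in name:
        findings.append("traversal-sequence")
    if breaches:
        findings.append("escapes-volume-root")
    if volume is None:
        findings.append("no-volume-prefix")
    if cmd in WRITE_CMDS and any(canon.startswith(p) for p in STARTUP_PATHS):
        findings.append("write-to-startup-path")
    return findings


def scan_stream(stream: bytes):
    """Return only the suspicious commands as [(cmd, name, findings)]."""
    flagged = []
    for cmd, name, _attrs in parse_pjl_fs_commands(stream):
        findings = classify(cmd, name)
        if findings:
            flagged.append((cmd, name, findings))
    return flagged


# Constructed sample capture (not real printer traffic): a benign directory
# listing followed by an FSDOWNLOAD whose NAME climbs out of volume 0:.
PAYLOAD = b"#!/bin/sh\necho started >> /tmp/x.log\n"
SAMPLE_STREAM = (
    UEL + b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=10\r\n' + UEL
    + UEL + b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=%d NAME="0:/../../etc/profile.d/x.sh"\r\n'
    % len(PAYLOAD) + PAYLOAD + UEL
)

if __name__ == "__main__":
    for cmd, name, findings in scan_stream(SAMPLE_STREAM):
        print(f"{cmd} {name!r}: {', '.join(findings)}")
```

Run against a pcap's reassembled TCP payload (or a spool file) to find writes that land outside the volume they claim; a legitimate FSDOWNLOAD of a font or macro stays inside 0:/ and produces no findings, which is why a bare write operation is not flagged on its own.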
Some Brother printers had a critical heap overflow bug in their IPP implementation, and a stack buffer overflow flaw in their cookie-handling code. Both of these were RCE bugs. NCC Group found multiple vulnerabilities in several HP printers, including cross-site scripting and buffer overflow flaws.
The printers also had several other less severe bugs, including XSS and CSRF flaws, and a path traversal vulnerability that allowed attackers to check for the existence of files on the printer and then retrieve them.
Xerox printers suffered from critical buffer overflows in their implementations of Google Cloud Print and IPP, and in their web servers. These could all lead to remote code execution or denial of service attacks. They also exhibited XSS and CSRF bugs.
In December 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability that was assigned a risk severity of 10 which is the highest possible risk score. The source of this vulnerability is Log4J, a logging library commonly used by a wide variety of...
The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities. The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.
All six vulnerabilities are privilege escalation flaws that can allow arbitrary code execution in System Management Mode (SMM), which runs at a higher privilege level than the operating system (OS) and the hypervisor.
Hackers can use the security flaws to trick users into visiting a malicious website, which is an act known as a cross-site printing attack. The website then prints a document on the printer that gives the attacker code execution rights. With this power, the hacker can steal information from the multifunction printer, including printed, scanned and faxed documents.
A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Does win2PDF use this software?
Commonly used office printers and multi-function devices can be exploited to leak information and execute code, presenting multiple attack vectors that are often overlooked, a security researcher has found.
Sending a long username to the LPD service on the above devices crashes the printer, requiring a manual restart to bring it back up. Müller said that with the correct shellcode and return address, the vulnerability could be used for remote code execution. More printers than those listed are likely to be vulnerable, he said.