Take control of HP OfficeJet Printers via FAX (POC video included)

HP OfficeJet Printers were hijacked via a malicious fax, once the printer has read the fax, the attacker can get access to the underlying network.

That’s what researchers from security company CheckPoint demonstrated during the Def Con conference in Las Vegas.

“We were able to achieve the vulnerability by sending a large XML file of more than 2GB to the printer over TCP port 53048, which caused a stack-based buffer overflow, giving us full control over the printer”, the researchers said. The problem is caused by the way the printers handle jpg files.

In a ground breaking new discovery, Check Point researchers show how cyber criminals could infiltrate any home or organization’s entire IT network using nothing more than a mere fax number. While fax machines may seem outdated, millions of companies and individuals worldwide still rely on it as a main method of communication to conduct their business.

Normally, the OfficeJet printer uses the tiff format when receiving a fax.

The headers are then drawn up and checked by the receiving party. However, when a color fax is sent, the printer uses a JPG file. With a JPG file, the sender has complete control over the entire file.

As soon as the receiving printer receives a color fax, the entire content is placed in a jpg file without further checking.

References:

  • youtube.com/watch?v=1VDZTjngNqs
  • security.nl/posting/573286/HP+OfficeJet+Printers+waren+door+malafide+fax+over+te+nemen
  • research.checkpoint.com/sending-fax-back-to-the-dark-ages/