Information Security News
Researchers from University Alliance Ruhr have announced that they have discovered vulnerabilities in popular laser printers, including models from HP, Lexmark, Dell, Brother, Konica and Samsung. The vulnerabilities have a range of impacts: they could permit the contents of print jobs to be captured, the delivery of buffer overflow exploits, password disclosure, or even damage to the printer.
The vulnerabilities lie in PostScript and Printer Job Language (PJL), the languages used by most printers, and have existed for decades, arising from limitations of those languages. The vulnerabilities can definitely be exploited from the local network, but it is possible that a malicious website could also use cross-site scripting to exploit them.
It is estimated that up to 60,000 currently deployed printers may be vulnerable.
More information on the research can be found at hacking-printers.net
The researchers have also developed a set of tools called the Printer Exploitation Toolkit (PRET) which can be used to launch attacks against these vulnerabilities.
The vulnerability disclosures are:
I am still digging, but so far I have not been able to find any vendor responses to these vulnerability advisories. If you see any please comment on this diary or through our contact page.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
While hunting for interesting cases, I found the following phishing email mimicking a UPS delivery notification:
When you click on the link, you are redirected to the following URL:
Where zzzzzzzzzz is the Base64 encoded email address of the victim. This link delivers a malicious Microsoft Word file with a macro:
# oledump.py file.tmp
  1:       113 \x01CompObj
  2:      4096 \x05DocumentSummaryInformation
  3:      4096 \x05SummaryInformation
  4:      4096 1Table
  5:     46803 Data
  6:       525 Macros/PROJECT
  7:        86 Macros/PROJECTwm
  8: M   10403 Macros/VBA/ThisDocument
  9:      8458 Macros/VBA/_VBA_PROJECT
 10: m    1156 Macros/VBA/blush
 11:       839 Macros/VBA/dir
 12: M   16661 Macros/VBA/fruitage
 13:        97 Macros/blush/\x01CompObj
 14:       288 Macros/blush/\x03VBFrame
 15:       102 Macros/blush/f
 16:     12296 Macros/blush/o
 17:     72591 WordDocument
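To turn a listing like the one above into a quick triage verdict, here is a small parser written for this diary as an added example (it is not the author's code and not part of oledump.py). It reads the stream table, picks out the streams oledump marks with M (VBA code present) or m (macro stream with attributes only), and notes any UserForm (the Macros/<name>/f and /o streams), since the form's "o" stream is a frequent hiding place for strings the macro code later reads. The sample listing is the one from the diary, re-typed line by line; the verdict strings are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the oledump.py stream listing from the diary, one stream per line.
# Backslash sequences such as \x01 are literal text in oledump output, hence the raw string.
OLEDUMP_OUTPUT = r"""
1: 113 \x01CompObj
2: 4096 \x05DocumentSummaryInformation
3: 4096 \x05SummaryInformation
4: 4096 1Table
5: 46803 Data
6: 525 Macros/PROJECT
7: 86 Macros/PROJECTwm
8: M 10403 Macros/VBA/ThisDocument
9: 8458 Macros/VBA/_VBA_PROJECT
10: m 1156 Macros/VBA/blush
11: 839 Macros/VBA/dir
12: M 16661 Macros/VBA/fruitage
13: 97 Macros/blush/\x01CompObj
14: 288 Macros/blush/\x03VBFrame
15: 102 Macros/blush/f
16: 12296 Macros/blush/o
17: 72591 WordDocument
"""

# One oledump listing line: index, optional indicator (M = VBA code, m = macro stream
# holding only attributes, ! = unusual stream), size in bytes, then the stream name.
LINE_RE = re.compile(r"^\s*(\d+):\s+(?:([Mm!])\s+)?(\d+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Stream:
    index: int
    indicator: str   # "M", "m", "!" or "" for a plain stream
    size: int
    name: str


def parse_oledump(text: str) -> list:
    """Parse an oledump.py stream listing into Stream records."""
    streams = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip the command line, blank lines and anything unrecognised
            continue
        idx, ind, size, name = m.groups()
        streams.append(Stream(int(idx), ind or "", int(size), name))
    return streams


def triage(text: str) -> dict:
    """Summarise what an analyst wants to know before dumping any stream."""
    streams = parse_oledump(text)
    code = [s.index for s in streams if s.indicator == "M"]
    attr_only = [s.index for s in streams if s.indicator == "m"]
    # A UserForm appears as Macros/<form>/f and Macros/<form>/o; the 'o' stream holds
    # the form's object data and is a common place to stash strings used by the VBA code.
    forms = sorted({s.name.split("/")[1] for s in streams
                    if s.name.startswith("Macros/") and s.name.endswith("/o")})
    return {
        "stream_count": len(streams),
        "macro_streams_with_code": code,
        "macro_streams_attributes_only": attr_only,
        "userforms": forms,
        "verdict": "VBA macros present, inspect further" if code else "no VBA code found",
    }


if __name__ == "__main__":
    for key, value in triage(OLEDUMP_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the diary's listing it reports streams 8 and 12 as carrying VBA code, stream 10 as an attributes-only macro stream, and one UserForm named blush, which tells you where to point oledump's -s and -v options next.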
The analysis reveals a malicious file delivering Hancitor. It
It looks like the file visitor.txt contains all the victims who clicked on the link, because the file kept growing during my investigation. While writing this diary, the file contains 11587 lines:
The second interesting file is called block.txt and contains IP addresses (1833 lines). These look like addresses used by major companies such as Google or Amazon. I presume that visitors coming from one of these IP addresses won
I'll now have a deeper look at the list of blocked IP addresses and see if the content could be useful for another diary.
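When a block list like block.txt lands on an analyst's desk, the first questions are how many of its entries are valid addresses, which networks dominate it, and how much of it overlaps with ranges you can attribute to a cloud provider or a security scanner. The following is an added example written for this diary, not the author's own tooling: the block list and the labelled reference ranges are constructed from RFC 5737 documentation addresses and placeholder owner names, so a real investigation would substitute published provider ranges or WHOIS data.

```python
import ipaddress
from collections import Counter

# Constructed sample of a block list in the shape the diary describes: one address per
# line, with a comment and a malformed line included to show that both are skipped.
# Addresses are RFC 5737 documentation ranges, not entries from the real block.txt.
BLOCK_TXT = """\
# scanner / cloud addresses (constructed sample)
203.0.113.10
203.0.113.11
203.0.113.200
198.51.100.5
198.51.100.77
192.0.2.250
not-an-ip
"""

# Constructed reference ranges with placeholder owner labels (assumption for the example).
REFERENCE_RANGES = {
    "example-cloud-provider": ["203.0.113.0/24"],
    "example-security-scanner": ["198.51.100.0/25"],   # covers .0 through .127
}


def parse_block_list(text):
    """Return the valid IPv4/IPv6 addresses in a block list, ignoring comments and junk."""
    addresses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addresses.append(ipaddress.ip_address(line))
        except ValueError:  # malformed entries are common in attacker-maintained lists
            continue
    return addresses


def attribute(addresses, reference):
    """Count how many addresses fall inside each labelled range; the rest are 'unattributed'."""
    nets = {label: [ipaddress.ip_network(c) for c in cidrs]
            for label, cidrs in reference.items()}
    counts = Counter()
    for addr in addresses:
        owner = next((label for label, cidrs in nets.items()
                      if any(addr in n for n in cidrs)), "unattributed")
        counts[owner] += 1
    return dict(counts)


def top_prefixes(addresses, prefixlen=24, n=3):
    """Most common IPv4 prefixes of the given length: which networks dominate the list."""
    counter = Counter(
        str(ipaddress.ip_network((a, prefixlen), strict=False))
        for a in addresses if a.version == 4
    )
    return counter.most_common(n)


if __name__ == "__main__":
    addrs = parse_block_list(BLOCK_TXT)
    print(f"{len(addrs)} valid addresses")
    print("attribution:", attribute(addrs, REFERENCE_RANGES))
    print("top /24s:", top_prefixes(addrs))
```

The attribution step is what tests the diary's hypothesis: if most of a list maps onto cloud and scanner ranges, the list is there to keep automated analysis away from the kit rather than to protect anything. Swapping a /24 summary for a /16 one (prefixlen=16) shows whether the entries cluster around a few large allocations.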
ISC Handler - Freelance Security Consultant