(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Researchers from University Alliance Ruhr have announced that they have discovered vulnerabilities in popular laser printers including models from HP, Lexmark, Dell, Brother, Konica and Samsung. The announced vulnerabilities have a range of effects, but could permit the contents of print jobs to be captured, permit delivery of buffer overflow exploits, password disclosure or even damage to the printer.

The vulnerabilities are in PostScript and Printer Job Language (PJL) and have been around for decades, exploiting limitations of the languages used by most printers. The vulnerabilities can definitely be exploited from the local network, but it is possible that a malicious website could also use cross-site scripting to exploit the vulnerabilities.

It is estimated that up to 60,000 currently deployed printers may be vulnerable.

More information on the research can be found at hacking-printers.net

The researchers have also developed and set of tools called the Printer Exploitation Toolkit (PRET) which can be used to launch the attacks against these vulnerabilities.

The vulnerability disclosures are:

PostScript printers vulnerable to print job capture

Various HP/OKI/Konica printers file/password disclosure via PostScript/PJL

HP printers restoring factory defaults through PML commands

Multiple vendors buffer overflow in LPD daemon and PJL interpreter

Brother printers vulnerable to memory access via PJL commands

Multiple vendors physical NVRAM damage via PJL commands

I am still digging, but so far I have not been able to find any vendor responses to these vulnerability advisories. If you see any please comment on this diary or through our contact page.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Cisco Email Security Appliance for AsyncOS CVE-2017-3818 Remote Security Bypass Vulnerability
Cisco cBR Series Converged Broadband Routers CVE-2017-3824 Denial of Service Vulnerability
EMC Smarts Network Configuration Manager CVE-2017-2767 Remote Code Execution Vulnerability
bitlbee-libpurple CVE-2016-10188 Denial of Service Vulnerability
EMC Smarts Network Configuration Manager CVE-2017-2768 Remote Security Bypass Vulnerability
Apache Groovy CVE-2016-6497 Information Disclosure Vulnerability
BitlBee CVE-2016-10189 Denial of Service Vulnerability
Brocade Virtual Traffic Manager CVE-2016-8201 Cross Site Request Forgery Vulnerability
BitlBee Incomplete Fix CVE-2017-5668 Denial of Service Vulnerability
BlackBerry Enterprise Server CVE-2016-3130 Information Disclosure Vulnerability

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[security bulletin] HPSBST03588 rev 1. - HPE StoreVirtual 4000 Storage and StoreVirtual VSA Software running LeftHand OS, Remote Arbitrary Command Execution
Bzrtp CVE-2016-6271 Man in the Middle Spoofing Vulnerability
Cisco Security Advisory: Cisco Prime Home Authentication Bypass Vulnerability
Zimbra Collaboration Suite CVE-2016-4019 Unspecified Security Vulnerability
[SECURITY] [DSA 3779-1] wordpress security update
HexChat CVE-2016-2233 Stack-Based Buffer Overflow Vulnerability
Huawei EMUI Directory Traversal and Command Injection Vulnerabilities
Zimbra Collaboration Suite CVE-2016-3999 Multiple Unspecified Cross-Site Scripting Vulnerabilities
ESA-2017-003: EMC Network Configuration Manager (NCM) Multiple Vulnerabilities
Atlassian JIRA CVE-2016-6285 Cross Site Scripting Vulnerabiliy
Google Android CVE-2016-0823 Information Disclosure Vulnerability
Linux Kernel 'net/rds/recv.c' Local Information Disclosure Vulnerability
Ecava IntegraXor CVE-2016-8341 Multiple SQL Injection Vulnerabilities
BINOM3 Electric Power Quality Meter Multiple Security Vulnerabilities
Mp3splt 'options_manager.c' Denial of Service Vulnerability
Mp3splt 'cue.c' Null Pointer Dereference Denial of Service Vulnerability
IBM Tivoli Key Lifecycle Manager CVE-2016-6105 Security Bypass Vulnerability
McAfee Agent CVE-2017-3896 Remote Denial of Service Vulnerability
IBM License Metric Tool and BigFix Inventory CVE-2016-8967 Information Disclosure Vulnerability

While hunting for interesting cases, I found the following phishing email mimicking an UPS delivery notification:

When you click on the link, you are redirected to the following URL:


Where zzzzzzzzzz is the Base64 encoded email address of the victim. This link delivers a malicious Microsoft Word file with a macro:

# oledump.py file.tmp
  1:       113 \x01CompObj
  2:      4096 \x05DocumentSummaryInformation
  3:      4096 \x05SummaryInformation
  4:      4096 1Table
  5:     46803 Data
  6:       525 Macros/PROJECT
  7:        86 Macros/PROJECTwm
  8: M   10403 Macros/VBA/ThisDocument
  9:      8458 Macros/VBA/_VBA_PROJECT
 10: m    1156 Macros/VBA/blush
 11:       839 Macros/VBA/dir
 12: M   16661 Macros/VBA/fruitage
 13:        97 Macros/blush/\x01CompObj
 14:       288 Macros/blush/\x03VBFrame
 15:       102 Macros/blush/f
 16:     12296 Macros/blush/o
 17:     72591 WordDocument

The analysis reveals a malicious file delivering Hancitor[1]. It width:500px" />

It looks that the file visitor.txt contains all the victims who clicked on the link because the file was growing during my investigations. While redacting this diary, the file contains 11587 lines:

The second interesting file is called block.txt and contains IP addresses (1833 lines). It looks to be addresses used by major companies like Google or Amazon. I presume that visitors coming from one of these IP addresses won width:600px" />

Ill now have a deeper look at the list of blocked IP addresses and see if the content could be useful for another diary.

[1] https://www.virustotal.com/en/file/82e3ec80dde9adb2be1c3abe27c37940b3e0ff3b7f2b80b39e10aae540b1fb7a/analysis/
[2] https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919

ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[security bulletin] HPESBHF03700 rev.1 - HPE iMC PLAT, Remote Disclosure of Information, Denial of Service (DoS)
[SECURITY] [DSA 3778-1] ruby-archive-tar-minitar security update
[security bulletin] HPESBGN03696 rev.1 - HPE Helion Eucalyptus, Remote Escalation of Privilege
Internet Storm Center Infocon Status