This Week in Security: Printing Shellz, Ms-officecmd, and AI Security

f-secure researchers have developed an impressive new attack, using HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage will have a shell and reverse proxy installed on a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interaction.

The vulnerability used to get a foot in the door lies in the way Type 2 fonts are parsed. The character strings used in these font descriptors are essentially tiny little programs that run on the printer to define each symbol in the font. It is not surprising that the interpreters of these small programs, being obscure and easily forgotten, are full of fragmentary code and vulnerabilities. The HP printer they’re going after is no exception, and here the load the operator is the culprit. This command was officially removed from the Type 2 specification, possibly due to the security challenge it poses, but older parsers may still support it. Load is little more than a memcpy(), and since the parser does not properly validate arguments, this allows for arbitrary memory overwrites. The researchers chose to overwrite a function pointer of another function, giving them the ability to access any code gimmick they could find. Through the judicious use of longjmp() function, they could build a fake stack and access it directly, which would lead to the execution of arbitrary code.

There is quite a long section on how they reverse engineered the printer firmware update file format, to determine which models were still vulnerable to the attack. This turned out to be an unnecessary distraction, as an extraction tool was already available. Let this be a lesson to all of us, use a search engine before spending hours doing work that someone else may have already done and published. The conclusion of their research was that 38 different HP printers were vulnerable to the attack. Updates are available and the circumstances of this vulnerability make exploitation more likely. First of all, the writing here is quite good, and one would expect the exploit to be recreated fairly easily by interested parties. Second, updating printer firmware is often a hassle, so it’s likely that unpatched devices will be ubiquitous for years to come.


Remote code execution exploits are sometimes extremely difficult, and then there are instances like ms-officecmd. This is yet another example of the operating system mishandling URI schemes. [Fabian Bräunlein] and [Lukas Euler] were looking through the URI handlers in Windows 10, and found the ms-officecmd scheme. A bit of exploration revealed that the schema was expecting JSON arguments, which got them really excited, as it involved complexity.

Once they figured out the right JSON format for the URI scheme, they started looking for a way to abuse it. The vulnerability they found is launching Teams with the --gpu-launcher flag. This flag allows you to specify an arbitrary application to run on startup. Using Chromium-derived browsers, a popup asks for permission to run the URI. On the other hand, Edge and legacy IE11 allow a Javascript click() command to trigger the link and call the URI without user interaction. Microsoft reviewed the bug report and closed it, saying, “Unfortunately, your report appears to rely on social engineering to accomplish this, which would not meet the definition of a security vulnerability.” Fortunately, this misunderstanding was quickly dispelled, but the first patch did not fix the problem and Microsoft paid 10% of what the vulnerability should have been worth. The zero-click vulnerability has been fixed, but it’s still too easy to inject commands into the URI field.

AI detects strange TLS certificates

NCC Group apparently misses the good old days, when TLS encryption usually meant traffic was valid. OK, maybe it’s never been easier. All the same, [Margit Hazenbroek] noted that malware sometimes hides its activity inside TLS, but when you actually look at the TLS certificate being used, it tends to look odd. The given example of Ryuk ransomware is good – the organization listed is “lol”. It’s pretty obvious to a human that this is odd, but it’s not really practical to check every certificate used on your network.

We have a tool that might be able to do an automated test for weirdness, machine learning. If we could provide enough good examples of valid and questionable certificates, an AI model might be able to flag questionable certificates in real time. Using Half-Space-Trees, a clever way to classify the weirdness of a given example. NCC Group was successful in trials and has now rolled out the idea in its SECOPS centers. With the availability of open source ML frameworks, very little prevents us from re-implementing the idea ourselves or using AI for other similar tasks.

No more NPM wickedness

The stream of rotten NPM packages doesn’t seem to stop, as 17 more have just been removed from the repository. Most of them are the typosquatting garden variety that we have already seen. At least one, however, uses the dependency confusion attack, where the malicious package has the same name as a proprietary package, in the hope that the target’s build tools will grab the malicious version instead of their own. private package. It’s also worth noting that several of these malicious packages attempt to steal Discord tokens, while many simply grab environment variables, hoping to find secrets.

air gaps

And finally, if you enjoy reading about high complexity malware, and you probably do given that you’re here reading this column, then you’ll enjoy ESET’s 15-year summary of the leap from air. There’s none of the hypothetical magic you might expect from APT groups. Everything in nature uses the humble USB drive to take the leap. While Stuxnet was certainly the most famous, it was not the first malware of its kind deployed. The overview is excellent and reminds us that the simplest of devices, the USB key, can be so effective.

Comments are closed.