Printing Shellz

What do you get when you combine a hardware hacker (Alexander), a red teamer who wants to learn hardware security (Timo), and a spare HP multi-function printer? Two happy hackers, unconventional zero-days, new tooling for the F-Secure red team - and for you a detailed write-up of the journey.

This paper will walk you through the steps of our journey, from how we discovered the vulnerabilities to how we lovingly crafted the exploits, and it also provides mitigation advice. The vulnerabilities that were discovered affect more than 150 HP multi-function printers (MFPs).

If your appetite isn't whetted enough already, here is a video that shows the printer being exploited and compromised via a malicious website. The exploit starts a SOCKS proxy on the MFP, allowing the attacker to move laterally through the network infrastructure. An alternative attack vector is - you guessed it - to simply print a maliciously crafted document.

PS: The affected printers and the vulnerabilities described in the paper are different from our Pwn2Own Austin 2021 exploit. Once the patch for the Pwn2Own vulnerabilities is available, we'll publish another detailed write-up for those issues.