16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines (threatpost.com)
An anonymous reader quotes a report from Threatpost: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.
According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations. "This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user," according to SentinelOne's analysis, released on Tuesday. "Essentially, this allows attackers to overrun the buffer used by the driver." Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm.
The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup. "Thus, in effect, this driver gets installed and loaded without even asking or notifying the user," explained the researchers. "Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected." Affected models and associated patches can be found here and here.
"While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing," according to SentinelOne. "This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks." Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, since it comes with Microsoft Windows via Windows Update.
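The summary above pins the defect on a copy whose length comes straight from the caller. The C program below is an added example, not code from the page, from SentinelOne's write-up or from the HP driver. It models an IOCTL-style request carrying a caller-supplied length field (the struct layout, the 32-byte destination, and the names copy_name_checked and try_request are assumptions for illustration) and shows the checks a handler needs before it copies anything: the claimed length is compared against the bytes the I/O path actually delivered and against the destination capacity, and the result is NUL-terminated, which strncpy by itself does not guarantee. The same point covers the later thread about trusting user-provided data lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size buffer the hypothetical driver copies into. */
#define NAME_BUF_LEN 32

/* Constructed stand-in for the IOCTL input buffer: a caller-supplied length
 * followed by the string bytes. The layout is an assumption for this example,
 * not the real driver's structure. */
struct name_request {
    uint32_t length;            /* caller-controlled; never trusted as-is */
    char     bytes[256];
};

enum copy_status {
    COPY_OK = 0,
    COPY_ERR_SHORT_INPUT,       /* claimed length exceeds bytes actually supplied */
    COPY_ERR_TOO_LONG           /* claimed length exceeds destination capacity   */
};

/* The unsafe pattern the report describes, shown for contrast and never called:
 *
 *     strncpy(dst, req->bytes, req->length);
 *
 * strncpy bounds the copy only by its third argument. When that argument is
 * the caller's own number, the destination size is never consulted, and
 * strncpy also leaves dst unterminated whenever the source fills it. */

/* Hardened copy: validate the claimed length against what was delivered
 * (input_len) and against the destination size, then terminate explicitly. */
enum copy_status copy_name_checked(char dst[NAME_BUF_LEN],
                                   const struct name_request *req,
                                   size_t input_len)
{
    size_t header = offsetof(struct name_request, bytes);
    if (input_len < header || req->length > input_len - header)
        return COPY_ERR_SHORT_INPUT;    /* caller lied about how much it sent */
    if (req->length >= NAME_BUF_LEN)
        return COPY_ERR_TOO_LONG;       /* reserve one byte for the NUL */
    memcpy(dst, req->bytes, req->length);
    dst[req->length] = '\0';
    return COPY_OK;
}

/* Builds a request from a constructed payload and a (possibly dishonest)
 * claimed length, runs the checked copy, and returns its status. */
enum copy_status try_request(const char *payload, uint32_t claimed_len,
                             char out[NAME_BUF_LEN])
{
    struct name_request req;
    memset(&req, 0, sizeof req);
    size_t n = strlen(payload);
    if (n > sizeof req.bytes)
        n = sizeof req.bytes;
    memcpy(req.bytes, payload, n);
    req.length = claimed_len;
    /* Bytes the I/O path would actually hand the handler: header + payload. */
    size_t delivered = offsetof(struct name_request, bytes) + n;
    return copy_name_checked(out, &req, delivered);
}

int main(void)
{
    char out[NAME_BUF_LEN];
    /* Honest request, a request claiming far more than it sent, and one whose
     * honest length still exceeds the destination buffer. */
    printf("honest:      %d\n", try_request("LaserJet", 8, out));
    printf("lying len:   %d\n", try_request("LaserJet", 4096, out));
    printf("too long:    %d\n",
           try_request("0123456789012345678901234567890123456789", 40, out));
    return 0;
}
```

The two checks are deliberately separate so the handler can log which one fired: a length that exceeds what the I/O manager delivered is a malformed or hostile caller, while a length that merely exceeds the destination is the overrun the report describes.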
The solution is obvious... (Score:1, Funny)
Re: (Score:2)
Stalkers stalking stalkers... it's stalkers all the way down.
Re: (Score:1)
Well it's just that this guy is also stalking me, and you're stalking me, so I just thought it was funny that you two were also stalking each other.
Re: (Score:2)
Careful, if you call him out he'll start digging through your comment history and make racist, sexist, and homophobic remarks (which I've been aggregating so I can show it to /.'s sponsors and say "This is the kind of platform you are giving money to")
Re: (Score:2)
That's because I don't owe you anything, my endgame is to trigger you into self-harming or smashing your monitor in order to start a rage cycle where the very thought of me sets you off. All the shit that I've put up with my entire life is nothing compared to the worst you could do to me.
Re: (Score:1)
You know that this is only going to embolden me, right?
Re: (Score:1)
Did you cut a deal with HP? How are you making money off this now?
Re: (Score:3, Insightful)
It's called a "joke", you bunch of haters. Honestly the bunch of you make Creimer seem kind of infamous. Like what did he do to you? Shit in your cereal? Or honestly, I half expect you all to be his alts or something, so the whole thing is like a huge internet gag.
Re: (Score:2)
Never, ever trust a link from creimer. He used to salt his posts with affiliate links constantly. It was cancerous.
Whew! (Score:3)
One more reason not to buy HP printers anymore.
Re: (Score:2)
+1, I only buy Canon inkjet printers and not that HP crap.
Re: (Score:3)
> +1, I only buy Canon inkjet printers and not that HP crap.
I buy whichever is cheaper. I use it until it runs out of ink, and then I throw it away and buy a new one.
Re: (Score:3)
Why not just get a laser printer instead of creating more e-waste and landfill?
It will be cheaper for you in the long run. I have a Ricoh one, full colour, takes refilled carts no problem. In hindsight I should have got a Brother as they are even better for low TCO, but the Ricoh was on sale at the time.
Re: (Score:2)
It depends very much on how much you print. If it's not much, and you need color, then inkjets are still cheaper.
Re: Whew! (Score:3)
Re: (Score:2)
Yes, Lexmark is truly one of the worst printer vendors. Along, of course, with the HP of today. Lexmark has pretty much always been bad, though, in different ways.
Re: Whew! (Score:2)
Re: (Score:2)
First iterations of products seem to be well-designed before they "cheapen it out".
Re: (Score:2)
I used to have one of those, they worked very well. However I replaced mine with a Solid Ink Printer and then a Laser, mostly because the time it took to print was way too long. Granted it was faster than the Dot Matrix I used previously. However I used that sucker new in High School and made some really impressive stuff at the time. I remember using Neopaint to do my Science Class Lab result papers, where most students had to draw and color the results with markers, crayons or pencils I had a color graphi
Re: (Score:2)
Re: (Score:2)
Actually I have a BW Laser printer, because I don't print that much. At my level of printing, inkjets are a waste. If I only print a few pieces of paper a year, my inkjet would dry up and not work every time I print. I got a cheap small Samsung Laser Printer, and after a decade owning it, I had to replace the stock limited supply toner cartridge once (7 years ago).
Re: (Score:2)
I disagree. Inkjets dry out quickly. You only get a few months (maybe a year if you're lucky?) before the cartridges dry out and you have to replace them (or the printer in OPs case...). You can get a color laser printer, often with duplex printing, for about $300 (duplex seems to be standard sometimes, sometimes it's $50 more). An inkjet is going to be $100 probably, so after replacing it 3 times you're better off with the laser.
I have a Xerox color laser printer that I got close to 5 years ago and is stil
Re: (Score:2)
Actually if you don't print much and want to print color you are still better off getting a color laser printer. The toner doesn't dry out and clog the print head which is exactly what can happen if you use your inkjet infrequently.
The upfront cost will be greater but over time the laser printer will still be more cost efficient than an inkjet.
Re:Whew! (Score:5, Informative)
Good thing I have a Canon laser printer. :)
But Windows still ships with the HP drivers even when you don't use an HP printer, ergo there is still a path to exploit this, even if you never had an HP printer -- if nothing else the attacker simply executes an Add Printer action (which does not require privileges) and specifies a fake HP Network printer that doesn't exist in order to make sure the driver will be loaded.
Re: Whew! (Score:4, Funny)
> Good thing I have a Canon laser printer. :)
> But Windows still ships with the HP drivers even when you don't use an HP printer, Ergo there is still a path to exploit this, even if you never had a HP printer
Holy shit dude never reveal that you've read the fucking article!
Re: Whew! (Score:2)
Re: (Score:2)
https://www.openprinting.org/d... [openprinting.org]
Re: (Score:2)
"You simply sent the postscript image to the printer."
A postscript file isn't an image, it is a program. Which means you have to worry about someone exploiting your printer: https://oaklandsok.github.io/p... [github.io]
Re: (Score:3)
It should probably be noted that MOST, perhaps all modern printers are PostScript printers, even HP Printers. You still need printer drivers and driver binaries --- your hardware needs protocols for transmitting the PostScript data and uploading fonts, etc., to the printer. Finally, you need a PCL (Printer Command Language) file describing how to send commands to the printer -- because PostScript itself is not a command language and your computer needs custom extensions to have a way of issuing command
Re: (Score:2)
But you still buy Windows?
How the hell are admins supposed to be able.. (Score:2)
.. to do their jobs when we're spending all our time dealing with this sort of crap.
Re:How the hell are admins supposed to be able.. (Score:5, Insightful)
Microsoft is job security, not OS security
Re:How the hell are admins supposed to be able.. (Score:5, Funny)
Re:How the hell are admins supposed to be able.. (Score:5, Informative)
Or rather Linux has no printer drivers in the kernel and user-space drivers are typically _not_ run as root. As it should be in any sane design.
Linux may have _interface_ drivers in the kernel, but these will not be written by the vendor in most cases and they will have gotten at least some review from the kernel team. Not perfect. Kernel drivers are a known and ongoing problem in Linux as well. In theory, drivers should always be sand-boxed. Unfortunately, that is hard to do and may fail its purpose when the sandbox is configured wrongly. And, as drivers may need hardware access, there is no way to just use a generic sandbox.
The bottom line is that Linux makes this kind of screw-up somewhat hard but not impossible. Microsoft more or less invites it though.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I was only referencing the historic problems Linux had with getting printers to work ever.
Well, you should always check hardware for compatibility before assuming it works with some system.
Re: How the hell are admins supposed to be able.. (Score:2)
Re: How the hell are admins supposed to be able.. (Score:1)
Re: (Score:2)
This _is_ part of the job of admins. And yes, this is crap as well. But imagine what would happen to many Windows admins if MS suddenly learned how to write an OS....
Re: (Score:2)
> This _is_ part of the job of admins. And yes, this is crap as well. But imagine what would happen to many Windows admins if MS suddenly learned how to write an OS....
+5 Insightful.
We had an entire department of them for Windows maintenance. As counterintuitive as it sounds - there is a vested interest in having Windows be exactly what it is.
In the meantime, security on the user level is getting onerous. I have some innocent programs Windows insists are trojans that you have to jump through hoops to install and use, but Microsoft politely ships you ancient and ongoing security flaws as standard stuff.
Re: (Score:2)
Anything involving the word "admin" implies a business of a suitable size to have one. That also implies networked printers. That means a couple of things. One, the printers are on their own network. Two, that also means there's a print server on the same network, but fire-walled against the rest.
Re: (Score:2)
How the hell does it open-up a portal that allows free-access to the system?
it doesn't. the driver already runs in privileged mode, it is trusted and signed code expected to be well behaving. except it contains a buffer overrun vulnerability that can be exploited to execute arbitrary code in its privileged process space.
this is really basic stuff ... may i ask what "system-level programming" you have actually done?
Re: (Score:2)
> this is really basic stuff ... may i ask what "system-level programming" you have actually done?
Not everyone here is a programmer. Me for instance. I'm RF and optics. I know just enough programming to write uncomplicated stuff and to understand when the programmers are trying to bullshit me. But no one would call me a real programmer.
Re: (Score:2)
totally fair, but the post says he has actually done "system programming". i'm just curious what system programming you can do without understanding the very basic workings of a cpu or the concept of an execution stack.
Re: (Score:2)
sigh. actually exploiting a buffer overrun is not the same as understanding the principle which is pretty straightforward and has been known for half a century already, as has privilege escalation.
if you read the post again carefully you'll spot several other assumptions that are basically incompatible with having done any form of systems programming whatsoever, especially parts about "somehow instantly elevates a process to 'god-level'" and "a data error ... either stops safely, or signals an error and the
Re: (Score:2)
> if you read the post again carefully you'll spot several other assumptions that are basically incompatible with having done any form of systems programming whatsoever,
Hey - he calls himself a cabbage head. I'll accept it!
Look at the stack (Score:5, Interesting)
> but surely if a process suffers a data-error (which, surely is exactly what a buffer-overrun is?), it either stops safely, or signals an error and then stops anyway.
A buffer overrun is only going to throw an error if it's triggered by a cat walking on the keyboard - if random bytes get written to whatever is after the buffer. If the extra bytes are *chosen*, it's arbitrary code execution.
Take a look at the standard stack layout. But "upside down", with memory addresses going up. You have the local variables, then the saved stack pointer EBP, then RIP - the address of the code to execute on return!
Where is that buffer? Probably a local variable. So writing past the end of it means you overwrite EBP and RIP. Whatever you write 4-8 bytes past the buffer, that'll be used as the address of the next code to execute. Let's write the address of system() or exec() in the standard library, shall we? :)
With modern code, there might be a canary in between EBP and RIP. Okay, so either leak the canary and overwrite it with the same value, or - just overwrite EBP. EBP is used as the address of the base of the stack after the return. What's found after the base of the stack? The RIP that's used to return from the NEXT function! So in EBP, write the address of the middle of your buffer. In that buffer, put the address of system() or exec() or whatever you want to get a shell.
Re: (Score:2)
> but surely if a process suffers a data-error (which, surely is exactly what a buffer-overrun is?), it either stops safely, or signals an error and then stops anyway.
> A buffer overrun is only going to throw an error if it's triggered by a cat walking on the keyboard - if random bytes get written to whatever is after the buffer. If the extra bytes are *chosen*, it's arbitrary code execution.
Well, actually it is going to cause an error in almost all cases, except for carefully crafted attack code. That is one reason it is usually easy to find by (structured) fuzzing or code-scanners like Fortify. Also, buffer overrun and underrun tests are part of any sane set of unit-tests and any sane code does check for this twice: 1) in the input validation code and 2) when writing the actual buffer. If you do that, buffer over-/underrun becomes a rare issue. Many "coders" do not have an engineering mind-se
Re: (Score:2)
> Well, actually it is going to cause an error in almost all cases, except for carefully crafted attack code.
If you run gcc on "some bytes", or do php "file", it'll throw an error "in almost all cases". Almost all sequences of bytes aren't valid code, in any language. Just like almost all sets of letters will have an error if you try to read them as English. Let's try it out with some letters:
Mthoggejfje
Sure enough, that's an error in English.
That's true if you truly consider ALL possible sets of bytes.
T
Re: (Score:2)
> somehow instantly elevates a process to 'god-level'.
The driver is running in kernel space. Any vulnerability will get you high-level privileges.
Re: (Score:1)
Actual list of new drivers (Score:2)
Re: (Score:2)
If you have a really old HP printer (laserjet 2/3) , you can just copy a file directly to it...
Re: Actual list of new drivers (Score:2)
Re: (Score:2)
You know, I can do that with my current OKI and on Linux I simply push a .ps file via netcat. I only need some stupid driver on Windows.
Re: (Score:2)
CUPS probably supports the old printer. Just set up a VM, install linux and Samba and set up a postscript printer.
Because Windows is easier. :)
Drivers in the Kernel ... (Score:5, Insightful)
Re:Drivers in the Kernel ... (Score:4, Insightful)
Well, the other issue is we have yet another example of an exploit made possible because the user is trusted to provide the length of the data being passed.
Re:Drivers in the Kernel ... (Score:4, Informative)
The problem is that providing data length is like "binary protocol 101". Pretty much any non-text data file on your computer will make use of "data size, actual data" approach. Unfortunately the only way you can handle it is to verify the input data correctness and handle (or let the used technology handle) the invalid input
Re: (Score:2)
Anybody that does not validate input or fails to validate all moves to buffers for size has no business writing production code. This does not only apply to C code.
Re: (Score:2)
The problem is stopping at the 101 level. You're supposed to go on from there. That's introduction, not completion.
Re:Drivers in the Kernel ... (Score:5, Informative)
I don't think that's the issue here; printer drivers aren't in kernel space any more. The problem is lots of crap running as SYSTEM, rather than having a capability model of what it can do.
Re: (Score:2)
Probably. May take MS another 20 or 30 years to get that idea. Of course, UNIX had done it for decades, but MS thinks they are so great they do not need to learn from others. Result is that they do not learn.
Re: (Score:1)
Cups/Apple has effectively fixed printer drivers for non-Windows users (e.g. Linux, MacOS, BSD). It supports 99.9% of printers out there. https://www.cups.org/ [cups.org]
I doubt driver issues will ever get addressed on Windows (it's not just printers) because software backwards compatibility is too important fo
IOT = (Score:2)
Idiots Orchestrated This
Hashtag (Score:2)
Funny (Score:1)
I blame driver bloat (Score:5, Insightful)
Back when I and the world were both young, printer drivers came on a disc and contained a couple kilobytes of code that allowed the computer to communicate with a printer.
Today, they come on DVDs filled to the b... no, actually, they come as multi-GB downloads that install printer driver, a "printing suite" nobody cares about, a bunch of other "utility" programs with questionable to dubious value, and of course a buttload of spyware to ensure you're buying their cartridges instead of some third party ink and toner.
Guess what: Some of that rubbish nobody could possibly want on their PC is prone to have security issues. Twice so if that's basically the function of the whole shit.
So? (Score:2)
Re: (Score:1)
Hmmm.
On the HP site, it looks like it's (some of) their laser printers ... none of the typical 'home' ranges get a mention.
SD
100 more drivers on the wall to go (Score:4, Interesting)
Re: (Score:2)
It gets much worse (Score:2)
Sounds so silly. (Score:3)
List of affected printers (Score:4, Informative)
This https://support.hp.com/us-en/d... [hp.com] is the HP link that actually lists the devices affected. The one in the article makes you search manually.
Drive-by, or trojan? (Score:2)
At the present time, are there any known "drive-by" exploits that can be triggered indirectly (say, by allowing Explorer to parse a file that's merely present, or by visiting a web page with malicious content), or does it still at least require that users actively DO something to initiate actual printing, which requires some degree of social engineering to trick users into initiating it?
Trojans are bad, especially with nontechnical users (particularly if they can trigger actions remotely on OTHER people's computer
F'n ugly clunky software. (Score:4, Insightful)
Sweet Nostalgia (Score:2)
Just seeing "strncpy" makes me feel young again. I thought compilers flagged that as insecure more than 16 yrs ago, but am not a real coder so don't know. Laser C forever!