# HP SmartInstall updates non-secure-verified and non-origin-verified are enabled by default for non-privileged users
# Discovery date: 10 Jan 2011
# Report date: 21 Jan 2012
# Author: Andrei Costin (andrei@andreicostin.com)
# CVE: Not available yet
# Other SecAdv number: ACSA-2012-11

##### Affected module #####
HP SmartInstall

##### Affected devices #####
HP LaserJet P1100 Printer Series (tested on HP LJ P1102w)
HP LaserJet P1560 Printer Series
HP LaserJet P1600 Printer Series
HP LaserJet M1130 Printer Series
HP LaserJet M1210 Printer Series (e.g. HP LaserJet Pro M1217nfw MFP)

##### Affected software #####
HP LaserJet P1100/P1560/P1600 Printer Series Smart Install Update Utility
HP LaserJet M1130/M1210 Printer Series Smart Install Update Utility

##### Related URLs #####
"SmartInstall introduction"
http://h30429.www3.hp.com/?fr_story=f8850019bdd767e22d303c02f2f1df06d6e45b48&rf=sitemap
http://www.hp.com/sbso/productivity/printing/smart-install.html
http://www.hp.com/hpinfo/newsroom/press_kits/2010/plugandprint/pdf/Smart_Install_FAQ.pdf
"HP LaserJet P1100/P1560/P1600 Printer Series Smart Install Update Utility"
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=18972&prodSeriesId=4110408&prodNameId=4110409&swEnvOID=1005&swLang=8&mode=2&taskId=135&swItem=bi-80482-6
"HP LaserJet M1130/M1210 Printer Series Smart Install Update Utility"
http://bizsupport1.austin.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=18972&prodSeriesId=4292047&swItem=Im-80804-2&prodNameId=4075466&swEnvOID=4022&swLang=8&mode=4&idx=2

##### Reprod. #####
100%

##### Introduction #####
HP LaserJets feature Smart Install, which eliminates the need for a software installation CD! Plus, they come network-ready and with no limit on the number of devices you can connect. No need to install or keep track of a software CD.
Because the printer's driver is stored in the printer's flash memory, there's no need for a software installation CD. Simply connect the printer to your computer with a USB cable, install, and print! Additional users will use its IP address to connect.

##### Details #####
The default configuration of the [Affected devices] enables the SmartInstall Update functionality, which allows both local and remote attackers to write to a specific area of the printer's flash memory, over a USB connection or a session on TCP port 9100, and thereby upload a crafted rogue and possibly malicious CD image.
As a result, the [Affected devices] can become USB-based or network-based infection sources (targeting other Windows-based devices) within the targeted environment, whether it is networked or air-gapped.

The following separate flaws were identified:
- enabled by default (both TCP/9100 and USB)
- no privilege separation on who can perform SmartInstall updates
- does not implement, or at least does not verify, secure hashing, i.e. authenticated and authorized origins of the updates

Usually, the updates for the SmartInstall module of the affected devices come from the vendor site in the following forms:
- LJM1130_M1210_SI_Update.exe
- LJP1100_P1560_P1600_SI_Update.exe

However, since each is just an installer wrapper, only the following files are relevant:
- FWUpdate.exe
- Properties.ini
- SmartInstall.pkg

The overview of the "SmartInstall update process" is as follows:
a. FWUpdate.exe checks Properties.ini and the printers installed on the machine running FWUpdate.exe
b. If a supported printer is found, FWUpdate.exe connects to the corresponding printers via the corresponding configured connections (USB or TCP/9100)
c. FWUpdate.exe checks the DATECODE of the SmartInstall returned by the printer and, if that DATECODE is strictly older than the DATECODE in SmartInstall.pkg (i.e. string_DATECODE_printer < string_DATECODE_pkg), it proceeds with the update

The attacker only has to modify SmartInstall.pkg to contain a specific ISO-format image. The image can be created with mkisofs. The SmartInstall.pkg files delivered by HP even expose the exact command line used:
- mkisofs 2.01-bootcd.ru -o ..\P1100siImage\siImage\@SI_image.iso -udf -J -R ..\P1100siImage\SIFiles

As a demonstration, I have modified the following 2 files:
- SmartInstall.pkg - didn't modify the DATECODE, but just modified several harmless things to prove the vulnerability
- FWUpdate.exe - patched so that it skips step (c.) of the above "SmartInstall update process", so that SmartInstall.pkg can be installed regardless of its DATECODE, i.e. it allows version rollback as well

##### Attack scenarios #####
1. An attacker connects to the printer (USB or, more likely, network), connects to its spool port (more likely 9100) and dumps the malicious SmartInstall.pkg
2. An attacker lures the victim into running a seemingly non-malicious program (e.g. game executable, slide presentation executable, etc.) which silently connects from the local machine to the USB- or network-connected [Affected device] and dumps the malicious SmartInstall.pkg
3. An attacker lures the victim into "printing" a specially crafted document that is actually the spool job containing the malicious SmartInstall.pkg

##### Flaw type(s) #####
1. High-privilege operations enabled by default
2. High-privilege operations allowed to non-privileged users
3. Rogue update packages can be installed on affected devices

##### Flaw category(s) #####
1. Security misconfiguration
2. Non-separation of privilege levels
3. Missing or non-secure verification of origin and integrity of the updates

##### Mitigation #####
N/A at the moment

##### Disclosure timelines #####
2011-01-10 - Discovered
2012-01-24 - Reported
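Step (c) of the update process and the third identified flaw (no verification of origin or integrity), illustrated as an added example that is neither HP's nor the advisory's code: the host-side DATECODE gate as the advisory describes it, beside a device-side gate that authenticates the package before applying the same strictly-older rule. Assumed: an 8-digit DATECODE compared as a string (the advisory states only the string comparison), and an HMAC-SHA256 tag standing in for a vendor signature.

```python
import hashlib
import hmac

# Constructed values for this example only; the real key and DATECODE format are
# not known from the advisory, which only states DATECODEs are compared as strings.
VENDOR_KEY = b"constructed-vendor-signing-key"


def host_check_as_described(printer_datecode: str, pkg_datecode: str) -> bool:
    """Step (c) as the advisory describes it: FWUpdate.exe, running on the host,
    proceeds whenever the printer's DATECODE string is strictly older. Nothing
    ties the package to the vendor, and because the gate lives in the host tool
    rather than on the device, patching the tool removes the gate entirely."""
    return printer_datecode < pkg_datecode


def sign_package(datecode: str, image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Stand-in for the vendor's release step: an HMAC-SHA256 tag over the
    DATECODE and the ISO image. A real design would use an asymmetric signature
    so the verifying key on the device cannot be used to forge packages."""
    return hmac.new(key, datecode.encode() + b"\x00" + image, hashlib.sha256).digest()


def device_accepts(printer_datecode: str, pkg_datecode: str, image: bytes,
                   tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Hardened acceptance logic that the device itself would run.
    Origin and integrity are checked first; the anti-rollback comparison is
    applied only to a DATECODE that has already been authenticated."""
    expected = sign_package(pkg_datecode, image, key)
    if not hmac.compare_digest(expected, tag):
        return False                          # unsigned, forged or tampered package
    return printer_datecode < pkg_datecode    # same strictly-older rule as step (c)


def demo() -> dict:
    """Compare both gates on a constructed vendor package and a rogue one."""
    installed = "20100901"                    # constructed DATECODE on the printer
    vendor_tag = sign_package("20110301", b"vendor-iso")
    rogue_tag = b"\x00" * 32                  # attacker cannot produce a valid tag
    return {
        "host_passes_rogue": host_check_as_described(installed, "20110301"),
        "device_rejects_rogue": not device_accepts(installed, "20110301", b"rogue-iso", rogue_tag),
        "device_accepts_vendor": device_accepts(installed, "20110301", b"vendor-iso", vendor_tag),
        "device_rejects_tampered": not device_accepts(installed, "20110301", b"vendor-iso!", vendor_tag),
        "device_rejects_rollback": not device_accepts("20110301", "20100901", b"vendor-iso",
                                                      sign_package("20100901", b"vendor-iso")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry in the dictionary returned by demo() is True: the host-side check accepts the rogue package on DATECODE alone, while the device-side check rejects it, rejects tampering, rejects rollback and accepts only the vendor-signed package.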