The unusual "Error: Check Tray 1 Front Door" printer terminology, OR how the "Front Door, Back Door" terminology _could be_ the perfect cover for a printer/MFP backdoor.

===== Intro =====

A few days ago, I saw these stories:

http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/
http://www.scmagazine.com/hp-to-remove-digital-signature-that-code-signed-malware/article/376737/

While I think my stories below are not related to the above stories, I thought it was a good time and opportunity to share.

At this moment, I am not claiming, nor do I have conclusive direct evidence, that HP delivered firmware/software with intended "backdoors", but the findings and coincidences below are strange, to say the least.

Let me know if you have or find more details on the below.

Andrei
12 Oct 2014

=============================
The "HP MIPIO Backdoor" Story
=============================

Story:

While working on the Firmware.RE project (see http://firmware.re/vulns and http://firmware.re/) and on our paper at USENIX Security 2014 (https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin), an interesting alert for "backdoor" modules popped up. It presented a list of HP firmware files for various printers/scanners/MFPs.

While I didn't (and sadly still don't) have enough time to go through a deep analysis of the particularities of each firmware below, I just wanted to share so that other researchers can pick up the thing and perhaps continue digging.

I notified HP back in November 2013 about the potential "backdoor" in their firmware. There were some back-and-forth emails, then a period of silence. HP also requested some more information, which required more setup and testing effort on my side than I could afford at the time. Given the USENIX (and other submission) deadlines, I didn't follow up on this issue with HP. I just didn't manage to reach a conclusive end on this issue with HP.
Apparently, HP did some internal investigation on the issue though (see below the "disappeared" firmware).

To help HP track down the issue, I suggested some sample firmware where the "MIPIO backdoor" functionality can be found:

ftp://ftp.hp.com/pub/networking/software/pfirmware/Garnet_20110630_2121197_170342.signed.bdl matches (sha256 c0fe60faab4de0ce3c990581d5ed8df3d382359b70b6bf7ab7f7b138968b9b43)

For unknown reasons, HP TOOK DOWN the above files (and those firmware files "disappeared" from their FTP). The "disappeared" include the one I mentioned to them as a sample, as well as all the other files. This means you cannot access anymore:

ftp://ftp.hp.com/pub/networking/software/pfirmware/Garnet_20110630_2121197_170342.signed.bdl

But you can still see that some FTP index engines have snapshotted the file's existence as well:

http://ftplike.com/browser/ftp-boi.external.hp.com/ftp1/pub/networking/software/pfirmware/
(on the index page, search for Garnet_20110630_2121197_170342.signed.bdl and the other firmware mentioned above)

HOWEVER, there are firmware files from the above "MIPIO backdoor" list which HP still didn't remove (again for unknown reasons) and which can be accessed on the FTP. These are the ONLY files from the "MIPIO Backdoor" list still online on HP's FTP (as of 28 Sep 2014):

ftp://ftp.hp.com/pub/networking/software/pfirmware/cljM551_2200643_228342.bdl
ftp://ftp.hp.com/pub/networking/software/pfirmware/ljM575_2200643_228345.bdl

If there are researchers looking for an interesting topic, I would suggest digging more into this one. I just don't have the time to do that right now :(.

PS: In case the software/firmware "disappears", there is a backup of it.

The interesting functionality that popped up:

SCNR: Error: Back-door proxy select failed!
MIPIO: Error. Backdoor select on unopened or non-bd channel
MIPIO: Error: backdoor write full net request failed!
MIPIO: Error: Back-door select failed!
MIPIO: Error: Back-door mipio net open failed!
Error. Backdoor select on unopened or non-bd channel
Error: backdoor write full net request failed!
Error: Back-door select failed!
Error: failed to open backdoor net channel!
Error: Back-door open failed
the Back-door open failed
init_mipio_handles(): Unable to get backdoor mipio handles

Notes:

- "bd channel" apparently means "backdoor channel"
- "non-bd channel" apparently means "non-backdoor channel"
- importantly enough, I have seen this "BD" abbreviation in some other cases of backdoors
- SCNR apparently means the scanner board
- different people/teams worked on this functionality, given that 'backdoor' is spelled in so many various ways
- MIPIO stands for "Memory & Internet Protocol Input/Output", as can be seen from the few LinkedIn profiles which advertise that, so MIPIO looks like an HP "feature"
- then why does MIPIO try to open a backdoor net, as in "MIPIO: Error: Back-door mipio net open failed!"?
- personally, I would not believe that the "MIPIO backdoor" was planted by malware which infiltrated HP developers' computers (as in the story at http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/)

Affected firmware:

Binary file cljCM4540_20111216_2131305_192065.signed.bdl matches
Binary file cljCM4540_2200643_228337.bdl matches
Binary file cljCM4540fw_20110604_2121197_170338.signed.bdl matches
Binary file cljCM4540MFP_20101217_113774_118961.signed.bdl matches
Binary file cljCM4540mfp_20110329_2110194_149409.signed.bdl matches
Binary file cljCP5525_20110329_2110194_149410.signed.bdl matches
Binary file cljCP5525_20111216_2131305_192066.signed.bdl matches
Binary file cljCP5525_2200643_228338.bdl matches
Binary file cljCP5525fw_20110630_2121197_170342.signed.bdl matches
Binary file cljM551_20110811_2131029_189663.signed.bdl matches
Binary file cljM551_2200643_228342.bdl matches
Binary file Coral_20110603_2121197_170338.signed.bdl matches
Binary file Garnet_20110630_2121197_170342.signed.bdl matches
Binary file ljM4555_20111216_2131305_192067.signed.bdl matches
Binary file ljM4555_2200643_228339.bdl matches
Binary file ljM4555fw_20110604_2121197_170340.signed.bdl matches
Binary file ljM4555mfp_20110329_2110194_149411.signed.bdl matches
Binary file ljM525_2200643_228344.bdl matches
Binary file ljM575_2200643_228345.bdl matches
Binary file ljM601_602_603_20110811_2131029_189665.signed.bdl matches
Binary file ljM601_602_603_2200643_228341.bdl matches
Binary file Mamba_20110604_2121197_170340.signed.bdl matches
Binary file sj7000n_20110323_2110194_149408.signed.bdl matches
Binary file SJ7000n_FW_62463_12379.bdl matches
Binary file sj8500_2200643_228340.bdl matches
Binary file sj8500_2200648_228389.bdl matches

===============================
The "HP public IP routes" Story
===============================

Story:

Back in December 2012, I notified HP that I had some non-public reports that HP devices were trying to access the following public IP addresses (which belong to HP):

156.152.79.229
156.152.79.230
156.152.79.233
156.152.79.234

HP stated they could not reproduce the issue and that the devices should not "leak" packets to those IP addresses that would reach public networks. The only reason HP used those addresses is that they are under HP control and in theory should not conflict with any private network setup, should any such "leak" of packets occur.

Back then I could not forward the "leak" packet reports to HP, and since HP could not reproduce the issue (or at least I was told so), the issue was closed without a conclusive end after a few back-and-forth emails.

I took a look at the firmware files of some suspected devices and found that each major component/board of the MFP is assigned a "hostname" and an IP address (which happens to be in the range of HP's public IP addresses). So, on one end a given board/cpb (like printer, scanner, etc.) is a "/dev/mipio" (see the MIPIO story above). On the other end a given board/cpb is a "hostname" with a public IP address. See below for details.
I am not sure how the public IP address, the "/dev/mipio" (from here) and the "MIPIO: Error: Back-door mipio net open failed!" play well together, but it raises more questions than answers.

PS: In case the software/firmware "disappears", there is a backup of it.

This is from an init /etc/rc script:

ifconfig /dev/mipio0 fwscanner netmask 255.255.255.252 mtu 16370 up
ifconfig /dev/mipio0 fwprinter netmask 255.255.255.252 mtu 16370 up
ifconfig /dev/mipio0 fwprinter2 netmask 255.255.255.252 mtu 16370 up
ifconfig /dev/mipiob0 ioasic netmask 255.255.255.252 mtu 16370 up

This is from the /etc/hosts:

127.0.0.1 localhost mailhost loghost
#10.20.30.40 fwprinter
#10.20.30.41 fwscanner
#10.20.30.42 fwdebug
156.152.79.229 fwprinter
156.152.79.230 fwscanner cpb
156.152.79.233 fwprinter2
156.152.79.234 fwengine fusion ioasic

All the above public IP addresses belong to "Hewlett-Packard Company":

http://www.ip-adress.com/ip_tracer/156.152.79.229
http://www.ip-adress.com/ip_tracer/156.152.79.230
http://www.ip-adress.com/ip_tracer/156.152.79.233
http://www.ip-adress.com/ip_tracer/156.152.79.234

Affected models:

HP CM8060 MFP
ScanJet SJ8500
HP Color LaserJet CP5520
cLaserJet LJ CP5525
LaserJet LJ M4555
LaserJet LJ M4555 MFP
cLaserJet LJ CM4540 MFP
cLaserJet LJ CM4540
LaserJet LJM9040 MFP
LaserJet LJM9050 MFP
HP Color LaserJet CM4540 MFP
LaserJet LJ CM6040 MFP
ScanJet SJ7000n
LaserJet LJ M525
LaserJet LJ M575
cLaserJet LJ 3500

Affected firmware files:

Binary file ./pub/networking/software/pfirmware/cm80x0mfpfw_80_004_0.rfu matches
Binary file ./pub/networking/software/pfirmware/sj8500_2200643_228340.bdl matches
Binary file ./pub/networking/software/pfirmware/Garnet_20110630_2121197_170342.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCP5525fw_20110630_2121197_170342.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM4555mfp_20110329_2110194_149411.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/Mamba_20110604_2121197_170340.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM4555_20111216_2131305_192067.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCM4540mfp_20110329_2110194_149409.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCM4540fw_20110604_2121197_170338.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM9040-50mfpfw_51_210_9.rfu matches
Binary file ./pub/networking/software/pfirmware/Coral_20110603_2121197_170338.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCP5525_20111216_2131305_192066.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM4555fw_20110604_2121197_170340.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCM4540MFP_20101217_113774_118961.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCM4540_20111216_2131305_192065.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljCM6040mfpfw_52_210_9.rfu matches
Binary file ./pub/networking/software/pfirmware/cm80x0mfpfw_78_004_0.rfu matches
Binary file ./pub/networking/software/pfirmware/cljCM4540_2200643_228337.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCP5525_2200643_228338.bdl matches
Binary file ./pub/networking/software/pfirmware/SJ7000n_FW_62463_12379.bdl matches
Binary file ./pub/networking/software/pfirmware/sj8500_2200648_228389.bdl matches
Binary file ./pub/networking/software/pfirmware/cm80x0mfpfw_75_020_0.rfu matches
Binary file ./pub/networking/software/pfirmware/cm80x0mfpfw_79_005_0.rfu matches
Binary file ./pub/networking/software/pfirmware/cm80x0mfpfw_77_018_0.rfu matches
Binary file ./pub/networking/software/pfirmware/ljM525_2200643_228344.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM575_2200643_228345.bdl matches
Binary file ./pub/networking/software/pfirmware/cljCP5525_20110329_2110194_149410.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/sj7000n_20110323_2110194_149408.signed.bdl matches
Binary file ./pub/networking/software/pfirmware/ljM4555_2200643_228339.bdl matches
Binary file ./pub/printers/software/clj3500fw_usb_r144_00.tar matches

=============================================================================
The "HP Backdoor JetDirect microcode via HP JetDirect Download Manager" Story
=============================================================================

Story:

Back in January 2012, I reported the following to Secunia:

ACSA-2012-04 - HP JetDirect Download Manager for Windows antivirus trigger suspicious file
http://andreicostin.com/secadv/ACSA-2012-04.txt

Jumping ahead, Secunia confirmed that from their point of view the "HP JetDirect Download Manager" is not backdoored/infected. Nevertheless, I'm posting the details for the interested ones.

My suspicions lay within the below functionality. It was very methodically developed and the naming was consistent and clean.

Code:

"Model found in backdoor file!"
"FirmwareFileManager::ReadFirmwareBackDoorFile"
"FirmwareFileManager::ReadBackDoorfile"

PS: In case the software/firmware "disappears", there is a backup of it.
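As an added example (not from the original post, and not HP's code), here are the two checks behind these stories as a defender would script them against an extracted firmware image: flagging /etc/hosts entries that bind internal board names to globally routable addresses (the "HP public IP routes" story), and grepping extracted strings for the many spellings of "backdoor" noted in the MIPIO and JetDirect stories. The sample inputs are constructed from the fragments quoted above.

```python
import ipaddress
import re
# Constructed sample modelled on the /etc/hosts fragment quoted in the post.
SAMPLE_HOSTS = """\
127.0.0.1   localhost mailhost loghost
#10.20.30.40 fwprinter
156.152.79.229 fwprinter
156.152.79.230 fwscanner cpb
156.152.79.233 fwprinter2
156.152.79.234 fwengine fusion ioasic
"""

# Constructed sample of `strings` output: messages quoted in the post plus a
# legitimate "Front Door" tray message that must not be flagged.
SAMPLE_STRINGS = """\
SCNR: Error: Back-door proxy select failed!
MIPIO: Error. Backdoor select on unopened or non-bd channel
Error: Check Tray 1 Front Door
init_mipio_handles(): Unable to get backdoor mipio handles
FirmwareFileManager::ReadFirmwareBackDoorFile
"""

# 'backdoor', 'back-door', 'back door', 'BackDoor', and the 'bd channel' shorthand.
BACKDOOR_RE = re.compile(r"back[\s-]?door|\b(non-)?bd channel\b", re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each active /etc/hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        yield ipaddress.ip_address(addr), names


def global_host_entries(text):
    """Map hostname -> address for entries bound to globally routable IPs
    (loopback and RFC 1918 entries are normal in a firmware image)."""
    return {name: str(ip)
            for ip, names in parse_hosts(text) if ip.is_global for name in names}


def backdoor_strings(text):
    """Return the lines that mention any spelling of 'backdoor'."""
    return [line for line in text.splitlines() if BACKDOOR_RE.search(line)]


if __name__ == "__main__":
    for name, ip in global_host_entries(SAMPLE_HOSTS).items():
        print(f"public address on internal board: {name} -> {ip}")
    for line in backdoor_strings(SAMPLE_STRINGS):
        print("suspicious string:", line)
```

Point both functions at files unpacked from a firmware image (for instance etc/hosts and the output of strings over the main binaries) to reproduce the checks on real input.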