A trio of vulnerabilities in enterprise print management software PrinterLogic offer attackers a route to remote code execution (RCE) on all connected endpoints, security researchers have revealed.
All assigned a CVSS rating of 8.1, the high-severity flaws include object injection (CVE-2021-42631), hardcoded APP_KEY (CVE-2021-42635), and command injection (CVE-2021-42638) issues.
Researchers from The Paranoids, Yahoo’s vulnerability research team, achieved RCE on the web stack server via abuse of PrinterLogic’s single-click printer installation feature.
The bugs, discovered during research conducted between April and June 2021, were addressed by PrinterLogic vendor Vasion in security update 19.1.1.13-SP10, issued on January 21. All prior versions are vulnerable.
The update also addresses a raft of medium- and low-severity bugs uncovered by Yahoo’s security research arm.
Return on investment
Blaine Herro, a security researcher at Yahoo, says PrinterLogic makes for an appealing attack target, in part because its agent can run on many or all endpoints, where it installs components and applies configuration with administrator-level permissions.
Moreover, “the vendor publishes a customer list, which shows exactly what the return on investment is for attackers,” continues Herro in a technical write-up. “If an attacker finds one vulnerability, [they can] extensively compromise over 140 high-profile organizations.”
However, the severity of the vulnerabilities is lessened by the fact that, except for internet-facing installations (which Herro says are few), attackers first need a privileged network position, obtained via a VPN or a suitable vulnerability in an edge appliance.
PHP object injection
Herro detailed an exploit that begins with “a pretty classic example” of unauthenticated PHP object injection – a “historically” problematic bug class in PHP applications including ConcreteCMS, Magento, and Moodle.
Once the server is compromised and persistent access secured, attackers could move laterally into arbitrary workstations when users perform single-click installation, which prompts the PrinterLogic workstation client (PrinterInstallerClient) to pull down and install the relevant driver package.
Herro sets out how to control the contents of a driver package sent to an endpoint on macOS and Linux or Windows by manipulating the database, thereby gaining an arbitrary filesystem write on connected endpoints.
“The added bonus is that PrinterInstallerClient runs as root,” he adds.
There are “a few options across each platform that aren’t particularly difficult” for executing code on endpoints that receive driver packages, says the researcher. He explains how to do so on macOS by injecting a script among scheduled maintenance scripts run by the periodic service.
Abusing scoping criteria
Unsatisfied with duping potential marks into downloading a specific backdoored printer driver, the researchers unearthed a feature that enabled them to push drivers to arbitrary endpoints.
Specifically, printers can be deployed to endpoints running PrinterInstallerClient according to scoping criteria. These criteria include hostnames, which can be specified as a wildcard, thereby scoping the printer to all endpoints that are clients of the web stack server.
This means attackers can achieve RCE “on all connected endpoints that are clients of the Web Stack server, or compromise select endpoints as they see fit, without requiring further user interaction,” says Herro.
He adds: “As your company grows in size, it’s only natural to reach for enterprise products that simplify management of key functionality that many of your employees use (in this case, printers). A byproduct of centralized management, however, is centralized risk.”
Source: https://portswigger.net/daily-swig/printerlogic-vendor-addresses-triple-rce-threat-against-all-connected-endpoints