Researchers have identified several remote code execution vulnerabilities in PrinterLogic, the widely deployed enterprise print management tool, that, when combined and used in conjunction with existing techniques, could allow an attacker to gain control of any of the endpoints on the network.
The vulnerabilities, which were identified by researchers on the Yahoo Paranoids Vulnerability Research Team, have been patched by the vendor, and a large chunk of vulnerable systems probably aren’t exposed to the Internet. But the ubiquity of the PrinterLogic package and the existence of adjacent vulnerabilities that can help an attacker reach an internal system mean the vulnerabilities present a serious risk for enterprises running vulnerable versions, which include PrinterLogic Web Stack versions 220.127.116.11 SP9 and lower.
PrinterLogic is designed to allow enterprises to manage and deploy printers across the organization. The system includes a Web Stack and an agent that is installed on endpoints in the organization. Researchers at Yahoo began looking at the PrinterLogic Web Stack in April and soon discovered a pre-authentication object injection vulnerability. They used a virtual machine running macOS as the client.
“This is a pretty classic example of PHP Object Injection. Attacker controlled input is taken from a GET parameter (param) and base64 decoded, then that input is used as the input to unserialize. The particular endpoint this code is based on is accessible without requiring authentication,” Blaine Herro of Yahoo Paranoids said in a post on the flaws.
“By supplying the payload as input to the API endpoint which exposes the vulnerable unserialize call, we achieve code execution as the IIS APPPOOL\DefaultAppPool user.”
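For defenders reviewing web server logs, the pattern described above (a base64-encoded GET parameter that decodes to a PHP serialized object) can be searched for directly. The following is an added example, not code from the Yahoo post or from PrinterLogic; it assumes Combined Log Format request lines, and the endpoint path, client address and class names in the sample lines are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# PHP serialize() object markers: O:<len>:"Class":<count>:{ (C: for Serializable classes)
PHP_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)":\d+:\{')
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_b64(value):
    """Decode standard or URL-safe base64; return None if value is not base64."""
    # parse_qsl turns an unescaped '+' into a space, so map it back.
    value = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    value = value.rstrip("=")
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", value):
        return None
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def find_serialized_objects(log_line):
    """Return (parameter, class name) pairs for PHP objects in query parameters."""
    request = REQUEST.search(log_line)
    if not request:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(request.group(1)).query):
        raw = decode_b64(value)
        if raw is not None:
            hits += [(name, m.group(1).decode("ascii", "replace"))
                     for m in PHP_OBJECT.finditer(raw)]
    return hits

def make_line(query_value):
    """Build a constructed access-log line; host and path are placeholders."""
    return ('192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] '
            f'"GET /placeholder/endpoint.php?param={quote(query_value)} HTTP/1.1" 200 512')

# Constructed sample input: a harmless object, a nested one, and two benign values.
SAMPLE_LOG = [
    make_line(base64.b64encode(b'O:8:"stdClass":0:{}').decode()),
    make_line(base64.b64encode(b'a:1:{i:0;O:7:"Example":0:{}}').decode()),
    make_line(base64.b64encode(b'a:1:{s:2:"id";i:7;}').decode()),
    make_line("overview"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_serialized_objects(line), line[:60])
```

A hit is a lead for review rather than proof of exploitation, since the check only shows that a serialized object reached the server in a query string.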
After exploiting that vulnerability, an attacker could install a webshell or other persistence mechanism on a machine that has access to the Web Stack server. PrinterLogic uses a self-service portal to allow users to download the packages for each printer on the network. Those packages are stored in a database that’s attached to the Web Stack server, and an attacker who has exploited the initial vulnerability to get persistent access could change the contents of the database to include malicious code.
“If we can control the contents of a driver package that is delivered to an endpoint by manipulating the database, we effectively have an arbitrary filesystem write on connected endpoints. The added bonus is that PrinterInstallerClient runs as root,” Herro said.
“As part of our exploit we’ll craft a driver package that, when installed, writes a shell script or other implant to the periodic service’s daily directory. When the service fires, we’ll achieve code execution on the endpoint.”
This method would enable the attacker to deliver a malicious printer package to any user who requests it, but Herro discovered that by using the PrinterInstallerClient feature an attacker could push the malicious package to any connected endpoint on the network.
“With all pieces in place, we now understand that an attacker who compromises the Web Stack server itself can get remote code execution on all connected endpoints that are clients of the Web Stack server, or compromise select endpoints as they see fit, without requiring further user interaction,” Herro said.
In all, Herro discovered nine separate vulnerabilities in PrinterLogic Web Stack, which the vendor, Vasion, patched on Jan. 21 in version 18.104.22.168 SP10.