Fuzzing a Printer: Pre-auth RCE in a Network IoT Device

Enterprise network printers are the unloved sibling of IoT security. Here's a walkthrough of the harness we built and the pre-auth RCE it found on its second night of runtime.

Printers have three things going for them from an attacker’s perspective: they live on the corporate network, they trust far too much from far too many protocols, and nobody patches them. Over the last quarter we’ve been building out a fuzzing harness for enterprise MFPs.

The harness

We emulate the device’s firmware in a QEMU-based sandbox with a hooked network stack, then let AFL++ drive crafted PJL, SNMP, and IPP messages into the exposed listeners. The hard part isn’t the fuzzer. It’s making the harness realistic enough that findings translate to the physical device.

The bug

A length-prefixed field in one of the less-loved management protocols isn’t bounded before being copied into a static buffer. Classic stack smash, no cookie. The crash reproduces on hardware on the first attempt.
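To make the bug class and the harness shape concrete, here is an added example in C. It is not the vendor's code, not our harness, and not the protocol in question: a minimal length-prefixed field parser (one length byte, then that many payload bytes, copied into a fixed buffer) in the unsafe form the post describes and in a bounded form, plus a stdin-driven entry point of the plain shape AFL++ runs. FIELD_MAX, the wire layout, and the function names are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not the vendor's code or this post's harness.
 * Wire layout (assumed): one length byte followed by `len` payload bytes. */
#define FIELD_MAX 64

struct field {
    uint8_t len;
    uint8_t data[FIELD_MAX];
};

enum parse_result { PARSE_OK = 0, PARSE_TOO_SHORT = 1, PARSE_TOO_LONG = 2 };

/* Unsafe form: the attacker-supplied length byte alone decides how much is
 * copied into a fixed-size buffer. A length above FIELD_MAX overwrites past
 * `out->data`; a length above the bytes actually received reads past `msg`.
 * Shown only for contrast with the bounded form below. */
void parse_field_unsafe(const uint8_t *msg, struct field *out)
{
    out->len = msg[0];
    memcpy(out->data, msg + 1, out->len);
}

/* Bounded form: verify that the whole field is present in the received
 * bytes and fits the destination before any copy happens. */
enum parse_result parse_field(const uint8_t *msg, size_t msg_len, struct field *out)
{
    if (msg_len < 1)
        return PARSE_TOO_SHORT;            /* no length byte at all */
    uint8_t len = msg[0];
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;             /* would overflow out->data */
    if ((size_t)len + 1 > msg_len)
        return PARSE_TOO_SHORT;            /* would read past the message */
    out->len = len;
    memcpy(out->data, msg + 1, len);
    return PARSE_OK;
}

/* Constructed sample messages exercising the three outcomes of the
 * bounded parser; each returns 1 when the parser behaves as intended. */
int check_valid(void)
{
    const uint8_t m[] = { 3, 'a', 'b', 'c' };      /* well-formed */
    struct field f = { 0 };
    return parse_field(m, sizeof m, &f) == PARSE_OK
        && f.len == 3 && memcmp(f.data, "abc", 3) == 0;
}

int check_oversized(void)
{
    const uint8_t m[] = { 200, 0 };                /* claims 200 bytes */
    struct field f = { 0 };
    return parse_field(m, sizeof m, &f) == PARSE_TOO_LONG;
}

int check_truncated(void)
{
    const uint8_t m[] = { 10, 1, 2 };              /* claims 10, carries 2 */
    struct field f = { 0 };
    return parse_field(m, sizeof m, &f) == PARSE_TOO_SHORT
        && parse_field(m, 0, &f) == PARSE_TOO_SHORT;
}

/* Fuzz entry point in the plain stdin-driven shape AFL++ accepts: read one
 * test case, hand it to the parser under test. Build with -DFUZZ_UNSAFE
 * (and a sanitizer) to watch the fuzzer find the overflow in the unsafe
 * form; the default build fuzzes the bounded parser. */
int main(void)
{
    static uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    struct field f = { 0 };
#ifdef FUZZ_UNSAFE
    if (n > 0)
        parse_field_unsafe(buf, &f);
    printf("len=%u\n", (unsigned)f.len);
#else
    int r = parse_field(buf, n, &f);
    printf("result=%d len=%u\n", r, (unsigned)f.len);
#endif
    return 0;
}
```

The two checks that matter are the ones the unsafe form lacks: the declared length against the destination size, and the declared length against the bytes actually received. Seeding the fuzzer with a few captured, well-formed messages of the real protocol gives it the structure to mutate from; the entry point above is deliberately dumb so that all the protocol-specific work lives in the parser, not the harness.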

Exploitation

The usual stack-cookie / ASLR / NX triple was… not a triple. No stack cookies. ASLR was weak enough to brute from the network. NX was enforced, so we ROP’d to a useful gadget that set up a shell over an existing admin-plane socket.

Disclosure is in progress. Advisory and CVE to follow.
