The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.