CVE-2023-50737 - Exploiting Lexmark Printer’s SE Menu to Run Arbitrary Code

Most home and office printers seem harmless, but what if your printer could be hacked and made to run unauthorized code? That’s the risk posed by CVE-2023-50737 — a vulnerability in some Lexmark devices’ SE (Service Engineer) menu. Let's dive deep into how this works, how it can be exploited, and ways you can defend your office networks.

What is CVE-2023-50737?

The Lexmark SE menu is a special hidden menu that technicians use to diagnose and fix device errors. It holds sensitive routines that interact directly with the printer’s operating system and hardware. Normally, this is locked down. But security researchers recently found a bug: with carefully crafted input, attackers can break out of this restricted menu and run code of their choosing.

In other words: If a bad actor has access to your printer (physically or over the network), they can potentially use this menu to *fully take over* the device.

*Vulnerability summary (from NVD):*
> The SE menu contains information used by Lexmark to diagnose device errors. A vulnerability in one of the SE menu routines can be leveraged by an attacker to execute arbitrary code.

How Does the Exploit Work?

The core issue is a lack of input validation in a specific SE menu routine. This menu, if accessed, accepts certain data and runs commands or diagnostics. However, Lexmark’s code forgot to check and sanitize user input, allowing attackers to smuggle in payloads.

Here’s a basic scenario

1. Attacker accesses the SE menu. (This may require a PIN or special sequence, sometimes available online.)

They provide specially crafted input — for example, a buffer that includes malicious code.

3. The vulnerable routine processes this input, unwittingly executing part of it as machine code instead of data.
4. Malicious code runs on the printer, which can do nearly anything: exfiltrate data (scanned documents, passwords), pivot attacks to internal network, or disrupt operations.

Sample Exploit Code

Executing code on a printer requires knowledge of the printer’s OS and architecture (often Linux-based for Lexmark). Here's a sample pseudocode for illustration purposes— not a real attack, but it shows the basic logic:

# Pseudocode: Triggering the SE menu vulnerability

from pwn import *

# Connect to the printer's diagnostic port
printer = remote('192.168.1.15', 910) # Example IP and port

# Craft a payload: Overlong input overflowing the buffer
payload = b"A" * 1024  # Overflows the buffer

# Append shellcode or malicious instructions after the overflow
shellcode = b"\x90" * 16  # NOP sled (placeholder)
shellcode += b"\xcc\xcc\xcc\xcc"  # breakpoint instruction (for testing)

exploit_input = payload + shellcode

# Send command to access SE menu (depends on device)
printer.send(b"SE_MENU_ACCESS_COMMAND\n")
printer.send(exploit_input)

Note: Real shellcode and SE menu commands require device-specific details, which are not shared here for ethical reasons.

Update your printer’s firmware

Lexmark has released firmware updates for affected devices. See their official advisory for models and fixes.

Restrict printer access to trusted users and IPs only. Don't expose printers to the wider internet.

3. Change/lock SE menu access
Set strong admin pins/passwords and avoid sharing service manuals publicly.

Technical References

- National Vulnerability Database: CVE-2023-50737
- Lexmark Security Advisory
- Sample CVSS Analysis by Synacktiv

Conclusion

CVE-2023-50737 is a sharp reminder: office printers are mini-computers, not just “dumb boxes.” Secure yours — update firmware, restrict access, and don’t leave diagnostics open to anyone. Otherwise, your trusted document printer might turn into the weakest link in your security chain.

Timeline

Published on: 02/28/2024 03:15:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC