These Popular Brother, Zink Label Printers Prove Extremely Hackable — Thanks to Ancient Software
Ancient embedded software once again proves a problem — and leads to a complete system exploit and, oddly, a JavaScript port.
Pseudonymous self-described "Bash witch" "Domi" stumbled upon a thermal label printer running a badly-outdated embedded Linux with an old-and-vulnerable copy of the CUPS printing subsystem — so set about reverse engineering the device.
"Our main character is a Brother-branded VC-500W," Domi explains. "When installing the printer, I learn that it's exposing a downright medieval version of CUPS. It's an experience similar to taking out an old Android phone out of a drawer and being astonished at how dated the UI looks. This has ticked off something in my brain that immediately made me want to dig deeper, because… a brand new device? Shipping with a 2012 build of CUPS? Something's fishy."
Digging deeper into the device, which is a rebadged version of the Zink Wedge, Domi found areas of considerable concern, not least a browser-based setup process that appeared at risk of command injection and a DHCP lease that delivered some worrying details about just how old the software running on the embedded system was.
"There's a CUPS version that's 10+ years old, Linux kernel almost old enough to drink, all of that crawling on an ARMv5," Domi writes. "On a device that's still in production, which you can buy right now."
The age of the CUPS version installed meant it was vulnerable to long-known exploits, including one that allows for read/write access to arbitrary files. Using this, Domi was able to gather more information — though that browser-based setup system proved the most easily exploited part of the system, allowing for command injection to run as the root user.
Sadly, experimentation delivered a broken installation, requiring an in-depth analysis of a downloadable firmware upgrade and the physical disassembly of the unit in order to access the UART bus. Once the printer had been unbricked, Domi was able to deliver a proof-of-concept exploit to enable SSH access and set a root password.
"Having root access, one can implement workarounds for those security issues to make the whole device a little bit less pwnable," Domi notes. "So I'd argue that if you have the device - hack it, disable remote CUPS config edit, and disable lighttpd entirely. This should make it secure-ish, at least against the vulns I outlined."
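The "disable remote CUPS config edit" step can be checked against a copy of the device's `cupsd.conf`. The auditor below is an added example, not code from Domi's write-up or repository; it assumes stock CUPS `cupsd.conf` syntax, and both sample configurations are constructed rather than taken from the printer.

```python
import re

# Constructed samples (not taken from the printer's firmware).
WEAK = """\
Port 631
<Location /admin/conf>
  Order allow,deny
  Allow all
</Location>
"""
HARDENED = """\
Listen localhost:631
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>
"""
LOOPBACK = ("localhost", "127.0.0.1", "[::1]", "/")  # "/" marks a Unix socket path
OPEN_ACL = {"all", "from all", "@local", "from @local"}

def audit_cupsd_conf(text):
    """Return findings about network exposure of the CUPS config-edit endpoint."""
    findings, location, blocks = [], None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<Location\s+([^>\s]+)>", line, re.I)
        if opened:
            location = opened.group(1)
            blocks[location] = {"auth": False, "open": False}
        elif line.lower().startswith("</location"):
            location = None
        else:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip().lower()
            if location is None:
                # Port binds every interface; Listen is fine only on loopback/socket.
                if key == "port" or (key == "listen" and not value.startswith(LOOPBACK)):
                    findings.append(f"network listener: {line}")
            elif key in ("authtype", "require") and value != "none":
                blocks[location]["auth"] = True
            elif key == "allow" and value in OPEN_ACL:
                blocks[location]["open"] = True
    if "/admin/conf" not in blocks:
        findings.append("/admin/conf: no explicit <Location> block")
    for path, state in blocks.items():
        if path.startswith("/admin") and state["open"] and not state["auth"]:
            findings.append(f"{path}: network clients allowed without authentication")
    return findings
```

An empty result only means these two checks passed; it says nothing about the lighttpd setup interface, which the quoted advice disables separately.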
The full project write-up is available on Domi's website, while the proof-of-concept exploit is in a Git repository under an unspecified license; developer Linus Groh has further expanded on Domi's efforts by porting Kiesel, a "toy JS [JavaScript] engine," to the printer.