exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hacking Printers Advisory 5

Hacking Printers Advisory 5
Posted Jan 31, 2017
Authored by Jens Mueller

This post is about resetting a printer to factory defaults through ordinary print jobs, therefore bypassing all protection mechanisms like user-set passwords.

tags | advisory
SHA-256 | c0d3ac08f94bc071adf9e63784f30829f42fad0694c4e352f9eb78b9c01cd3f8

Hacking Printers Advisory 5

Change Mirror Download
TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 5 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
resetting a printer to factory defaults through ordinary print jobs,
therefore bypassing all protection mechanisms like user-set passwords.
The attack can be performed by anyone who can print, for example through
USB or network. It can even be carried out by a malicious website, using
cross-site printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

========================[ Factory Defaults ]==========================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- HP LaserJet 4200N (Firmware version: 20050602) a PML based attacks
- HP LaserJet 4250N (Firmware version: 20150130) a PML based attacks
- HP LaserJet P2015dn (Firmware version: 20070221) a PML based attacks
- HP LaserJet M2727nfs (Firmware version: 20140702) a PML based attacks
- HP LaserJet 3392 AiO (Firmware version: 20120925) a PML based attacks
- HP LaserJet CP1515n (Firmware version: 20120110) a PML based attacks
- Lexmark X264dn (Firmware version: NR.APS.N645) a SNMP only
- Lexmark E360dn (Firmware version: NR.APS.N645) a SNMP only
- Lexmark C736dn (Firmware version: NR.APS.N644) a SNMP only
- Dell 1720n (Firmware version: NM.NA.N099) a SNMP only
- Kyocera FS-C5200DN (Firmware version: 2011.05.16) a SNMP only

Further HP printers are likely to be affected.
Vendor informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Printer-MIB' (RFC3805) defines the prtGeneralReset Object (OID
1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restore factory
defaults (resetToFactoryDefaults(6)) using SNMP (port 161/udp). This is
a legitimate feature, but can also be used by an attacker to
remove/bypass protection mechanisms like user-set passwords for the
embedded web server, PJL and PostScript if the default/public SNMP
community string has not been changed:

----------------------------------------------------------------------
snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
----------------------------------------------------------------------

In many scenarios an attacker does not have the capabilities to perform
SNMP requests because of firewalls or unknown SNMP community strings. On
HP devices however, she can transform SNMP into its PML representation
and embed the request within a legitimate print job:

----------------------------------------------------------------------
@PJL DMCMD ASCIIHEX="040006020501010301040106"
----------------------------------------------------------------------

This way, anyone who can print can reset the device to factory defaults
and hereby remove any protection mechanisms.

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset

Note that if your printer does not restart and restore factory defaults,
it may still be vulnerable to SNMP based attacks as mentioned above.

-----------------------[ Further Information ]------------------------

Information on this bug/feature of SNMP and PML can be found at:
http://hacking-printers.net/wiki/index.php/Factory_defaults
https://tools.ietf.org/html/rfc3805


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close