Message-Id: <20130208173453.24C88E6726@smtp.hushmail.com>
Date: Fri, 08 Feb 2013 12:34:52 -0500
From: auto61149890@...hmail.me
To: full-disclosure@...ts.grok.org.uk
Subject: Arbitrary command execution and trivial password guessing on Brother printers

Tested on Brother HL5370 latest firmware so far, confirmed working against many others by Brother documentation

From Brother .de website -

http://qr.cx/zCt9

Syntax for PJL JOB command includes -

"PASSWORD = password ( HL-1660e/2060/2400C/2400Ce/3400CN/1650/1670N/3260N/2460/7050/1850/1870N/5040/5050/5070N/5140/5150D/5170DN/2600CN/2700CN/3450CN/6050/6050D/6050DN/8050N only )
When the password is set by the DEFAULT command, modifying the NVRAM by using the DEFAULT or INITIALIZE commands is locked with the password. Sending the correct password with this command can unlock this until the EOJ command is executed.
password = 0 to 65,535 Default value = 0
When the printer receives the JOB command, the UEL command is not recognized as a job boundary until an EOJ command is received."

Guessing a 16-bit password is very fast, and the printer does not (or cannot?) slow down password guessing. Worse, the password is easily found or not necessary. From the printer ROM "image" header -

12345X@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
@PJL DEFAULT LANGSELECT=1
@PJL SUPERUSEROFF
@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
@PJL WNVRAMBIT ADDRESS=288161793 DATA=1
@PJL SUPERUSEROFF
@PJL SET PAGEPROTECT=OFF
@PJL ENTER LANGUAGE=PCL
--> binary begins here

Have not tested past uploading arbitrary firmware. This should be enough to worry. Probably no point to Brother network controller supporting https and snmp 3 now...

Brother snmp 3 supports only short keys anyway.
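
Added example, not part of the original post and not Brother code: a defender-side check that scans a captured print job (for example raw data logged by a print server or spooler) for the NVRAM-touching PJL commands named above, and counts distinct PASSWORD values across jobs from one sender as a sign of guessing. The function names and both sample captures are constructed for illustration.

```python
import re

# PJL commands the post shows unlocking or modifying printer NVRAM.
SENSITIVE = {
    "SUPERUSER": "superuser unlock",
    "WNVRAMBIT": "direct NVRAM bit write",
    "DEFAULT": "NVRAM default change",
    "INITIALIZE": "NVRAM reset",
}
PJL_CMD = re.compile(rb"@PJL[ \t]+([A-Z]+)([^\r\n]*)", re.I)
ENTER = re.compile(rb"@PJL[ \t]+ENTER\b", re.I)
PASSWORD = re.compile(r"\bPASSWORD\s*=\s*(\d+)", re.I)

def pjl_header(job: bytes) -> bytes:
    """Cut the job at ENTER LANGUAGE so page data is never parsed as PJL."""
    m = ENTER.search(job)
    return job[:m.start()] if m else job

def audit_pjl(job: bytes):
    """Return (position, command, reason) for each sensitive header command."""
    findings = []
    for pos, m in enumerate(PJL_CMD.finditer(pjl_header(job)), 1):
        cmd = m.group(1).decode("ascii").upper()
        args = m.group(2).decode("latin-1")
        if cmd in SENSITIVE:
            findings.append((pos, cmd, SENSITIVE[cmd]))
        elif cmd == "JOB" and PASSWORD.search(args):
            findings.append((pos, cmd, "JOB carries NVRAM unlock password"))
    return findings

def distinct_passwords(jobs) -> int:
    """Count different PASSWORD values across one sender's jobs; many suggest guessing."""
    seen = set()
    for job in jobs:
        for m in PJL_CMD.finditer(pjl_header(job)):
            seen.update(int(v) for v in PASSWORD.findall(m.group(2).decode("latin-1")))
    return len(seen)

# Constructed sample captures (not taken from a real printer or from the post).
ROUTINE = (b'\x1b%-12345X@PJL JOB NAME="report"\r\n@PJL SET PAGEPROTECT=OFF\r\n'
           b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE@PJL DEFAULT X=1")
SUSPICIOUS = (b"\x1b%-12345X@PJL SUPERUSER PASSWORD=0\r\n@PJL WNVRAMBIT ADDRESS=0 DATA=0\r\n"
              b"@PJL SUPERUSEROFF\r\n@PJL ENTER LANGUAGE=PCL\r\n")

if __name__ == "__main__":
    for name, job in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(name, audit_pjl(job))
```

Ordinary print jobs have little reason to carry SUPERUSER, WNVRAMBIT, DEFAULT or INITIALIZE, so any hit is worth reviewing alongside restricting which hosts can reach the printer's raw print port.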
