Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Shmoocon 2011: Printers gone wild!

Printers Gone Wild!

Ben Smith

Printers are everywhere… they are ubiquitous!

Everybody seems to ignore them. They get plugged in, and just work!

HP Basics

Listens on tcp/9100

Admin page on 80/443

Many have hard disks!

HP printers have 3 passwords

  • Web admin
  • Telnet (same as the web admin)
  • PJLPassword

PJLPassword can be used to lock out the console, make disks read-only etc…

PJLPassword is weak… no brute-force protections

PJL is unauthenticated and widely supported. It is going away, but will be here for a while.

SNMP can be disabled through the Web Admin; however, if the requests are specially encoded, printers will still answer SNMP requests over port 9100

Google search “PJL DMINFO ASCIIHEX” for more info

Overview

PJL (Printer Job Language)

Sets up printer for jobs

Created by HP, used in many other devices

Really old!

Fun PJL commands

  • FSUPLOAD (not an upload)
  • FSDOWNLOAD (not a download)
  • FSDIRLIST
  • FSDELETE
  • RDYMESSAGE
  • DMINFO ASCIIHEX

There’s been lots of research before (Hijetter etc…)

Bringing that into the modern environment with printFS

printFS

Python tool for covert file systems using HP printers

Distributes files over multiple printers

Uses the printer RAM disks or physical disks

Works on any supported printer via network or the internet!

All stored files are compressed/encrypted and saved using random filenames

All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)

Supports panic mode (panic), which remotely reboots every device in the file table to destroy the data

pfsScanner

multithreaded scanner

Scans printers to see if necessary commands are supported to use printFS

Scans are randomized in the order that functions are run and the timing between them

Test upload files are random data and given random names

Entire scan peppered with random sleeps

pyPJL

Main support lib

Used by all tools

Implements most of the documented PJL commands

printJack

A support tool for doing nasty funny things

User interface to the PJL password cracker

Mass control panel lock/unlock

Mass RamDisk/Disk Lock/Unlock

Mass printing (toner is cheap!)

pyPJLpass

Support class for printJack

Brute-forces all possible password combinations in about 2 hours (single thread)

So now it’s threaded to check multiple printers… all communicate together until one valid password is found (password reuse)
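For defenders, the file-system commands listed under "Fun PJL commands" and the password guessing described here are both visible in traffic to tcp/9100. The following is an added example, not code from the talk or from printFS: a small detector run over constructed payloads. The `@PJL JOB PASSWORD=` form, the sample addresses and file names, and the threshold of 5 are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# PJL commands from the notes that touch the printer file system, plus DMINFO,
# which the notes associate with SNMP requests answered over port 9100.
WATCHED = ("FSUPLOAD", "FSDOWNLOAD", "FSDIRLIST", "FSDELETE", "DMINFO")
PJL_LINE = re.compile(rb"@PJL[ \t]+([A-Z]+)\b([^\r\n]*)", re.IGNORECASE)
JOB_PASSWORD = re.compile(rb"PASSWORD\s*=\s*(\d+)", re.IGNORECASE)

def scan_payload(payload: bytes):
    """Return (watched commands seen, distinct password values) for one payload."""
    commands, passwords = [], set()
    for m in PJL_LINE.finditer(payload):
        verb, rest = m.group(1).upper().decode(), m.group(2)
        if verb in WATCHED:
            commands.append(verb)
        elif verb == "JOB":  # assumed syntax: @PJL JOB PASSWORD=<number>
            passwords.update(int(p) for p in JOB_PASSWORD.findall(rest))
    return commands, passwords

def analyse(sessions, guess_threshold=5):
    """sessions: iterable of (src_ip, payload). Returns {src_ip: [findings]}."""
    cmd_counts, guesses = defaultdict(Counter), defaultdict(set)
    for src, payload in sessions:
        commands, passwords = scan_payload(payload)
        cmd_counts[src].update(commands)
        guesses[src] |= passwords
    findings = defaultdict(list)
    for src, counts in cmd_counts.items():
        for verb, n in sorted(counts.items()):
            findings[src].append(f"{verb} x{n}")
    for src, tried in guesses.items():
        # Many different passwords from one source is guessing, not printing.
        if len(tried) >= guess_threshold:
            findings[src].append(f"password guessing: {len(tried)} distinct values")
    return dict(findings)

# Constructed sample payloads (not captured traffic); hosts and names are made up.
UEL = b"\x1b%-12345X"
SAMPLE = [
    ("10.0.0.5", UEL + b"@PJL JOB NAME=\"report.doc\"\r\n@PJL ENTER LANGUAGE=PCL\r\n"),
    ("10.0.0.9", UEL + b"@PJL FSDIRLIST NAME=\"0:\\\" ENTRY=1 COUNT=99\r\n"),
    ("10.0.0.9", UEL + b"@PJL FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME=\"0:\\a91c\"\r\nABCD"),
] + [("10.0.0.7", UEL + b"@PJL JOB PASSWORD=%d\r\n" % n) for n in range(1, 8)]

if __name__ == "__main__":
    for src, items in analyse(SAMPLE).items():
        print(src, items)
```

Ordinary print jobs rarely need file-system PJL, so any hit from a host that is not a print server or management station is worth a look.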

Other fun stuff to do to PJL

  • Mass reboot loop
  • Mass connect to port 9100 and remain connected (blocking)
  • Animated LCD messages
  • SE LCD messages (please call xxxxx)
  • Mass disk lock
  • Mass printing
  • Mass control panel locking

Limitations

Can only upload files from the directory you are running printFS from

Known issue where some printers won’t respond to pfsScanner if they’re offline

To ensure that printers can still print when being scanned, dynamic class is used (generating huge traffic)

Code Release

Remote-exploit.org will receive it within the next week

Links:

  • Shmoocon Schedule –> HERE
  • Talk synopsis –> HERE
  • HP PML faq –> HERE