Credential disclosure
Password Disclosure
SNMP
Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords) was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs which are released by most printer manufacturers.
How to test this attack?
To test this attack, the snmpset tool can be used as shown below:
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
Vulnerable devices will return the password in hex-decimal (here: AAA), while newer devices do only respond with zerobytes.
Who can perform this attack?
Anyone who can send network packets to port 161/udp of the printer device.
Pass-Back
One remarkable class of attacks to be mentioned is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ [1]. This works in setups where an MFP verifies users by requesting and external LDAP server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests.
How to test this attack?
Check if you can change printer settings like the LDAP hostname without setting a new password.
Who can perform this attack?
Usually anyone who can access the printer's embedded web server. This may include CRSF attacker, if the web application running on the printer has no CSRF protection.
Brute-Force Attacks
Besides credentials leaked from sources like SNMP, the printer's embedded web server, file system or memory access, printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary.
PJL
PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space [2]. Brute-force attacks as proposed by [3] thus seem feasible.
An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords.
In addition to web server passwords which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by \cite{phenoelit2002embedded} who were able to unlock the disk protection within six hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has efficiently decreased. The devices in our test printer pool, could verify between 50 and 1,000 passwords per second leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}.
\begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}]
@PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON
\end{lstlisting}
How to test this attack?
The lock and unlock commands of PRET can be used to test brute-force attacks against PJL passwords:
./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF
Who can perform this attack?
Any anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.
PostScript
PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type string which means up to 65,535 characters [4]. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking.
PostScript has similar protection mechanisms: The SystemParamsPassword is used to change print job settings like paper size while the StartJobPassword is required to exit the server loop and therefore permanently alter the PostScript environment. The checkpassword operator which takes either an integer or a string as input checks for both passwords at once [5]. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 [6] which theoretically allows 524,280 bit passwords. On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:
/min 0 def /max 1000000 def
statusdict begin {
min 1 max
{dup checkpassword {== flush stop} {pop} ifelse} for
} stopped pop
\end{lstlisting}
Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are exceptions as BR-Script only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's KPDL does not support permanent PostScript passwords at all.
How to test this attack?
In case of numeric (integer) passwords, the lock and unlock commands of PRET can be used to test brute-force attacks against PostScript passwords:
./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Found password: 999
Who can perform this attack?
Any anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job.
- ↑ Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers, D. Heiland and M. Belton, 2011
- ↑ Printer Job Language Technical Reference Manual, HP Inc., 1997, ch. 6-21
- ↑ Attacking Networked Embedded Devices, Black Hat USA, FX and FtR of Phenoelit, 2002
- ↑ PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 739
- ↑ PostScript Language Reference Manual Supplement for Version 2016, Adobe Systems Inc., 1995, p. 194
- ↑ PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 739
