Multiple vulnerabilities discovered in popular printer models

Published: 2017-02-02
Last Updated: 2017-02-02 02:11:50 UTC
by Rick Wanner (Version: 1)
2 comment(s)

Researchers from University Alliance Ruhr have announced that they have discovered vulnerabilities in popular laser printers including models from HP, Lexmark, Dell, Brother, Konica and Samsung. The announced vulnerabilities have a range of effects, but could permit the contents of print jobs to be captured, permit delivery of buffer overflow exploits, password disclosure or even damage to the printer.

The vulnerabilities are in PostScript and Printer Job Language (PJL) and have been around for decades, exploiting limitations of the languages used by most printers. The vulnerabilities can definitely be exploited from the local network, but it is possible that a malicious website could also use cross-site scripting to exploit the vulnerabilities.

It is estimated that up to 60,000 currently deployed printers may be vulnerable.

More information on the research can be found at hacking-printers.net

The researchers have also developed and set of tools called the Printer Exploitation Toolkit (PRET) which can be used to launch the attacks against these vulnerabilities.

The vulnerability disclosures are:

PostScript printers vulnerable to print job capture

Various HP/OKI/Konica printers file/password disclosure via PostScript/PJL

HP printers restoring factory defaults through PML commands

Multiple vendors buffer overflow in LPD daemon and PJL interpreter

Brother printers vulnerable to memory access via PJL commands

Multiple vendors physical NVRAM damage via PJL commands

I am still digging, but so far I have not been able to find any vendor responses to these vulnerability advisories. If you see any please comment on this diary or through our contact page.

 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

2 comment(s)

Comments

https://kur0sec.org/print - A few more details
http://neseso.com/advisories/NESESO-2017-0111.pdf

another

Diary Archives