
List:       full-disclosure
Subject:    [FD] Hacking Printers Advisory 6/6: Multiple vendors physical NVRAM damage via PJL commands
From:       Jens Müller <jens.a.mueller () rub ! de>
Date:       2017-01-30 12:44:07
Message-ID: 588F3517.2070604 () rub ! de

TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 6 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
putting printers out of their misery and destroying the NVRAM through
ordinary print jobs. The attack can be performed by anyone who can
print, for example through USB or network. Given enough time, it can
even be carried out by a malicious website, using cross-site printing
techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

=====================[ Physical NVRAM Damage ]========================

-------------------------[ Affected Devices ]-------------------------

Various printers are likely to be affected as the vulnerability is based
on PJL, a generic printing language supported by most laser printers.
The vulnerability has been verified for the devices listed below:

- Brother MFC-9120CN (Firmware version: K.1.06)
- Brother DCP-9045CDN (Firmware version: G.1.10)
- Konica Minolta bizhub 20p (Firmware version: 3.11)
- Lexmark E360dn (Firmware version: NR.APS.N645)
- Lexmark C736dn (Firmware version: NR.APS.N644)
- Dell 5130cdn (Firmware version: 201402240935)
- Dell 1720n (Firmware version: NM.NA.N099)
- HP LaserJet M2727nfs (Firmware version: 20140702)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

Long-term settings for printers and other embedded devices are stored in
non-volatile memory (NVRAM) which is traditionally implemented either as
EEPROM or as flash memory. Both components have a limited lifetime (at
least about 100,000 write cycles). However, PJL print jobs themselves
can change long-term settings like the number of copies:

----------------------------------------------------------------------
@PJL DEFAULT COPIES=X
----------------------------------------------------------------------

Doing this a lot of times on purpose can lead to physical destruction of
the NVRAM. By continuously setting the long-term value for the number of
copies (with different values for X each time) for 24 hours, eight out
of twenty tested printers indicated a corrupt NVRAM: The Brother
MFC-9120CN, the Brother DCP-9045CDN and the Konica bizhub 20p showed
error code E6 (EEPROM error), but everything worked fine after a reboot.
The Lexmark E360dn and the Lexmark C736dn became unresponsive and showed
error code 959.24 (EEPROM retention error). After a restart, both
devices recovered but only accepted between a dozen and several hundreds
of long-term values to be set until the same behaviour could be observed
again. The Dell 5130cdn, the Dell 1720n and the HP LaserJet M2727nfs
completely refused to set any long-term values anymore. Note that
PostScript also allows an attacker to write to the NVRAM using ordinary
print jobs by setting values like /WaitTimeout or /StartJobPassword
using the `setpagedevice' operator. This can even be done in a
PostScript program loop, making things extremely fast...

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> destroy
Warning: This command tries to cause physical damage to the
printer NVRAM. Use at your own risk. Press CTRL+C to abort.
Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?
[... wait for about 24 hours ...]
I'm afraid. I'm afraid, Dave. Dave, my mind is going...
NVRAM died after 543894 cycles, 18:46:11

-----------------------[ Further Information ]------------------------

Information on this bug/feature of PJL and PostScript can be found at:
http://hacking-printers.net/wiki/index.php/Physical_damage

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
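
Added example (not part of the original advisory and not PRET code): a
defender-side check for a print server or spool filter that counts the
persistent `@PJL DEFAULT` writes described above per submitting source and
flags sources that exceed a budget. The function names, the budget of 5,
the source addresses and the sample jobs are assumptions constructed for
illustration.

```python
import re
from collections import Counter

UEL = b"\x1b%-12345X"  # Universal Exit Language marker that frames PJL in a job

# @PJL DEFAULT [LPARM:<language>] <variable>=<value> changes a stored default;
# @PJL SET only affects the current job and is deliberately not matched.
DEFAULT_RE = re.compile(
    rb"^\s*@PJL\s+DEFAULT\s+(?:LPARM\s*:\s*\S+\s+)?([A-Z0-9_]+)\s*=\s*(\S+)",
    re.IGNORECASE,
)

def nvram_writes(job: bytes):
    """Return (variable, value) for every @PJL DEFAULT line in a raw job."""
    writes = []
    for line in job.replace(UEL, b"\n").splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            writes.append((m.group(1).decode("ascii").upper(),
                           m.group(2).decode("ascii", "replace")))
    return writes

def sources_over_budget(jobs, budget=5):
    """jobs: iterable of (source, raw_job_bytes). Returns {source: write_count}
    for sources whose jobs together exceed `budget` persistent writes."""
    totals = Counter()
    for source, job in jobs:
        totals[source] += len(nvram_writes(job))
    return {src: n for src, n in totals.items() if n > budget}

# Constructed sample jobs and source addresses (not captured traffic).
NORMAL_JOB = (UEL + b"@PJL JOB NAME=\"report\"\r\n@PJL SET COPIES=2\r\n"
              b"@PJL ENTER LANGUAGE=PCL\r\n...page data...\r\n" + UEL)
ADMIN_JOB = UEL + b"@PJL DEFAULT LPARM:PCL PITCH=12\r\n" + UEL
REPEATED_JOB = UEL + b"".join(
    b"@PJL DEFAULT COPIES=%d\r\n" % n for n in range(1, 9)) + UEL

if __name__ == "__main__":
    spool = [("10.0.0.5", NORMAL_JOB), ("10.0.0.9", ADMIN_JOB),
             ("10.0.0.7", REPEATED_JOB), ("10.0.0.7", REPEATED_JOB)]
    print(sources_over_budget(spool))
```

This covers only the PJL path; NVRAM writes made from PostScript via
`setpagedevice' are not inspected by it.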