PRL-2010-02

#####################################################################################

Application:    Xerox WorkCentre PJL Daemon Buffer Overflow

Platforms:   Xerox WorkCentre 4150

Exploitation:   Denial of Service

{PRL}:   2010-02

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

=================
1) Introduction
=================

Xerox acquired the Tektronix Color Printing and Imaging Division, including the Phaser brand, in 2000.
The Phaser brand has become a key component of Xerox’s office product portfolio, and the company
continues to expand the product line. One of the more important aspects of the acquisition of the
Tektronix divisions is that Xerox decided to keep the Tektronix staff and support services, as Tektronix
is a well known name for high-performance and high-quality printers. This was a very important move
for Xerox since Tektronix had a very good marketing campaign, attending all major tradeshows and
excellent customer service.
Source: Wikipedia

#####################################################################################

====================
2) Report Timeline
====================

2010-03-01  Vendor Contacted

#####################################################################################

======================
3) Technical details
======================

During a brief assessment we performed on a Xerox Phaser 3635 MFP, it was discovered that the PJL daemon
implementation contains a weakness related to the robustness of its PJL protocol handling. An attacker can crash
all of the printer's services (LPD, HTTP, ...) with a crafted packet containing an overly long “INQUIRE LPARM” command.
Recovering from the denial-of-service condition requires power cycling the device. Due to the black-box nature
of this proof-of-concept attack, we are unable to determine whether remote code execution is possible.
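The weakness described above is an unbounded field in a text protocol, so the practical mitigation while waiting for
firmware is to bound that field in front of the device: a print server, proxy or IDS rule that inspects the PJL header of
each job before it reaches port 9100. The following Python is an added example written for this advisory; it is not code
from Protek Research Lab or from Xerox. It splits a raw job stream into PJL lines, ignores the non-PJL payload, and flags
any @PJL command line, or any INQUIRE/DINQUIRE/SET argument, that exceeds a length budget. The thresholds
MAX_PJL_LINE_LEN and MAX_ARG_LEN are constructed for the example and are not values from the advisory or the PJL
reference; the sample job is likewise constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Policy thresholds are constructed for this example; they are not taken from
# the advisory or from the PJL reference, so tune them to the fleet you protect.
MAX_PJL_LINE_LEN = 256   # a legitimate @PJL command line is far shorter than this
MAX_ARG_LEN = 64         # personality and variable names are short identifiers

UEL = b"\x1b%-12345X"    # Universal Exit Language sequence that frames PJL jobs
_CMD_RE = re.compile(rb"^@PJL\s+(?P<cmd>[A-Z]+)", re.IGNORECASE)


@dataclass
class PjlFinding:
    line_no: int      # 1-based index of the offending line within the job
    command: str      # PJL command word, e.g. INQUIRE
    reason: str       # why the line was flagged


def split_pjl_lines(job: bytes) -> List[bytes]:
    """Split a raw print-job stream into lines, discarding UEL framing bytes."""
    job = job.replace(UEL, b"")
    return [ln.rstrip(b"\r") for ln in job.split(b"\n")]


def check_pjl_line(line: bytes, line_no: int = 1) -> Optional[PjlFinding]:
    """Return a finding for an over-long PJL line or argument, or None if it is within budget."""
    m = _CMD_RE.match(line)
    if not m:
        return None  # PCL/PostScript payload, bare "@PJL" or blank line: nothing to bound here
    cmd = m.group("cmd").decode("ascii").upper()
    if len(line) > MAX_PJL_LINE_LEN:
        return PjlFinding(line_no, cmd, f"line is {len(line)} bytes (limit {MAX_PJL_LINE_LEN})")
    # INQUIRE/DINQUIRE take "category:personality variable"; SET takes "variable=value".
    # Split on whitespace, ':' and '=' so each identifier is bounded on its own.
    if cmd in ("INQUIRE", "DINQUIRE", "SET"):
        args = re.split(rb"[\s:=]+", line[m.end():].strip())
        for a in args:
            if len(a) > MAX_ARG_LEN:
                return PjlFinding(line_no, cmd, f"argument is {len(a)} bytes (limit {MAX_ARG_LEN})")
    return None


def scan_job(job: bytes) -> List[PjlFinding]:
    """Scan a whole job stream; an empty list means every PJL line stayed within budget."""
    findings: List[PjlFinding] = []
    for i, line in enumerate(split_pjl_lines(job), start=1):
        finding = check_pjl_line(line, i)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample job: two well-formed PJL lines followed by an INQUIRE LPARM
# whose variable name is 600 bytes long, the shape of input the advisory describes.
SAMPLE_JOB = (
    UEL + b"@PJL\r\n"
    + b"@PJL INQUIRE LPARM:PCL SYMSET\r\n"
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL INQUIRE LPARM:PCL " + b"A" * 600 + b"\r\n"
    + UEL
)

if __name__ == "__main__":
    for f in scan_job(SAMPLE_JOB):
        print(f"line {f.line_no}: {f.command}: {f.reason}")
```

Dropping a job on a finding, rather than truncating the field, is the safer action: a truncated command would be parsed by the
same daemon the advisory says cannot cope with the original, and the finding itself (source address, job, offending
command) is the event worth logging.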

#####################################################################################

===========
4) The Code
===========

Here

###############################################################################