CVE-2017-2741
published 2018-01-23

Priority: P2 (79)
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 84.89% (99.7th percentile)
A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.

Affected

38 ranges, showing 25

Vendor  Product          Version range  Fixed in
hp      d3q15a_firmware  < 1708d        1708d
hp      d3q15b_firmware  < 1708d        1708d
hp      d3q15d_firmware  < 1708d        1708d
hp      d3q16a_firmware  < 1708d        1708d
hp      d3q16b_firmware  < 1708d        1708d
hp      d3q16c_firmware  < 1708d        1708d
hp      d3q16d_firmware  < 1708d        1708d
hp      d3q17a_firmware  < 1708d        1708d
hp      d3q17c_firmware  < 1708d        1708d
hp      d3q17d_firmware  < 1708d        1708d
hp      d3q19a_firmware  < 1708d        1708d
hp      d3q19d_firmware  < 1708d        1708d
hp      d3q20a_firmware  < 1708d        1708d
hp      d3q20b_firmware  < 1708d        1708d
hp      d3q20c_firmware  < 1708d        1708d
hp      d3q20d_firmware  < 1708d        1708d
hp      d3q21a_firmware  < 1708d        1708d
hp      d3q21c_firmware  < 1708d        1708d
hp      d3q21d_firmware  < 1708d        1708d
hp      d9l20a_firmware  < 1708d        1708d
hp      d9l21a_firmware  < 1708d        1708d
hp      d9l63a_firmware  < 1708d        1708d
hp      d9l64a_firmware  < 1708d        1708d
hp      j3p68a_firmware  < 1708d        1708d
hp      j6u55a_firmware  < 1708d        1708d

Detection & IOCs (extracted from sources)

port: 9100
port: 161
path: 0:/../../rw/var/etc/profile.d/
other (SNMP OID): 1.3.6.1.2.1.43.5.1.1.3.1
snort rule:
alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:established,to_server; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:5; metadata:created_at 2017_06_16, cve CVE_2017_2741, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Detect PJL path traversal attempts by matching '@PJL FS' followed by 'NAME=' containing '..' sequences on port 9100 (JetDirect/PJL port).
  • The exploit writes a shell script to /etc/profile.d/ via PJL FSDOWNLOAD using a path traversal string '0:/../../rw/var/etc/profile.d/' to achieve persistence on reboot.
  • After writing the payload, the attacker triggers a printer reboot via SNMP SET on OID 1.3.6.1.2.1.43.5.1.1.3.1 (prtGeneralReset) with value 4 (powerCycleReset). Monitor SNMP SET requests to this OID.
  • A successful exploit may leave an unauthenticated telnetd service running as a side effect; monitor for unexpected telnetd processes or open telnet ports on printer devices.
  • The default Metasploit payload for this exploit is 'cmd/unix/bind_busybox_telnetd', which binds a telnetd listener on the printer. Hunt for unexpected inbound connections to printer IPs post-reboot.
  • The Metasploit module drops a randomly named .sh script (8 random alpha chars) into /etc/profile.d/ and removes it after execution; look for transient .sh files in /etc/profile.d/ on HP printer filesystems.
  • The SNMP community string used in the PoC is 'public' (default). Printers with non-default SNMP community strings will not be restartable via this method, potentially stalling the exploit at the reboot step.
  • The Metasploit module uses a WfsDelay of 180 seconds to wait for the printer to reboot and execute the payload; detection/response windows should account for this delay between exploit delivery and callback.
  • The exploit requires the PJL port (default 9100) to be reachable and SNMP (default UDP 161) to be accessible from the attacker; network segmentation of printer management ports mitigates exposure.
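As an added illustration of the detection logic above (written for this page, not taken from the rule's author, HP, or any vendor tool), the following Python mirrors the three match conditions of the Snort rule and runs them over constructed PJL samples; the sample payloads and port values are made up for the test and are not captured traffic.

```python
import re

# Re-implements the match conditions of the Snort rule above (sid 2024404)
# for TCP/9100 traffic so the logic can be checked against PJL payloads.
#   content:"@PJL FS"; depth:7   -> payload starts with "@PJL FS"
#   content:"NAME="; distance:0  -> "NAME=" occurs after that match
#   pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"
#       -> relative to the end of "NAME=": optional whitespace, a quote,
#          then at most 128 non-quote bytes before a ".." sequence
PJL_PORT = 9100
PJL_FS_PREFIX = b"@PJL FS"
NAME_TOKEN = b"NAME="
TRAVERSAL_RE = re.compile(rb"^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e", re.IGNORECASE)


def pjl_traversal_match(payload: bytes) -> bool:
    """True if the payload satisfies all three conditions of the rule."""
    if not payload.startswith(PJL_FS_PREFIX):           # depth:7 means offset 0
        return False
    idx = payload.find(NAME_TOKEN, len(PJL_FS_PREFIX))  # distance:0 from prefix end
    if idx < 0:
        return False
    return TRAVERSAL_RE.match(payload[idx + len(NAME_TOKEN):]) is not None


# Constructed sample flows as (dst_port, payload); not real captures.
SAMPLE_FLOWS = [
    (9100, b'@PJL JOB NAME="quarterly-report"\r\n'),                                          # 0 ordinary job header
    (9100, b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=14 NAME="0:/tmp/test.txt"\r\n'),             # 1 FS write, no traversal
    (9100, b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=14 NAME="0:/../../rw/var/etc/profile.d/x.sh"\r\n'),  # 2 traversal
    (80,   b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=14 NAME="0:/../../rw/var/etc/profile.d/x.sh"\r\n'),  # 3 not the PJL port
    (9100, b"@PJL FSDIRLIST NAME='0:/../../rw/var/etc/profile.d/' ENTRY=1 COUNT=20\r\n"),    # 4 single-quoted traversal
    (9100, b'@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=20\r\n'),                                 # 5 benign listing
]


def scan_flows(flows):
    """Return the indices of flows that would raise the alert."""
    return [i for i, (port, payload) in enumerate(flows)
            if port == PJL_PORT and pjl_traversal_match(payload)]


if __name__ == "__main__":
    for i in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT flow {i}: {SAMPLE_FLOWS[i][1][:60]!r}")
```

Note that the two `content` matches are case-sensitive (the rule carries no `nocase`) while only the `pcre` is case-insensitive, which the code reproduces.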

CVSS provenance

NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)