Full Disclosure mailing list archives

Arbitrary command execution and trivial password guessing on Brother printers
From: auto61149890 () hushmail me
Date: Fri, 08 Feb 2013 12:34:52 -0500

Tested on Brother HL5370 latest firmware so far, confirmed working against many others by Brother documentation

From Brother .de website -


Syntax for PJL JOB command includes -

"PASSWORD = password ( HL-1660e/2060/2400C/2400Ce/3400CN/1650/1670N/3260N/2460/7050/ 
0N only ) 
When the password is set by the DEFAULT command, modifying the NVRAM by using the DEFAULT or 
INITIALIZE commands is locked with the password. Sending the correct password with this command can 
unlock this until the EOJ command is executed. 
password = 0 to 65,535 Default value = 0 
When the printer receives the JOB command, the UEL command is not recognized as a job boundary until 
an EOJ command is received."

Guessing a 16-bit password is very fast, and the printer does not (or cannot?) slow down password guessing. Worse, the password is easily found or not necessary. From the printer ROM "image" header -

12345X@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
--> binary begins here

Have not tested past uploading arbitrary firmware. This should be enough to worry. Probably no point to Brother network controller supporting https and snmp 3 now...

Brother snmp 3 supports only short keys anyway.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
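
A defender-side check for the password guessing described in the post above, as an added example that is not part of the original message: it scans captured print-job payloads for the `@PJL JOB ... PASSWORD=` and `@PJL SUPERUSER PASSWORD=` commands and flags any source that presents many different values to one printer in a short window. The event tuple format, the thresholds and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the two password-bearing PJL commands quoted in the post.
# Whitespace around "=" is optional, as in the syntax "PASSWORD = password".
PJL_PASSWORD = re.compile(
    rb"@PJL\s+(JOB|SUPERUSER)\b[^\r\n]*?\bPASSWORD\s*=\s*(-?\d+)", re.IGNORECASE
)

def extract_passwords(payload: bytes) -> list[tuple[str, int]]:
    """Return (command, password) pairs found in one captured payload."""
    return [(m.group(1).decode().upper(), int(m.group(2)))
            for m in PJL_PASSWORD.finditer(payload)]

def flag_guessing(events, window_s=60, max_distinct=3):
    """Flag (source, printer) pairs that present more than max_distinct
    different passwords inside a sliding window of window_s seconds.
    events: iterable of (epoch_seconds, src_ip, printer_ip, payload_bytes),
    e.g. reassembled print-port streams from a sensor (assumed format).
    """
    attempts = defaultdict(list)   # (src, printer) -> [(ts, password)]
    flagged = {}
    for ts, src, printer, payload in sorted(events, key=lambda e: e[0]):
        for _cmd, pw in extract_passwords(payload):
            key = (src, printer)
            attempts[key].append((ts, pw))
            # Keep only attempts that are still inside the window.
            attempts[key] = [(t, p) for t, p in attempts[key] if ts - t <= window_s]
            distinct = {p for _, p in attempts[key]}
            if len(distinct) > max_distinct:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged

# Constructed sample traffic: one workstation printing with a fixed password,
# and one host cycling through values against the same printer.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "10.0.0.200", b"@PJL JOB NAME=\"report\" PASSWORD=4242\r\n"),
    (1030, "10.0.0.5", "10.0.0.200", b"@PJL JOB NAME=\"memo\" PASSWORD = 4242\r\n"),
] + [
    (2000 + i, "10.0.0.66", "10.0.0.200", b"@PJL JOB PASSWORD=%d\r\n" % i)
    for i in range(10)
]

if __name__ == "__main__":
    for (src, printer), n in flag_guessing(SAMPLE_EVENTS).items():
        print(f"{src} -> {printer}: {n} distinct PJL passwords within 60 s")
```

Because the password space is only 16 bits and the printer itself applies no delay, a network-side control like this (or simply restricting which hosts can reach the printer's print ports) is where guessing has to be caught.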
