Sunday, December 8, 2019

PJLink Authentication and Security

I've already written one article about the PJLink protocol: https://g33ksblog.blogspot.com/2017/03/pjlink-network-control-for-projector.html

PJLink is a protocol developed by JBMIA for controlling projectors (and presentation displays, for example from NEC) over a LAN connection.
It uses get and set commands. You can get or set several things: power on/off or query the status, the input for the video and audio source, the volume, and, if it is a projector, you can also work with the lens and aperture.
More documentation can be found here: http://pjlink.jbmia.or.jp/english/




Here we will concentrate on authentication and security.
There are two possibilities:
  1. there is no authentication, and the PJLink device starts the communication with: PJLINK 0
  2. there is authentication, and the PJLink device starts the communication with: PJLINK 1 followed by a 4-byte random number
The authentication process is as follows (schematics below):
  1. The PJLink device sends PJLINK 1 and a 4-byte random number
  2. The PJLink client concatenates this 4-byte random number and the password and computes an MD5 hash
  3. The PJLink client sends the MD5 hash and the command to the PJLink device
  4. The PJLink device performs the same MD5 hash generation and compares the result with the client's response to verify the password, then either responds with the command result or with an error message
To obtain access to a PJLink device with authentication, there are two ways:
  1. as per point 4 above, the PJLink device computes MD5(random number + password), which means it has the password in plain text (or symmetrically encrypted) somewhere locally, hence if you have other access to the device you might be able to get it.
  2. we can simply do a brute-force attack and guess the password (here are scripts to do a word-list-based brute-force attack); the problem is that every login uses a random salt, which means you need to find the really correct password (a collision is no help).
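As an added example (not code from the original post or from the PJLink project), here are both sides of the exchange described above in Python: the device issues the random challenge, the client answers with MD5(random number + password) in front of its command, and the device recomputes the digest from the password it stores and compares it in constant time. Because the challenge is fresh for every connection, the same password yields a different digest each login, which is the "random salt" point above. The wire details (challenge as 8 hex digits, a 32-hex-digit digest immediately followed by the command, PJLINK ERRA on failure) follow the PJLink specification as I know it; the sample password and the =OK reply are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for this example (not taken from the post).
SAMPLE_PASSWORD = "JBMIAProjectorLink"


def make_challenge(random_bytes=None):
    """Device side: 4 random bytes rendered as 8 lowercase hex digits."""
    if random_bytes is None:
        random_bytes = secrets.token_bytes(4)  # fresh for every connection
    return random_bytes.hex()


def device_greeting(challenge):
    """First line the device sends when authentication is enabled."""
    return "PJLINK 1 " + challenge + "\r"


def pjlink_digest(challenge, password):
    """MD5 over the ASCII text of the challenge followed by the password."""
    return hashlib.md5((challenge + password).encode("ascii")).hexdigest()


def client_request(greeting, password, command):
    """Client side: answer the greeting by prefixing the command with the digest."""
    parts = greeting.strip().split(" ")
    if parts[0] != "PJLINK":
        raise ValueError("not a PJLink greeting")
    if parts[1] == "0":
        return command + "\r"  # PJLINK 0: device requires no authentication
    return pjlink_digest(parts[2], password) + command + "\r"


def device_verify(request, challenge, password):
    """Device side: recompute the digest from the stored password and compare."""
    if len(request) < 32:
        return "PJLINK ERRA\r"  # authentication error reply
    digest, command = request[:32], request[32:].rstrip("\r")
    expected = pjlink_digest(challenge, password)
    # Constant-time comparison: a plain == stops at the first differing
    # character and leaks, via timing, how much of the digest matched.
    if not hmac.compare_digest(digest.encode(), expected.encode()):
        return "PJLINK ERRA\r"
    # Constructed success reply: echo the command name followed by =OK.
    return command.split(" ")[0] + "=OK\r"
```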

