Printer Security

Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medical, or education institution.

From a security point of view, these machines are quite interesting since they are located in internal networks and have direct access to sensitive information like confidential reports, contracts or patient recipes.

TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET

Full results are available in the master thesis of Jens Müller and our paper.

Furthermore, we have set up a wiki (http://hacking-printers.net/) to share knowledge on printer (in)security.
The highlights of the entire survey will be presented by Jens Müller for the first time at RuhrSec in Bochum.

Background

There are many cool protocols and languages you can use to control your printer or your print jobs. We assume you have never heard of at least half of them. An overview is depicted in the following figure and described below.

 

Device control

This set of languages is used to control the printer device. With a device control language it is possible to retrieve the printer name or status. One of the most common languages is the Simple Network Management Protocol (SNMP). SNMP is a UDP based protocol designed to manage various network components beyond printers as well, e.g. routers and servers.

Printing channel

The most common network printing protocols supported by printer devices are the Internet Printing Protocol (IPP), Line Printer Daemon (LPD), Server Message Block (SMB), and raw port 9100 printing. Each protocol has specific features like print job queue management or accounting. In our work, we used these protocols to transport malicious documents to the printers.

 

Job control language

This is where it gets very interesting (for our attacks). A job control language manages printer settings like output trays or paper size. A de-facto standard for print job control is PJL. From a security perspective it is very useful that PJL is not limited to the current print job as some settings can be made permanent. It can further be used to change the printer's display or read/write files on the device.

 

Page description language

A page description language specifies the appearance of the actual document. One of the most common 'standard' page description languages is PostScript. While PostScript has lost popularity in desktop publishing and as a document exchange format (we use PDF now), it is still the preferred page description language for laser printers. PostScript is a stack-based, Turing-complete programming language consisting of about 400 instructions/operators. As a security aware researcher you probable know that some of them could be useful. Technically spoken, access to a PostScript interpreter can already be classified as code execution.

 

Attacks

Even though printers are an important attack target, security threats and scenarios for printers are discussed in very few research papers or technical reports. Our first step was therefore to perform a comprehensive analysis of all reported and published attacks in CVEs and security blogs. We then used this summary to systematize the known issues, to develop new attacks and to find a generic approach to apply them to different printers. We estimated that the best targets are the PostScript and PJL interpreters processing the actual print jobs since they can be exploited by a remote attacker with only the ability to 'print' documents, independent of the printing channel supported by the device.

We put the printer attacks into four categories.

 

Denial-of-service (DoS)

Executing a DoS attack is as simple as sending these two lines of PostScript code to the printer which lead to the execution of an infinite loop:

Denial-of-service

%!
{} loop

Other attacks include:

• Offline mode. The PJL standard defines the OPMSG command which 'prompts the printer to display a specified message and go offline'.
• Physical damage. By continuously setting the long-term values for PJL variables, it is possible to physically destroy the printer's NVRAM which only survives a limited number of write cycles.
• Showpage redefinition. The PostScript 'showpage' operator is used in every document to print the page. An attacker can simply redefine this operator to do nothing.

Protection Bypass

Resetting a printer device to factory defaults is the best method to bypass protection mechanisms. This task is trivial for an attacker with local access to the printer, since all tested devices have documented procedures to perform a cold reset by pressing certain key combinations.
However, a factory reset can be performed also by a remote attacker, for example using SNMP if the device complies with RFC1759 (Printer MIB):

Protection Bypass

# snmpset -v1 -c public [printer] 1.3.6.1.2.1.43.5.1.1.3.1 i 6

Other languages like HP's PML, Kyocera's PRESCRIBE or even PostScript offer similar functionalities.

Furthermore, our work shows techniques to bypass print job accounting on popular print servers like CUPS or LPRng.

Print Job Manipulation

Some page description languages allow permanent modifications of themselves which leads to interesting attacks, like manipulating other users' print jobs. For example, it is possible to overlay arbitrary graphics on all further documents to be printed or even to replace text in them by redefining the 'showpage' and 'show' PostScript operators.

Information Disclosure

Printing over port 9100 provides a bidirectional channel, which can be used to leak sensitive information. For example, Brother based printers have a documented feature to read from or write to a certain NVRAM address using PJL:

Information Disclosure

@PJL RNVRAM ADDRESS = X

Our prototype implementation simply increments this value to dump the whole NVRAM, which contains passwords for the printer itself but also for user-defined POP3/SMTP as well as for FTP and Active Directory profiles. This way an attacker can escalate her way into a network, using the printer device as a starting point.
Other attacks include:

• File system access. Both, the standards for PostScript and PJL specify functionality to access the printers file system. As it seems, some manufacturers have not limited this feature to a certain directory, which leads to the disclosure of sensitive information like passwords.
  
• Print job capture. If PostScript is used as a printer driver, printed documents can be captured. This is made possible by two interesting features of the PostScript language: First, permanently redefining operators allows an attacker to 'hook' into other users' print jobs and secondly, PostScript's capability to read its own code as data allows to easily store documents instead of executing them.
  

• Credential disclosure. PJL passwords, if set, can easily retrieved through brute-force attacks due to their limited key space (1..65535). PostScript passwords, on the other hand, can be cracked extremely fast (up to 100,000 password verifications per second) thanks to the performant PostScript interpreters.
  

PRET

To automate the introduced attacks, we wrote a prototype software entitled PRET. The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, by entering a UNIX-like command PRET translates it to PostScript or PJL, sends it to the printer, and evaluates the result. For example, PRET converts a UNIX command ls to the following PJL request:

Information Disclosure

@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535

It then collects the printer output and translates it to a user friendly output.

PRET implements the following list of commands for file system access on a printer device:

Evaluation

As a highly motivated security researcher with a deep understanding of systematic analysis, you would probably obtain a list of about 20 - 30 well-used printers from the most important manufacturers, and perform an extensive security analysis using these printers.
However, this was not our case. To overcome the financial obstacles, we collected printers from various university chairs and facilities. While our actual goal was to assemble a pool of printers containing at least one model for each of the top ten manufacturers, we practically took what we could get. The result is depicted in the following figure:

The assembled devices were not brand-new anymore and some of them were not even completely functional. Three printers had physically broken printing functionality so it was not possible to evaluate all the presented attacks. Nevertheless, these devices represent a good mix of printers used in a typical university or office environment.

Before performing the attacks, we of course installed the newest firmware on each of the devices. The results of our evaluation show that we could find multiple attacks against each printer. For example, simple DoS attacks with malicious PostScript files containing infinite loops are applicable to each printer. Only the HP LaserJet M2727nf had a watchdog mechanism and restarted itself after about ten minutes. Physical damage could be caused to about half of the tested device within 24 hours of NVRAM stressing. For a majority of devices, print jobs could be manipulated or captured.

PostScript, PJL and PML based attacks can even be exploited by a web attacker using advanced cross-site printing techniques. In the scope of our research, we discovered a novel approach – 'CORS spoofing' – to leak information like captured print jobs from a printer device given only a victim's browser as carrier.
A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at http://hacking-printers.net/xsp/.

Our next post will be on adapting PostScript based attacks to websites.

Authors of this Post

Jens Müller
Juraj Somorovsky

Vladislav Mladenov

Related posts

1. Pentest Tools Website Vulnerability
2. Hack Tools For Ubuntu
3. Best Pentesting Tools 2018
4. Github Hacking Tools
5. Hacking Tools Online
6. Top Pentest Tools
7. Install Pentest Tools Ubuntu
8. Black Hat Hacker Tools
9. Hak5 Tools
10. Hacking Tools Mac
11. Hacker Tools Free
12. Hack Website Online Tool
13. Hack Tools For Ubuntu
14. Github Hacking Tools
15. Hacking Tools 2020
16. Hacking Tools For Pc
17. Hacker Security Tools
18. Tools Used For Hacking
19. Hacking Tools Free Download
20. Hack Tool Apk No Root
21. Hacking Tools For Beginners
22. Hacker Tools Github
23. Hacker Tools Windows
24. Hack Tools For Pc
25. Hacking Tools For Windows
26. Termux Hacking Tools 2019
27. Hack Rom Tools
28. Wifi Hacker Tools For Windows
29. Hack Tools 2019
30. Hacking Tools Hardware
31. Hacking Tools For Mac
32. Hack Tools
33. Hacker Tools For Pc
34. Pentest Tools Kali Linux
35. Hacker Tools For Mac
36. Hack Tools For Ubuntu
37. Pentest Recon Tools
38. Hacking Tools For Windows Free Download
39. Hacking Tools
40. Hack Tools Download
41. Pentest Tools Website
42. Hack Tools
43. Tools Used For Hacking
44. Hack Website Online Tool
45. Hacking Tools Download
46. Game Hacking
47. Hacking Apps
48. Hacker Tools Software
49. Pentest Tools Tcp Port Scanner
50. Kik Hack Tools
51. What Are Hacking Tools
52. Hack Tools 2019
53. Hack Website Online Tool
54. Hacking Tools Hardware
55. Pentest Tools For Mac
56. Hacking Tools Hardware
57. Hack App
58. Hacking Tools For Windows
59. World No 1 Hacker Software
60. Hack Tools Github
61. World No 1 Hacker Software
62. Hacking Tools For Games
63. What Is Hacking Tools
64. Hack Rom Tools
65. Hack Tools For Games
66. How To Make Hacking Tools
67. Pentest Tools Open Source
68. Github Hacking Tools
69. Pentest Box Tools Download
70. Hack Tools For Windows
71. Hacking Tools Free Download
72. Hacker Tools Free
73. Hacking Tools For Mac
74. Pentest Tools Website
75. Usb Pentest Tools
76. New Hacker Tools
77. Hacking Tools For Windows 7
78. Hacker Tools For Windows
79. Hack And Tools
80. Pentest Tools Tcp Port Scanner
81. Hack Rom Tools
82. Hack Tool Apk
83. Hacker Tools Hardware
84. Pentest Tools Open Source
85. Hacking Tools For Windows
86. Pentest Tools Tcp Port Scanner
87. Pentest Reporting Tools
88. How To Install Pentest Tools In Ubuntu
89. Hacking Tools Free Download
90. Pentest Tools Subdomain
91. Hacker Tools Apk
92. Pentest Tools Linux
93. Pentest Tools For Mac
94. Hacking Tools Hardware
95. Physical Pentest Tools
96. Hack Tools
97. Hacking Tools 2019
98. Hacking Tools Download
99. Hacking Tools For Mac
100. Hack Tool Apk No Root
101. New Hacker Tools
102. Hacking Tools Free Download
103. Hak5 Tools
104. Hacker Tools Hardware
105. Pentest Tools Website
106. Hacking Tools And Software
107. Pentest Tools Alternative
108. Pentest Box Tools Download
109. Hack Tools For Games
110. Pentest Tools Free
111. Hack Apps
112. Hack Tools Github
113. Hacker Search Tools
114. Pentest Tools Find Subdomains
115. Hacking App
116. Pentest Tools Url Fuzzer
117. Hacker Tools For Pc
118. Hack Tools Online
119. Hacking Tools Windows
120. Nsa Hacker Tools
121. Pentest Tools Review
122. Hacking Tools For Kali Linux
123. Hacker Tools 2020
124. Computer Hacker
125. Hack Tools Download
126. Free Pentest Tools For Windows
127. Hacks And Tools
128. Pentest Tools Linux
129. Hacking Tools Windows 10
130. Pentest Tools Android
131. Free Pentest Tools For Windows
132. Hacking App
133. Hacker Tools List
134. Hackrf Tools
135. Pentest Tools List
136. What Are Hacking Tools
137. Hacking Tools Online
138. Tools 4 Hack
139. Hack Tools For Windows
140. Hacking App
141. Pentest Tools Website
142. Hack Tools
143. Pentest Tools List
144. Best Pentesting Tools 2018
145. Best Pentesting Tools 2018
146. Hack Tools Mac
147. What Is Hacking Tools
148. Pentest Tools Apk
149. How To Make Hacking Tools
150. Hacking Tools 2020
151. New Hacker Tools
152. Pentest Tools Website
153. Physical Pentest Tools
154. Hack Tools Github
155. Best Hacking Tools 2019
156. Hack Tools For Windows
157. Growth Hacker Tools
158. Computer Hacker
159. Hacker Tools For Ios
160. Hacking App
161. Pentest Recon Tools
162. Hacking Tools Download
163. Hack Tools Pc
164. Android Hack Tools Github