Hacking Printers - User contributions [en]

Bibliography

2017-01-30T15:55:04Z

134.147.202.176: /* Research by date */

== Research by date ==

=== 2017 ===

'''SoK: Exploiting Network Printers''' ([https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/30/printer-security.pdf PDF])
 by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Blogpost: [http://web-in-security.blogspot.de/2017/01/printer-security.html]

=== 2016 ===

'''Exploiting Network Printers: A Survey of Security Flaws in Laser Printers and Multi-Function Devices''' ([https://www.nds.rub.de/media/ei/arbeiten/2017/01/30/exploiting-printers.pdf PDF])
 by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Proof-of-concept code: [https://github.com/RUB-NDS/PRET]

'''PWN Xerox Printers (...again): About Hardware Attacks and Insecure Cloning''' ([https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PDF])
 by Peter Weidenbach, Raphael Ernst

=== 2014 ===

'''A Large-Scale Analysis of the Security of Embedded Firmwares''' ([https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf PDF])
 by Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti | Video: [https://www.youtube.com/watch?v=5gf6mFz1rPM]

'''Hacking Canon Pixma Printers - Doomed Encryption''' ([http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ HTML])
 by Michael Jordon

=== 2013 ===

'''Embedded Devices Security and Firmware Reverse Engineering''' ([http://s3.eurecom.fr/docs/bh13us_zaddach.pdf PDF])
 by Jonas Zaddach, Andrei Costin

'''Research Report on the Security of MFPs''' ([https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf])
 by IPA Information-technology Promotion Agency, Japan

=== 2012 ===

'''PostScript: Danger Ahead?!'''
 by Andrei Costin | Slides: [https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf] | Video: [https://www.youtube.com/watch?v=ygcs0m5C9ZI]

=== 2011 ===

'''Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware'''
 by Ang Cui, Salvatore Stolfo | Slides: [http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf] | Video: [https://www.youtube.com/watch?v=njVv7J2azY8]

'''Printers gone Wild (PrintFS PJL filesystem)'''
 by Ben Smith | Video: [http://www.securitytube.net/video/1395] | Proof-of-concept code: [http://www.remote-exploit.org/articles/printfs/index.html]

'''From Printer to Pwnd: Leveraging Multifunction Printers During Penetration Testing'''
 by Deral Heiland | Slides: [http://foofus.net/goons/percx/defcon/P2PWND.pdf] | Video: [https://www.youtube.com/watch?v=PH4pTCmKgOg] | Proof-of-concept code: [https://github.com/percx/Praeda]

'''From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process''' ([http://foofus.net/goons/percx/Xerox_hack.pdf PDF])
 by Deral Heiland

=== 2010 ===

'''Hacking Printers for Fun and Profit'''
 by Andrei Costin | Slides: [http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf] | Video: [https://www.youtube.com/watch?v=R56ZXErKCeE]

'''Juste une imprimant?'''
 by NBS System | Slides: [http://www.ossir.org/jssi/jssi2010/1A.pdf]

=== 2006 ===

'''Hacking Network Printers''' ([http://www.irongeek.com/i.php?page=security/networkprinterhacking HTML])
 by Adrian Crenshaw (Irongeek)

=== 2002 ===

'''Understanding, Reversing, and Hacking HP Printers''' ([http://search.lores.eu/realicra/hp_slobo.htm HTML])
 by Slobotron

'''Printer Exploration (PFT and Hijetter, libPJL, ChaiPortScan, ChaiCrack)'''
 FtR of Phenoelit, FX of Phenoelit | Proof-of-concept code: [http://www.phenoelit.org/hp/index.html]

Bibliography

2017-01-30T15:51:14Z

134.147.202.176:

== Research by date ==

=== 2016 ===

'''Exploiting Network Printers: A Survey of Security Flaws in Laser Printers and Multi-Function Devices''' ([https://www.nds.rub.de/media/ei/arbeiten/2017/01/30/exploiting-printers.pdf PDF])
 by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Proof-of-concept code: [https://github.com/RUB-NDS/PRET]

'''PWN Xerox Printers (...again): About Hardware Attacks and Insecure Cloning''' ([https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PDF])
 by Peter Weidenbach, Raphael Ernst

=== 2014 ===

'''A Large-Scale Analysis of the Security of Embedded Firmwares''' ([https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf PDF])
 by Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti | Video: [https://www.youtube.com/watch?v=5gf6mFz1rPM]

'''Hacking Canon Pixma Printers - Doomed Encryption''' ([http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ HTML])
 by Michael Jordon

=== 2013 ===

'''Embedded Devices Security and Firmware Reverse Engineering''' ([http://s3.eurecom.fr/docs/bh13us_zaddach.pdf PDF])
 by Jonas Zaddach, Andrei Costin

'''Research Report on the Security of MFPs''' ([https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf])
 by IPA Information-technology Promotion Agency, Japan

=== 2012 ===

'''PostScript: Danger Ahead?!'''
 by Andrei Costin | Slides: [https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf] | Video: [https://www.youtube.com/watch?v=ygcs0m5C9ZI]

=== 2011 ===

'''Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware'''
 by Ang Cui, Salvatore Stolfo | Slides: [http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf] | Video: [https://www.youtube.com/watch?v=njVv7J2azY8]

'''Printers gone Wild (PrintFS PJL filesystem)'''
 by Ben Smith | Video: [http://www.securitytube.net/video/1395] | Proof-of-concept code: [http://www.remote-exploit.org/articles/printfs/index.html]

'''From Printer to Pwnd: Leveraging Multifunction Printers During Penetration Testing'''
 by Deral Heiland | Slides: [http://foofus.net/goons/percx/defcon/P2PWND.pdf] | Video: [https://www.youtube.com/watch?v=PH4pTCmKgOg] | Proof-of-concept code: [https://github.com/percx/Praeda]

'''From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process''' ([http://foofus.net/goons/percx/Xerox_hack.pdf PDF])
 by Deral Heiland

=== 2010 ===

'''Hacking Printers for Fun and Profit'''
 by Andrei Costin | Slides: [http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf] | Video: [https://www.youtube.com/watch?v=R56ZXErKCeE]

'''Juste une imprimant?'''
 by NBS System | Slides: [http://www.ossir.org/jssi/jssi2010/1A.pdf]

=== 2006 ===

'''Hacking Network Printers''' ([http://www.irongeek.com/i.php?page=security/networkprinterhacking HTML])
 by Adrian Crenshaw (Irongeek)

=== 2002 ===

'''Understanding, Reversing, and Hacking HP Printers''' ([http://search.lores.eu/realicra/hp_slobo.htm HTML])
 by Slobotron

'''Printer Exploration (PFT and Hijetter, libPJL, ChaiPortScan, ChaiCrack)'''
 FtR of Phenoelit, FX of Phenoelit | Proof-of-concept code: [http://www.phenoelit.org/hp/index.html]

Cross-site printing

2017-01-30T13:01:33Z

134.147.202.176:

Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier.

[[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]]

== Enhanced cross-site printing ==

Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. A schematic overview of the attack is given below:

[[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]]

In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below:

<syntaxhighlight lang=postscript>
job = "\x1B%-12345X\r\n"
+ "%!\r\n"
+ "(HTTP/1.0 200 OK\\n) print\r\n"
+ "(Server: PostScript HTTPD\\n) print\r\n"
+ "(Access-Control-Allow-Origin: *\\n) print\r\n"
+ "(Connection: close\\n) print\r\n"
+ "(Content-Length: ) print\r\n"
+ "product dup length dup string cvs print\r\n"
+ "(\\n\\n) print\r\n"
+ "print\r\n"
+ "(\\n) print flush\r\n"
+ "\x1B%-12345X\r\n";

var x = new XMLHttpRequest();
x.open("POST", "http://printer:9100");
x.send(job);
x.onreadystatechange = function() {
if (x.readyState == 4)
alert(x.responseText);
};
</syntaxhighlight>

== Limitations of cross-site printing ==

Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.

If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers:

* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types

A comparison of cross-site printing channels is given in below:

{| class="wikitable" style="text-align:center"
|-
! Channel !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || - || ✔ || ✔ || -
|-
| Web || ✔ || - || - || -
|-
| IPP || ✔ || - || ✔ || -
|-
| LPD || ✔ || - || ✔
| style="text-align:left;" | FF, Ch, Op
|-
| FTP || ✔ || - || ✔
| style="text-align:left;" | FF, Ch, Op, IE
|-
|}

One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.

== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer.

→ ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]]

----

PFT

2017-01-09T18:36:41Z

134.147.202.176: Created page with "While printer manufacturers added various proprietary featured to PostScript and PJL, their standards -- and in particular the possibility to access the file system -- date ba..."

While printer manufacturers added various proprietary featured to PostScript and PJL, their standards -- and in particular the possibility to access the file system -- date back to the 80s \cite{press1985postscript} and 90s \cite{hp1997pjl}. For PJL, this issue has first been demonstrated by \cite{phenoelit2002embedded} who wrote the ''PFT and Hijetter''\footnote{FtR of Phenoelit, \textit{PFT and Hijetter}, \url{http://www.phenoelit.org/hp/}, Jun. 2016} programs to perform file operations on HP LaserJets using legitimate PJL commands which heavily inspired [[PRET]].

tbd: a

The Hijetter gives you the opportunity to explore printers via their PJL interface. This includes access to the environment variables the file system and the display of the target. You might play around with these elements in order to improve or decrease the performance and usability of a printer.
This was the first attempt of a Perl coder to use VC++.

crack the password,
dump and set PJL environment variables

pft Printer Job Language library and tool

http://m.blog.csdn.net/article/details?id=46874173