Hacking Printers - User contributions [en]

Memory access

2017-01-31T10:34:21Z

84.153.135.135:

If an attacker gains access to the printer's memory or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM], she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.

== PJL (Brother) ==

For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM.

<syntaxhighlight lang=sh>
@PJL RNVRAM ADDRESS = X # read byte at location X
@PJL WNVRAM ADDRESS = X DATA = Y # write byte Y to location X
</syntaxhighlight>

This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead.

'''How to test for this attack?'''

The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]], can be tested as follows:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> nvram dump
Writing copy to nvram/printer
................................................................................
................................................................................
............................................MyS3cretPassw0rd....................
................................................................................

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PostScript (Xerox) ==

Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. Costin, Hack in Paris, 2012</ref> as show below:

<syntaxhighlight lang=postscript>
/counter 0 def 50000 {
/counter counter 1 add def
currentdict /RRCustomProcs /ProcSet findresource begin
begin counter 1 false vxmemfetch end end == counter
} repeat
</syntaxhighlight>

'''How to test for this attack?'''

Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above.

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----

Print job manipulation

2017-01-31T10:29:00Z

84.153.135.135: /* Content Replacement */

If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below.

== Content Overlay ==

[[File:Overlay.jpg|thumb|Smiley overlay attack on others' jobs]]

One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. It is handy to play pranks like putting ‘hax0r slogans’ on all sheets – but also for legitimate tasks such as creating letterheads. Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle here, including a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set.

'''How to test for this attack?'''

Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> overlay overlays/smiley.eps
printer:/> cross whoa "HACKED"
printer:/> exit

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== Content Replacement ==

Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to parse and replace parts of the existing document. Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings. The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was ‘surprisingly effective on the 40,000 technical reports’ <ref name="nevill1997extracting"/> of the NZDLP, it depends on the PostScript code quality generated either directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are directly sent to the printer while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref> which instead of strings creates raster graphics of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. Theoretically such language constructs could also be parsed and should be subject of further research.

'''How to test for this attack?'''

Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> replace "ABC" "DEF"
printer:/> exit

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----

Software packages

2017-01-31T10:12:56Z

84.153.135.135:

In the recent years, printer vendors have started to introduce the '''possibility to install custom software on their devices'''. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors, not for end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is ''NSi AutoStore'' <ref>''[http://www.notablesolutions.com/products/nsi-autostore/ NSi AutoStore]'', Nuance Communications, Inc.</ref> which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat. Furthermore code signing of software packages is potentially harder than it is for [[Firmware updates|firmware]] as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.

== Vendors ==
In the following a rough outline on the software platforms provided by major printer vendors to extend functionality of their devices is given.

=== HP (Chai/OXP) ===

HP introduced their ‘Chai Appliance Platform’ platform in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first <ref>''[https://www.heise.de/newsticker/meldung/Java-API-fuer-HP-Drucker-54026.html Java API für HP-Drucker]'', heise online, 2001</ref>, access was later restricted to members of HP's developer network. Chai servlets which come as <code>.jar</code> files which originally needed to be certified and signed by HP before they would be accepted by a printer device. <ref name="phenoelit2002embedded">''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> discovered a flaw in the deployment process: by installing ''EZloader'' – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: <ref name="mueller2016printers">''Exploiting Network Printers'', J. Müller, 2016, p. 59</ref> were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on <ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005</ref> who extended the device to support load-balancing and included the required SDK files and proprietary Java libraries in their demonstration. With the libraries, arbitrary Java code can be complied and executed on older HP LaserJets by uploading the <code>.jar</code> files to a ‘hidden’ URL: <code>http://printer/hp/device/this.loader</code>. This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from <code>/dev/rdsk_jdi_cfg0</code> with PostScript (see [[file system access]]) or bypassed by resetting the device to [[factory defaults]]. A web attacker can upload the <code>.jar</code> file using [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ ([https://developers.hp.com/oxp/ OXP]) instead of Chai for which no SDK is publicly available.

=== Canon (MEAP) ===

The ‘Multifunctional Embedded Application Platform’ ([http://www.developersupport.canon.com/faq/335#t335n18 MEAP]) is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third party developers can obtain the MEAP [http://developersupport.canon.com/content/meap-sdk-0 SDK] for a fee of ''$5,000'' which is certainly out of scope for research purposes.

=== Xerox/Dell (EIP) ===

The ‘Extensible Interface Platform’ ([http://www.office.xerox.com/eip/enus.html EIP]) <ref>''[http://www.it-executive.nl/images/downloads/Extensible%20Interface.pdf From Peripheral To Platform: MFP Software Development Tools and Xerox's Extensible Interface Platform]'', B. Bissett, 2016</ref> was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The [http://www.office.xerox.com/eip/enus.html SDK] is freely available for registered developers.

=== Brother (BSI) ===

The ‘Brother Solutions Interface’ ([https://www.brother-usa.com/lp/civ/bsi.aspx BSI]) is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the [https://www.brother-usa.com/lp/civ/home.aspx SDK] is available to licensed developers.

=== Lexmark (eSF) ===

The ‘Embedded Solution Framework’ ([http://www.lexmark-emea.com/usa/BSD_solution_catalouge.pdf eSF]) was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref> ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.

=== Samsung (XOA) ===

The ‘eXtensible Open Architecture’ ([http://samsungprintingsolutions.com/2015/02/can-samsungs-extensible-open-architecture-xoa/ XOA]) was introduced by Samsung in 2008 and comes in two flavours: the XOA-E Java virtual machine and the web services based XOA-Web. The [http://xoapartnerportal.com/ SDK] is only available to Samsung resellers.

=== Ricoh (ESA) ===

The ‘Embedded Software Architecture’ ([https://www.ricoh.com/esa/ ESA]) <ref>''[http://ricoh.com/esa/pdf/white_letter.pdf White Paper: Embedded Software Architecture SDK]'', Ricoh Company, Ltd., 2014</ref> was launched by Ricoh in 2004. The Java based [http://www.ricoh-developer.com/content/device-sdk-type-j-sdkj-overview SDK/J] is available to developers after a registration.

=== Kyocera/Utax (HyPAS) ===

The ‘Hybrid Platform for Advanced Solutions’ ([http://usa.kyoceradocumentsolutions.com/americas/jsp/Kyocera/hypas_overview.jsp HyPAS]) <ref>''[http://www.officeproductnews.net/sites/default/files/imce/KyoceraWhitepaper_0.pdf Kyocera's HyPAS Technology – A Whitepaper]'', Kyocera Corp., 2013</ref> has been released by Kyocera in 2008. Applications are based either on Java or on web services. The [https://www.kyoceradocumentsolutions.eu/index/document_solutions/HyPAS/hypas_developer_partner.html SDK] is only available for members of the ‘HyPAS Development Partner Programme’ and applications have to be approved by Kyocera.

=== Konica Minolta (bEST) ===

The ‘bizhub Extended Solution Technology’ ([https://best.kmbs.us/ bEST]) <ref>''[http://www.biz.konicaminolta.com/technologies/best/pdf/bEST_Whitepaper.pdf Konica Minolta's bizhub Extended Solution Technology (bEST) Software Development Platform for MFPs]'', B. Bissett, 2009</ref> which is based on web services was introduced by Konica Minolta in 2009. Access to the [https://best.kmbs.us/pages/levels.php SDK] requires ‘platinum membership level’ in the developer program for a fee of ''$4,000'' which is out of scope for independent researchers.

=== Toshiba (e-BRIDGE) ===

The ‘e-BRIDGE Open Platform’ ([http://www.estudio.com.sg/solutions_ebridge.aspx e-BRIDGE]) was released by Toshiba in 2008 to customize their high-end MFPs based on web services technology. An SDK is not available to the general public.

=== Sharp (OSA) ===

The ‘Open Systems Architecture’ ([http://siica.sharpusa.com/Document-Systems/Sharp-OSA OSA]) <ref>''[http://www.kelo-kopiertechnik.de/uploads/prospekte/loesungen/Prospekt OSA.pdf Sharp OSA – Informationen für Sharp Fachhändler]'', Sharp K.K., 2009</ref> was announced by Sharp in 2004. The [http://sharp-partners.com/us/PartnerPrograms/DeveloperProgram/tabid/722/Default.aspx SDK] used to develop web services is fee-based and applications need to be validated by Sharp before they can be installed on an MFP.

=== Oki (sXP) ===

The ‘smart eXtendable Platform’ ([http://www.oki.com/en/press/2014/09/z14053e.html sXP]) <ref>''[http://www.oki.com/en/otr/2016/n227/pdf/otr-227-R05.pdf Office Solution with Multifunction Printer]'', N. Toshiyuki and T. Ito, Oki Electric Industry Co., Ltd., 2016</ref> which is based on web services was launched by Oki Data in 2013 for their MFP devices. Oki does not publish any information regarding an official developer program or publicly available SDK.

== Results ==

On older HP laser printers, arbitrary Java bytecode can be executed as demonstrated by <ref name="phenoelit2002embedded"/> and <ref name="mueller2016printers"/>. Security is based on the password of the embedded web server which can be easily retrieved with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of other software platforms because of lacking access to the SDK and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below:

{| class="wikitable" style="text-align:center"
|-
! Vendor !! Platform !! Embedded Java !! Web services !! Deployment
|-
| style="text-align:left;" | HP
| style="text-align:left;" | Chai/OXP || ✔ || ✔
| style="text-align:left;" | web server
|-
| style="text-align:left;" | Xerox/Dell
| style="text-align:left;" | EIP || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Canon
| style="text-align:left;" | MEAP || ✔ || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Brother
| style="text-align:left;" | BSI || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Lexmark
| style="text-align:left;" | eSF || ✔ ||
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Samsung
| style="text-align:left;" | XOA || ✔ || ✔
| style="text-align:left;" | web server
|-
| style="text-align:left;" | Ricoh
| style="text-align:left;" | ESA || ✔ ||
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Kyocera/Utax
| style="text-align:left;" | HyPAS || ✔ || ✔
| style="text-align:left;" | USB drive
|-
| style="text-align:left;" | Konica Minolta
| style="text-align:left;" | bEST || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Toshiba
| style="text-align:left;" | e-Bridge || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Sharp
| style="text-align:left;" | OSA || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Oki
| style="text-align:left;" | sXP || || ✔
| style="text-align:left;" | unknown
|-
|}

'''How to test for this attack?'''

Obtain an SDK and write your own proof-of-concept application or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP). Also check which protection mechanisms exist to install custom software on the device.

'''Who can perform this attack?'''

Dependend on how software packages are deployed.

----