From Hacking Printers
Jump to: navigation, search

Typical printers range from classical dot matrix to inkjet or laser printers used at home or in corporate environments. The printing hardware is not addressed in detail in this wiki as from a security perspective it seems less relevant [1]. This page aims to give an introduction to fundamental software printing technologies, including network printing protocols, printer control and page description languages.

High-level overview

Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.

Encapsulation of printer languages

The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in IPP, PJL and PostScript. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.

Related articles: Attack carriers

Network printing protocols

Sending data to a printer device can be done by USB/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's NCP or AppleTalk. In the Windows world, SMB/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as FTP or HTTP file uploads. The most common printing protocols supported directly by network printers however are LPD, IPP, and raw port 9100 printing. Network printing protocols can be attacked directly, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a carrier/channel to deploy malicious Printer language code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.

Related articles: LPD, IPP, Raw, SMB

Printer Control Languages

A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are CPCA, XJCL, EJL and PJL – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was NPAP. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its PJL-based metalanguage PML.

Related articles: PJL, PML, SNMP, UEL

Page Description Languages

A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or GDI printers only accept simple bitmap datastreams like ZJS while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's PRESCRIBE, SPL, XES, CaPSL, RPCS, ESC/P which is mostly used in dot matrix printers or HP-GL and HP-GL/2 which have been designed for plotters. Support for direct PDF and XPS printing is also common on newer printers. The most common ‘standard’ page description languages however are PostScript and PCL.

Related articles: PCL, PostScript

  1. Even though some newspapers claimed hackers could set laser printers on fire by overheating them.