Difference between revisions of "Factory defaults"

From Hacking Printers
Latest revision as of 12:29, 25 June 2017

Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question arises whether printer vendors have implemented the possibility to perform factory resets online using printer control or page description languages. They have, as discussed in this article.

SNMP

The Printer-MIB [1] defines the prtGeneralReset Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (powerCycleReset(4)), reset the NVRAM settings (resetToNVRAM(5)) or restore factory defaults (resetToFactoryDefaults(6)) using SNMP. This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no DHCP service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults.

How to test for this attack?

Resetting the device to factory defaults can be accomplished using the snmpset command as shown below:

snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6

Who can perform this attack?

Anyone who can send network packets to port 161/udp of the printer device.
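An added example, not code from the wiki or from PRET: a small SNMPv1 decoder that a defender can run over captured UDP/161 payloads to alert on SetRequests that write prtGeneralReset. The sample datagram is constructed here to match the snmpset command above (RFC 1157 message layout, BER encoding); the GetRequest sample shows that reads of the same OID stay silent.

```python
PRT_GENERAL_RESET = "1.3.6.1.2.1.43.5.1.1.3.1"
RESET_NAMES = {4: "powerCycleReset", 5: "resetToNVRAM", 6: "resetToFactoryDefaults"}

def _tlv(buf, pos):  # read one BER TLV at pos -> (tag, contents, position after it)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # BER OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def snmpv1_set_varbinds(packet):
    """(community, [(oid, integer value or None), ...]) for an SNMPv1 SetRequest, else None."""
    tag, msg, _ = _tlv(packet, 0)
    _, version, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA3:  # SEQUENCE, version-1, SetRequest-PDU
        return None
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, vblist, _ = _tlv(pdu, pos)
    binds, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = _tlv(vblist, pos)
        _, oid_raw, p = _tlv(vb, 0)
        vtag, vraw, _ = _tlv(vb, p)
        value = int.from_bytes(vraw, "big", signed=True) if vtag == 0x02 else None
        binds.append((_decode_oid(oid_raw), value))
    return community.decode("latin-1"), binds

def find_printer_resets(packet):
    """Alerts (community, reset kind) for every SetRequest varbind that writes prtGeneralReset."""
    community, binds = snmpv1_set_varbinds(packet) or ("", [])
    return [(community, RESET_NAMES.get(v, "unknown(%r)" % v))
            for oid, v in binds if oid == PRT_GENERAL_RESET]

# Constructed samples: the datagram of `snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6`, and a GetRequest for the same OID (no alert expected)
SET_FACTORY_DEFAULTS = bytes.fromhex("302a02010004067075626c6963a31d02010102010002010030123010060b2b060102012b0501010301020106")
GET_SAME_OID = bytes.fromhex("302902010004067075626c6963a01c02010102010002010030113 00f060b2b060102012b05010103010500".replace(" ", ""))
```

The same check can be fed from a packet capture; alerting on any non-empty result is enough, since prtGeneralReset is never written during normal printing.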

PML/PJL

In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices, however, an SNMP request can be transformed into its PML representation and embedded within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below:

@PJL DMCMD ASCIIHEX="040006020501010301040106"

How to test for this attack?

On HP printers, restarting or resetting the device can easily be reproduced using PRET:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset
printer:/> restart

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

PostScript

PostScript offers a similar feature: The FactoryDefaults system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ [2]. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a valid password. The PostScript interpreter however can be put into an infinite loop as discussed in document processing DoS attacks which forces the user to manually restart the device and thus reset the PostScript password.

Reset PostScript system parameters to factory defaults:

<< /FactoryDefaults true >> setsystemparams

Restart the PostScript interpreter and virtual memory:

true 0 startjob systemdict /quit get exec

How to test for this attack?

Restarting or resetting a printer's PostScript interpreter can easily be reproduced using PRET:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset
printer:/> restart

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

PRESCRIBE

For Kyocera devices, the PRESCRIBE page description language may be used to reset the device to factory defaults from within ordinary print jobs using one of the commands shown below:

!R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'";  CMMT "Drop the security level, reset password";
!R! ACNT "REST";                                       CMMT "Reset account code admin password";
!R! EGRE;                                              CMMT "Reset the engine board to factory defaults";
!R! SIOP0,"RESET:0";                                   CMMT "Reset configuration settings";

How to test for this attack?

Open a raw network connection (using netcat [3], for example) to port 9100/tcp of the printer and send the commands documented above.

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
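Since the PML/PJL, PostScript and PRESCRIBE variants above all arrive inside ordinary print jobs, one place to catch them is a content check on the spooler or in front of port 9100. The following inspector is an added example, not the wiki's or PRET's code; the sample jobs are constructed, and the claim that PML encodes prtGeneralReset as the arcs 5.1.1.3.1 relative to the Printer-MIB subtree is an assumption, marked as such in the code.

```python
import re

# Arcs 5.1.1.3.1 of prtGeneralReset, i.e. the OID relative to the Printer-MIB subtree
# 1.3.6.1.2.1.43 (assumption about PML's OID encoding; the page's payload carries these bytes).
PRT_GENERAL_RESET_ARCS = bytes([5, 1, 1, 3, 1])

RULES = [  # (rule name, pattern); group 1, where present, is the interesting fragment
    ("pjl-dmcmd", re.compile(rb'@PJL\s+DMCMD\s+ASCIIHEX\s*=\s*"([0-9A-Fa-f]*)"', re.I)),
    ("ps-factory-defaults", re.compile(rb"<<[^>]*/FactoryDefaults\s+true[^>]*>>\s*setsystemparams")),
    ("ps-restart", re.compile(rb"systemdict\s*/quit\s+get\s+exec")),
    ("prescribe-reset", re.compile(rb'!R!\s*(EGRE|ACNT\s+"REST"|SIOP0\s*,\s*"RESET:\d+"|KSUS\s+"AUIO")')),
]

def inspect_print_job(job: bytes):
    """Return (rule, detail) findings for reset/restart commands found in a raw print job."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(job):
            fragment = m.group(1) if m.groups() else m.group(0)
            detail = fragment.decode("ascii", "replace")
            if name == "pjl-dmcmd":            # look inside the PML payload
                try:
                    payload = bytes.fromhex(m.group(1).decode("ascii"))
                except ValueError:             # odd-length or otherwise malformed hex
                    payload = b""
                if PRT_GENERAL_RESET_ARCS in payload:
                    detail += " (PML write to prtGeneralReset)"
            findings.append((name, detail))
    return findings

# Constructed sample jobs: a PJL job carrying the PML reset quoted on this page, a PostScript job
# using the two commands above, a Kyocera PRESCRIBE job, and an ordinary PostScript page.
PJL_JOB = (b'\x1b%-12345X@PJL JOB NAME="quarterly report"\r\n'
           b'@PJL DMCMD ASCIIHEX="040006020501010301040106"\r\n@PJL ENTER LANGUAGE=PCL\r\n')
PS_JOB = b"%!PS\n<< /FactoryDefaults true >> setsystemparams\ntrue 0 startjob systemdict /quit get exec\n"
PRESCRIBE_JOB = b'!R! EGRE; CMMT "Reset the engine board"; EXIT;\n'
BENIGN_JOB = b"%!PS\n/Helvetica findfont 12 scalefont setfont 72 72 moveto (Hello) show showpage\n"
```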



  1. RFC3805: Printer MIB v2, R. Bergman, I. McDonald and H. Lewis, 2004
  2. PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 751
  3. Netcat – TCP/IP Swiss Army Knife, Hobbit, 1996