Difference between revisions of "PML"
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
'''TBD: This article needs further explanation''' | '''TBD: This article needs further explanation''' | ||
− | The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines defines PML as ‘an object-oriented request-reply printer management protocol’ <ref>''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11</ref> and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[ | + | The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines defines PML as ‘an object-oriented request-reply printer management protocol’ <ref>''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11</ref> and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[attack carriers]]. The use of PML within a print job retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below: |
<syntaxhighlight lang=sh> | <syntaxhighlight lang=sh> | ||
Line 8: | Line 8: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | The rear part of string responded by the printer, <code>6870204c617365724a65742034323530</code> is | + | The rear part of string responded by the printer, <code>6870204c617365724a65742034323530</code> is hexadecimal for <code>hp LaserJet 4250</code> – equivalent to the [[SNMP|snmpget example]]. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to [[factory defaults]] via ordinary print jobs, therefore removing protection mechanisms like user-set passwords. |
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]] | → ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]] |
Latest revision as of 12:23, 25 June 2017
TBD: This article needs further explanation
The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of SNMP with PJL. Publicly available documentation has not been released, however parts of the standard were leaked by the LPRng project: the PJL Passthrough to PML and SNMP User’s Guide defines defines PML as ‘an object-oriented request-reply printer management protocol’ [1] and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in attack carriers. The use of PML within a print job retrieving the hrDeviceDescr
value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
> @PJL DMINFO ASCIIHEX="000006030302010301"
< "8000000603030201030114106870204c617365724a65742034323530
The rear part of string responded by the printer, 6870204c617365724a65742034323530
is hexadecimal for hp LaserJet 4250
– equivalent to the snmpget example. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to factory defaults via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
→ Related articles: Printer Control Languages, SNMP, Factory defaults
- ↑ PJL Passthrough to PML and SNMP User's Guide, HP Inc., 2000, p. 11