Difference between revisions of "Fax and Scanner"

From Hacking Printers
Jump to: navigation, search
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax.
+
While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. Access to such functionality is interesting for an attack because it means more sources to gain sensitive information and extended capabilities like access to phone lines.
  
 
== Telefax ==
 
== Telefax ==
  
Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to '''inbound''' receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages are nowadays typically transmitted as graphical images  like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing.
+
Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 18-35</ref>, allowing compatible devices to receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images  like [https://en.wikipedia.org/wiki/TIFF#TIFF_Compression_Tag TIFF]. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to '''inbound''' receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing.
  
Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested).
+
Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Vendor-specific examples to send fax via PDL datastreams are given below.
  
 
=== HP ===
 
=== HP ===
Line 30: Line 30:
  
 
Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands:  <code>@PJL ENTER LANGUAGE=RFAX</code>
 
Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands:  <code>@PJL ENTER LANGUAGE=RFAX</code>
 +
 +
 +
'''How to test for this attack?'''
 +
 +
Install the printer drivers for the specific model and (ab)use the fax function.
 +
 +
'''Who can perform this attack?'''
 +
 +
Potentially anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
  
 
== Scanner ==
 
== Scanner ==
  
Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used.
+
Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] managed to reverse engineer the protocols for various scanner devices. On Brother MFPs, the proprietary PostScript operator ''_brpdfscan'' may possibly be used.
 +
 
 +
'''How to test for this attack?'''
 +
 
 +
Install the printer drivers for the specific model and (ab)use the scan function.
 +
 
 +
'''Who can perform this attack?'''
 +
 
 +
* Anyone who can print, if scanning functionality can be accessed through a [[Fundamentals#Printer_Control_Languages|printer control]] or [[Fundamentals#Page_Description_Languages|page description]] language
 +
* Anyone who can access the web interface, on MFPs where documents can be scanned using the web interface
 +
* Only attackers who can access certain network services, if a separate TCP port is used for scanning
 +
 
 +
 
 +
----

Latest revision as of 19:30, 14 January 2017

While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. Access to such functionality is interesting for an attack because it means more sources to gain sensitive information and extended capabilities like access to phone lines.

Telefax

Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement [1], allowing compatible devices to receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to inbound receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing.

Furthermore, outbound fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Vendor-specific examples to send fax via PDL datastreams are given below.

HP

According to [1] fax can be accessed using PML on HP devices.

Xerox

According to [2], Xerox uses proprietary PJL commands: @PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."

Brother

According to [3], Brother uses the proprietary FCL (Fax Control Language): <Esc>DIALNUM[ (...) ]

Lexmark

According to [4] Lexmark uses proprietary PJL commands: @PJL LFAX PHONENUMBER="..."

Kyocera

According to [5] Kyocera uses proprietary PJL commands: @PJL SET FAXTEL = ...

Ricoh

Accroding to [6] Ricoh uses proprietary PJL commands: @PJL ENTER LANGUAGE=RFAX


How to test for this attack?

Install the printer drivers for the specific model and (ab)use the fax function.

Who can perform this attack?

Potentially anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing.

Scanner

Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the SANE project managed to reverse engineer the protocols for various scanner devices. On Brother MFPs, the proprietary PostScript operator _brpdfscan may possibly be used.

How to test for this attack?

Install the printer drivers for the specific model and (ab)use the scan function.

Who can perform this attack?

  • Anyone who can print, if scanning functionality can be accessed through a printer control or page description language
  • Anyone who can access the web interface, on MFPs where documents can be scanned using the web interface
  • Only attackers who can access certain network services, if a separate TCP port is used for scanning



  1. PostScript Language Reference Manual Supplement for Version 2016, Adobe Systems Inc., 1995, p. 18-35