Difference between revisions of "PML"

From Hacking Printers
Jump to: navigation, search
(Created page with "'''TBD: This article needs further explanation''' The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features o...")
 
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
'''TBD: This article needs further explanation'''
 
'''TBD: This article needs further explanation'''
  
The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines defines PML as ‘an object-oriented request-reply printer management protocol’ <ref>''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11</ref> and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[deployment channels]]. The use of PML within a print job retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
+
The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released, however parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines defines PML as ‘an object-oriented request-reply printer management protocol’ <ref>''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11</ref> and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in [[attack carriers]]. The use of PML within a print job retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
  
  > @PJL DMINFO ASCIIHEX="000006030302010301"
+
<syntaxhighlight lang=sh>
  < "8000000603030201030114106870204c617365724a65742034323530
+
> @PJL DMINFO ASCIIHEX="000006030302010301"
 +
< "8000000603030201030114106870204c617365724a65742034323530
 +
</syntaxhighlight>
  
The rear part of string responded by the printer, <code>6870204c617365724a65742034323530</code> is hexdecimal for <code>hp LaserJet 4250</code> – equivalent to the [[SNMP|snmpget example]]. As one can see, with PML it is possible to invoke (a subset of) SNMP commands over PJL. One security-sensitve use of PML is to to reset HP printers to [[factory defaults]] via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
+
The rear part of string responded by the printer, <code>6870204c617365724a65742034323530</code> is hexadecimal for <code>hp LaserJet 4250</code> – equivalent to the [[SNMP|snmpget example]]. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to [[factory defaults]] via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
  
→ ''Related aricles:'' [[SNMP]], [[Factory defaults]]
+
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]]
  
  
 
-----------
 
-----------

Latest revision as of 12:23, 25 June 2017

TBD: This article needs further explanation

The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of SNMP with PJL. Publicly available documentation has not been released, however parts of the standard were leaked by the LPRng project: the PJL Passthrough to PML and SNMP User’s Guide defines defines PML as ‘an object-oriented request-reply printer management protocol’ [1] and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in attack carriers. The use of PML within a print job retrieving the hrDeviceDescr value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:

> @PJL DMINFO ASCIIHEX="000006030302010301"
< "8000000603030201030114106870204c617365724a65742034323530

The rear part of string responded by the printer, 6870204c617365724a65742034323530 is hexadecimal for hp LaserJet 4250 – equivalent to the snmpget example. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to factory defaults via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.

Related articles: Printer Control Languages, SNMP, Factory defaults



  1. PJL Passthrough to PML and SNMP User's Guide, HP Inc., 2000, p. 11