Factory defaults
Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages.
Contents
SNMP
The Printer-MIB [1] defines the prtGeneralReset Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (powerCycleReset(4)), reset the NVRAM settings (resetToNVRAM(5)) or restore factory defaults (resetToFactoryDefaults(6)) using SNMP. Resetting the device to factory default can be accomplished using snmpset command as shown below:
$ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no DHCP service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults.
PML
In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its PML representation and embed the request within a legitimate print job. This allows to restart and/or reset the device to factory defaults as shown below:
@PJL DMCMD ASCIIHEX="040006020501010301040106"
How to test this attack?
On HP printers, restarting or resetting the device can easily be reproduced using PRET:
./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart
PostScript
PostScript offers a similar feature: The FactoryDefaults system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ [2]. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a valid password. The PostScript interpreter however can be put into an infinite loop as discussed in eval-transmission-channel which forces the user to manually restart the device and thus reset the PostScript password.
Reset device to factory defaults (PostScript)
<< /FactoryDefaults true >> setsystemparams
Restart the PostScript interpreter and VM:
true 0 startjob systemdict /quit get exec
How to test this attack?
Restarting or resetting a printer's PostScript interpreter can easily be reproduced using PRET:
./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart
PRESCRIBE
For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below:
!R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings";
- ↑ RFC3805: Printer MIB v2, R. Bergman, I. McDonald and H. Lewis, 2004
- ↑ PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 751
