Difference between revisions of "Fundamentals"

From Hacking Printers
Jump to: navigation, search
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in small businesses. The printing hardware is not addressed in detail in this wiki, as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental printing technologies, including network printing protocols, printer control and page description languages.
+
Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages.
  
 
== High-level overview ==
 
== High-level overview ==
  
A schematic relationship regarding the encapsulation of printer languages is given below.
+
Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.
 +
 
 +
 
 +
[[File:Protocols.png|500px|Encapsulation of printer languages]]
  
[[File:Protocols.png|border|500px|Encapsulation of printer languages]]
 
  
 
The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.
 
The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.
 +
 +
→ ''Related articles:'' [[Attack carriers]]
  
 
== Network printing protocols ==
 
== Network printing protocols ==
  
Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface through the network.
+
Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Fundamentals#Printer_Control_Languages|Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.
 +
 
 +
→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]
  
 
== Printer Control Languages ==
 
== Printer Control Languages ==
  
A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its metalanguage [[PML]] as introduced in the following.
+
A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].
 +
 
 +
→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]
  
 
== Page Description Languages ==
 
== Page Description Languages ==
Line 21: Line 29:
 
A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]].
 
A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]].
  
 +
→ ''Related articles:'' [[PCL]], [[PostScript]]
  
  
 
+
-----------
 
+
 
+
 
+
 
+
 
+
 
+
 
+
 
+
% specifies the actual document to be rendered | structure | layout
+
 
+
% and then to explicitly communicate to the printer device which language is going to be used.
+
% explicitly set the PDL first
+
 
+
 
+
 
+
 
+
 
+
 
+
% however it is embedded within a printing protocol.
+
% Therefore, PJL can also be refered to as a printer control languages.
+
% PJL is not limited to the current
+
% In comparison, a printer control and management languages affects not only a single job but the printer device as a whole.
+
 
+
 
+
%In this work the terms
+
%job control language and printer control lanuage can usually be used as synonyms as there is no
+
%It must be pointed job control languages  that there is no clear
+
 
+
%\textit{... many more\\
+
%... have interesting features like file system access\\
+
%... often proprietary, vendor-specific\\
+
%... might be worth a look}
+

Latest revision as of 12:20, 25 June 2017

Typical printers range from classical dot matrix to inkjet or laser printers used at home or in corporate environments. The printing hardware is not addressed in detail in this wiki as from a security perspective it seems less relevant [1]. This page aims to give an introduction to fundamental software printing technologies, including network printing protocols, printer control and page description languages.

High-level overview

Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below.


Encapsulation of printer languages


The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in IPP, PJL and PostScript. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.

Related articles: Attack carriers

Network printing protocols

Sending data to a printer device can be done by USB/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's NCP or AppleTalk. In the Windows world, SMB/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as FTP or HTTP file uploads. The most common printing protocols supported directly by network printers however are LPD, IPP, and raw port 9100 printing. Network printing protocols can be attacked directly, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a carrier/channel to deploy malicious Printer language code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.

Related articles: LPD, IPP, Raw, SMB

Printer Control Languages

A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are CPCA, XJCL, EJL and PJL – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was NPAP. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its PJL-based metalanguage PML.

Related articles: PJL, PML, SNMP, UEL

Page Description Languages

A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or GDI printers only accept simple bitmap datastreams like ZJS while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's PRESCRIBE, SPL, XES, CaPSL, RPCS, ESC/P which is mostly used in dot matrix printers or HP-GL and HP-GL/2 which have been designed for plotters. Support for direct PDF and XPS printing is also common on newer printers. The most common ‘standard’ page description languages however are PostScript and PCL.

Related articles: PCL, PostScript



  1. Even though some newspapers claimed hackers could set laser printers on fire by overheating them.