PML

From Hacking Printers
Revision as of 18:10, 8 January 2017 by Admin (Talk | contribs) (Created page with "'''TBD: This article needs further explanation''' The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features o...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

TBD: This article needs further explanation

The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of SNMP with PJL. Publicly available documentation has not been released, however parts of the standard were leaked by the LPRng project: the PJL Passthrough to PML and SNMP User’s Guide defines defines PML as ‘an object-oriented request-reply printer management protocol’ [1] and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp), but an attacker is still able to print using one of the various techniques discussed in deployment channels. The use of PML within a print job retrieving the hrDeviceDescr value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:

 > @PJL DMINFO ASCIIHEX="000006030302010301"
 < "8000000603030201030114106870204c617365724a65742034323530

The rear part of string responded by the printer, 6870204c617365724a65742034323530 is hexdecimal for hp LaserJet 4250 – equivalent to the snmpget example. As one can see, with PML it is possible to invoke (a subset of) SNMP commands over PJL. One security-sensitve use of PML is to to reset HP printers to factory defaults via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.

Related aricles: SNMP, Factory defaults



  1. PJL Passthrough to PML and SNMP User's Guide, HP Inc., 2000, p. 11