# Accounting bypass

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first.

## Introduction to print job accounting

There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like CUPS or LPRng – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. It is important to note that direct network access to the printer must be restricted, otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like FTP or the embedded web server which can often be abused to print as described in Network protocols.

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following we discuss both options for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

Security features of LPRng and CUPS
Printing system Protocol Encryption Authentication Page counter
LPRng LPD SSL/TLS Kerberos, PGP hardware
CUPS IPP SSL/TLS Kerberos, HTTP software

## Authentication bypasses

LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like Kerberos, PGP signed print jobs or HTTP basic/digest authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable.

## Page counter manipulation

### Hardware page counters

For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in [1]. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ [2]. Such hardware page counters are supported by most printers read by LPRng using PJL after every print job. HP has even documented a feature to write to the page counter variable [3]. By setting the printer into service mode as previously explained we were able to manipulate the page counter of the HP LaserJet 1200, HP LaserJet 4200N, HP LaserJet 4250N. At the end of the document to be printed and separated by the \acs{UEL}, the counter simply has to be reset to its original value (2342).

Resetting the page counter on HP LaserJets:

  \x1b%-12345X@PJL JOB
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ

Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to Factory defaults also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

### Software page counters

%CUPS create document containing more pages or higher density than analyzed by CUPS. Below we will briefly discuss how LPRng and CUPS try to solve the problem of accounting.

% PostScript has access read access to the page counter, however on none of the devices we were able to set this value.

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the PageCount system parameter exists before actually printing the document as shown below.

  currentsystemparams (PageCount) known {
<@\textit{[...] code which is only executed on a printer device [...]}@>
} if


This way, the accounting software used by CUPS renders a different document than the printer. In our tests, CUPS only accounted for one page – which seems to be a hardcoded minimum – while the real job can be hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter before it reaches the page counter.

% The CUPS method is XXX. This requires server-side user management which is hard to maintain or access to some kind of LDAP database which might be a security risk for itself. Therefore it seems many configurations simply trust the given username from the client-side print job input. In a quick test at the RUB data center and various computer pools, we could see that user identification was not configured with any authentication, allowing us to impersonate any user.\\

Manipulating hardware page counters with PJL or tricking software page counters with PostScript can be performed in all defined attacker models, however it deserves to be mentioned that only a local attacker (AM1) has an actual benefit of free hard copies.

also: can we overwrite the pagecounter operator?
1. Deußen, J., Counting Pages in Printer Data Streams, (2011), \url{http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf}.
2. Powell, P., Printer Accounting Reality Check, (1995), http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html.
3. HP Inc., HP LaserJet Family Quick Reference Service Guide, (1999), \url{https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf}.