TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET
The highlights of the entire survey will be presented by Jens Müller for the first time at RuhrSec in Bochum.
There are many cool protocols and languages you can use to control your printer or your print jobs. We assume you have never heard of at least half of them. An overview is depicted in the following figure and described below.
Printing channel
The most common network printing protocols supported by printer devices are the Internet Printing Protocol (IPP), Line Printer Daemon (LPD), Server Message Block (SMB), and raw port 9100 printing. Each protocol has specific features like print job queue management or accounting. In our work, we used these protocols to transport malicious documents to the printers.
Job control language
Page description language
Other attacks include:
- Offline mode. The PJL standard defines the OPMSG command which ‘prompts the printer to display a specified message and go offline’.
- Physical damage. By continuously setting the long-term values for PJL variables, it is possible to physically destroy the printer's NVRAM which only survives a limited number of write cycles.
- Showpage redefinition. The PostScript ‘showpage’ operator is used in every document to print the page. An attacker can simply redefine this operator to do nothing.
However, a factory reset can also be performed by a remote attacker, for example using SNMP if the device complies with RFC1759 (Printer MIB):
Other languages like HP's PML, Kyocera's PRESCRIBE or even PostScript offer similar functionalities.
Furthermore, our work shows techniques to bypass print job accounting on popular print servers like CUPS or LPRng.
Print Job Manipulation
Our prototype implementation simply increments this value to dump the whole NVRAM, which contains passwords not only for the printer itself but also for user-defined POP3/SMTP, FTP and Active Directory profiles. This way an attacker can escalate her way into a network, using the printer device as a starting point.
Other attacks include:
- File system access. Both the PostScript and PJL standards specify functionality to access the printer's file system. Apparently, some manufacturers have not restricted this feature to a certain directory, which leads to the disclosure of sensitive information like passwords.
- Print job capture. If PostScript is used as a printer driver, printed documents can be captured. This is made possible by two interesting features of the PostScript language: first, permanently redefining operators allows an attacker to ‘hook’ into other users' print jobs, and second, PostScript's capability to read its own code as data makes it easy to store documents instead of executing them.
- Credential disclosure. PJL passwords, if set, can easily be retrieved through brute-force attacks due to their limited key space (1..65535). PostScript passwords, on the other hand, can be cracked extremely fast (up to 100,000 password verifications per second) thanks to the performant PostScript interpreters.
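Most of the attacks listed in both lists above arrive as ordinary print job data, so a print server or network sensor in front of port 9100 can flag them before they reach the device. The following scanner is an added example (it is not part of PRET or the paper): its regex rules and the two sample jobs are constructed for illustration, and the verdict thresholds are an assumption.

```python
import re

# Heuristic rules for the constructs described in the post (added illustration,
# not PRET code). Each entry: (compiled regex over raw job bytes, finding label).
PJL_RULES = [
    (re.compile(rb"@PJL\s+OPMSG\b", re.I),
     "PJL OPMSG: device asked to display a message and go offline"),
    (re.compile(rb"@PJL\s+DEFAULT\b", re.I),
     "PJL DEFAULT: long-term (NVRAM) variable write"),
    (re.compile(rb"@PJL\s+FS(UPLOAD|DOWNLOAD|DELETE|DIRLIST|QUERY|INIT|MKDIR)\b", re.I),
     "PJL file system command"),
]
PS_RULES = [
    (re.compile(rb"/showpage\s*\{\s*\}\s*(?:bind\s+)?def"),
     "PostScript showpage redefined to a no-op"),
    (re.compile(rb"\b(?:deletefile|renamefile|filenameforall)\b"),
     "PostScript file system operator"),
    (re.compile(rb"\b(?:exitserver|startjob)\b"),
     "PostScript exitserver/startjob: definitions outlive this job"),
]

def scan_print_job(job: bytes) -> list[str]:
    """Return the findings for one raw port 9100 job payload."""
    # PJL rules apply to every job; PostScript rules only when the job
    # contains PostScript (a %! header or an ENTER LANGUAGE=POSTSCRIPT switch).
    is_ps = b"%!" in job or re.search(rb"ENTER\s+LANGUAGE\s*=\s*POSTSCRIPT", job, re.I)
    rules = PJL_RULES + (PS_RULES if is_ps else [])
    return [label for pattern, label in rules if pattern.search(job)]

def verdict(job: bytes) -> str:
    """'allow' without findings, 'quarantine' for NVRAM writes or persistent
    PostScript changes, 'review' for anything else that matched."""
    findings = scan_print_job(job)
    if not findings:
        return "allow"
    if any("NVRAM" in f or "outlive" in f for f in findings):
        return "quarantine"
    return "review"

# Constructed sample jobs, not real captures. UEL is the PJL universal exit language sequence.
UEL = b"\x1b%-12345X"
BENIGN_JOB = (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (quarterly report) show\nshowpage\n" + UEL)
HOSTILE_JOB = (UEL + b"@PJL OPMSG DISPLAY=\"out of paper\"\r\n@PJL DEFAULT COPIES=1\r\n"
               b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\nserverdict begin 0 exitserver\n/showpage {} def\n" + UEL)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("hostile", HOSTILE_JOB)):
        print(name, verdict(job), scan_print_job(job))
```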
It then collects the printer's output and translates it into a user-friendly form.
However, this was not our case. To overcome the financial obstacles, we collected printers from various university chairs and facilities. While our actual goal was to assemble a pool of printers containing at least one model for each of the top ten manufacturers, we practically took what we could get. The result is depicted in the following figure:
A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at http://hacking-printers.net/xsp/.
Our next post will be on adapting PostScript based attacks to websites.
Authors of this Post: Jens Müller