New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

More info

1. Hacker Tools For Ios
2. Pentest Tools Free
3. Hacking Tools Free Download
4. Hacking Tools Github
5. Pentest Tools For Windows
6. Pentest Tools Free
7. Hacker Tools 2020
8. Hacking Tools Kit
9. Hacking Tools Kit
10. Pentest Reporting Tools
11. Pentest Tools Open Source
12. Hack Tools Mac
13. Hacker Tools Free Download
14. Kik Hack Tools
15. Hacker Tools Free Download
16. Pentest Tools Review
17. Hack Tools For Mac
18. Hacking App
19. Hacking Tools For Beginners
20. Pentest Tools Website
21. Pentest Tools Download
22. Bluetooth Hacking Tools Kali
23. Hacker Tools Online
24. Tools Used For Hacking
25. Kik Hack Tools
26. Hack Tools Download
27. Hacking Tools For Games
28. Pentest Tools Apk
29. Hacker Security Tools
30. Android Hack Tools Github
31. Hack Tools Online
32. Hack Tool Apk
33. Hacking Tools Windows
34. Hackers Toolbox
35. Pentest Tools For Ubuntu
36. Hacker Tools Hardware
37. Hacking Tools For Pc
38. Beginner Hacker Tools
39. How To Hack
40. Pentest Tools Tcp Port Scanner
41. What Are Hacking Tools
42. Pentest Tools Free
43. Hacking Tools Github
44. Game Hacking
45. Hack App
46. Beginner Hacker Tools
47. Github Hacking Tools
48. Hacking Tools Windows
49. Hacking Tools Download
50. Hacker Tools Linux
51. Hacking Tools Windows
52. Nsa Hack Tools
53. Hacker Tools Free Download
54. Hacking Tools 2019
55. Hacker Tools 2020
56. Nsa Hack Tools
57. Physical Pentest Tools
58. Pentest Tools Bluekeep
59. Pentest Tools Windows
60. Pentest Tools Online
61. Hacking Tools Windows
62. Game Hacking
63. Nsa Hack Tools Download
64. How To Hack
65. Best Hacking Tools 2020
66. Hacking Tools For Pc
67. Computer Hacker
68. Pentest Box Tools Download
69. Pentest Tools Tcp Port Scanner
70. Nsa Hack Tools Download
71. Hacking Tools For Beginners
72. What Are Hacking Tools
73. Pentest Tools Windows
74. Pentest Tools Url Fuzzer
75. Hack Tools Github
76. Hacking Tools Online
77. Hacker Security Tools
78. Pentest Tools Online
79. Hacking Tools Name
80. Hacking Tools For Windows 7
81. Hacking Tools For Beginners
82. Hacking Tools Kit
83. Pentest Tools Review
84. Pentest Recon Tools
85. Hacker Techniques Tools And Incident Handling
86. Pentest Tools Open Source