New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

Related posts

1. Hack Tools 2019
2. Easy Hack Tools
3. Best Hacking Tools 2020
4. Pentest Reporting Tools
5. Best Hacking Tools 2020
6. Pentest Tools For Mac
7. Nsa Hacker Tools
8. Hacking Tools Pc
9. Hacker Hardware Tools
10. Pentest Tools Find Subdomains
11. Tools Used For Hacking
12. Pentest Tools Url Fuzzer
13. Physical Pentest Tools
14. Hacking Tools For Beginners
15. Hack Website Online Tool
16. Pentest Tools Find Subdomains
17. Pentest Tools Windows
18. Hack Tool Apk No Root
19. Hacking Tools For Games
20. Hack Tools Online
21. Install Pentest Tools Ubuntu
22. How To Hack
23. Pentest Tools Alternative
24. Hack Tools For Games
25. Hack Tools For Mac
26. Hacking Tools Kit
27. Hack Tools For Pc
28. Hacking Tools
29. Hacks And Tools
30. Top Pentest Tools
31. Best Hacking Tools 2019
32. Hacking Tools For Beginners
33. New Hacker Tools
34. Hackrf Tools
35. Pentest Tools Linux
36. World No 1 Hacker Software
37. Hacker Tools
38. Tools For Hacker
39. Pentest Tools Windows
40. Hacker Tools For Ios
41. Ethical Hacker Tools
42. Physical Pentest Tools
43. Pentest Tools
44. How To Hack
45. Pentest Tools Kali Linux
46. Hack Tools
47. Hack Rom Tools
48. Tools Used For Hacking
49. Bluetooth Hacking Tools Kali
50. Growth Hacker Tools
51. Hack Tool Apk No Root
52. Hack App
53. Ethical Hacker Tools
54. Bluetooth Hacking Tools Kali
55. Hacker Tools List
56. Hacking Tools For Beginners
57. Hak5 Tools
58. Hacking Tools Hardware
59. New Hacker Tools
60. Hacking Tools And Software
61. Tools 4 Hack
62. Pentest Tools For Mac
63. Wifi Hacker Tools For Windows
64. What Are Hacking Tools
65. Hack Rom Tools
66. Wifi Hacker Tools For Windows
67. Hacking Tools For Pc
68. Hacking Tools And Software
69. Hacking Tools Pc
70. Tools For Hacker
71. Hack Tools For Mac
72. Free Pentest Tools For Windows
73. Pentest Recon Tools
74. Hack App
75. Nsa Hack Tools
76. Pentest Tools For Windows
77. Bluetooth Hacking Tools Kali
78. Hack Tools Online
79. Easy Hack Tools
80. Hacker Tools Windows
81. Hacker Tools For Mac
82. Android Hack Tools Github
83. Hacking Tools For Windows Free Download
84. Usb Pentest Tools
85. Pentest Tools Website Vulnerability
86. Hacker Tools For Mac
87. Hacker Tools Github
88. Best Hacking Tools 2020
89. Hacking Tools For Mac
90. Hack Tools Pc
91. Pentest Tools Apk
92. Pentest Box Tools Download
93. How To Make Hacking Tools
94. Tools For Hacker
95. Hacking Tools For Kali Linux
96. Pentest Box Tools Download
97. Hacking Tools For Kali Linux
98. Nsa Hacker Tools
99. New Hack Tools
100. Termux Hacking Tools 2019
101. Hacking Tools Mac
102. Pentest Tools For Windows
103. Hacker Tools Linux
104. Pentest Tools Windows
105. Top Pentest Tools
106. Hacker Tools Mac
107. Hak5 Tools
108. Hacker Tools Mac
109. Ethical Hacker Tools
110. Free Pentest Tools For Windows
111. Pentest Tools List
112. Hacker Tools List
113. Hacker Tools Apk Download
114. Hacking Tools For Pc
115. Hacker Tools
116. Pentest Tools For Windows
117. Beginner Hacker Tools
118. Pentest Tools Framework
119. Pentest Tools Download
120. Hack Tools For Windows
121. Hacker Tools Apk
122. Pentest Tools
123. Pentest Tools Url Fuzzer
124. Hack Tools Download
125. Hacking Tools For Kali Linux
126. Hacking Tools For Pc
127. Hacking Tools For Pc
128. Hacking Tools Online
129. Hacker Tools For Pc
130. Pentest Tools For Android
131. Hack Tools Mac
132. Pentest Tools Bluekeep
133. What Are Hacking Tools
134. Hack Tools Mac
135. Hack Tools 2019
136. Kik Hack Tools
137. Hacking Tools Usb
138. Hack Tool Apk
139. Hacker Tools For Windows
140. Hacking Tools For Games
141. Bluetooth Hacking Tools Kali
142. Hacker Tools List
143. Hacker Tools Mac
144. Top Pentest Tools
145. Best Pentesting Tools 2018
146. New Hack Tools
147. Hacker Tools Github
148. Hacker Security Tools
149. Hacking Tools Usb
150. Hacker Tools Mac
151. Pentest Tools Apk