Thursday, 27 August 2020

New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printer models were quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years, and one may ask whether new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient de facto standards, still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a brand-new, high-end printer: the $2,799 HP PageWide Color Flow MFP 586. Like its various predecessors, the device was vulnerable to the following attacks:
  • Capture print jobs of other users if they used PostScript as a printer driver; this is done by first infecting the device with PostScript code
  • Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
  • List, read from and write to files on the printer's file system with PostScript as well as PJL functions; limited to certain directories
  • Recover passwords for PostScript and PJL credentials; this is not an attack per se, but the implementation makes brute-force rather easy
  • Launch denial-of-service attacks of various kinds:

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:
Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos-based user authentication. The permission to print, and therefore to attack the device, can be limited to certain employees if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript- and PJL-based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers, however, are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. Probably no one thought about taking over a printer from the web (actually, the WWW did not even exist when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf"-like scenarios can get very real in your office…
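One possible workaround of the kind called for above is to inspect jobs on the print server before they reach the device. The following is an added example, not code from the original post or from PRET: it flags jobs that carry PJL file system commands or PostScript operators that outlive the job or touch files. The operator lists, function names and sample jobs are assumptions chosen for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language marker that frames PJL sections
# PJL file system commands; an ordinary print driver has no reason to send them.
PJL_FS = {"FSDIRLIST", "FSQUERY", "FSUPLOAD", "FSDOWNLOAD",
          "FSAPPEND", "FSDELETE", "FSMKDIR", "FSINIT"}
# PostScript operators that leave job encapsulation or reach the file system.
PS_RISKY = {"exitserver", "startjob", "file", "deletefile",
            "renamefile", "filenameforall", "setsystemparams"}

def ps_names(code: bytes) -> list:
    """Return PostScript tokens, blanking out (string) bodies and % comments."""
    out, depth, comment, esc = [], 0, False, False
    for ch in code.decode("latin-1"):
        keep = " "
        if comment:
            comment = ch not in "\r\n"
        elif depth:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            else:
                depth += (ch == "(") - (ch == ")")
        elif ch == "(":
            depth = 1
        elif ch == "%":
            comment = True
        else:
            keep = ch
        out.append(keep)
    return re.findall(r"[^\s()<>\[\]{}/]+", "".join(out))

def inspect_job(job: bytes) -> list:
    """Return findings for one spooled job; an empty list means nothing flagged."""
    findings, ps = [], []
    for line in job.replace(UEL, b"\n").splitlines():
        m = re.match(rb"\s*@PJL\s+(\w+)", line, re.I)
        if m and m.group(1).decode().upper() in PJL_FS:
            findings.append("PJL " + m.group(1).decode().upper())
        elif not m:
            ps.append(line)  # everything outside PJL is treated as PostScript
    hits = sorted(set(ps_names(b"\n".join(ps))) & PS_RISKY)
    return findings + ["PostScript " + h for h in hits]

# Constructed sample jobs (not captured traffic).
BENIGN = (UEL + b'@PJL JOB NAME="report"\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n'
          b"%!PS\r\n72 720 moveto (Please file this) show % no exitserver here\r\n"
          b"showpage\r\n" + UEL + b"@PJL EOJ\r\n" + UEL)
FLAGGED = (UEL + b'@PJL FSQUERY NAME="PLACEHOLDER"\r\n'
           b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\r\n0 exitserver\r\nshowpage\r\n" + UEL)
```

Because string bodies and comments are blanked before matching, ordinary document text that happens to contain words such as "file" is not flagged. A filter like this complements, rather than replaces, restricting who may print.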
