New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

Related links

1. Pentest Tools For Android
2. Hacking Tools Usb
3. Best Pentesting Tools 2018
4. Hacker Tools Linux
5. Black Hat Hacker Tools
6. Black Hat Hacker Tools
7. Kik Hack Tools
8. Hacker
9. Pentest Tools Website
10. Hacker Techniques Tools And Incident Handling
11. Pentest Tools Online
12. Hack Tools 2019
13. Hacker Tools For Windows
14. Hacker Tools Linux
15. Physical Pentest Tools
16. Bluetooth Hacking Tools Kali
17. Hacker Techniques Tools And Incident Handling
18. World No 1 Hacker Software
19. Pentest Tools Bluekeep
20. Best Hacking Tools 2019
21. Pentest Tools Port Scanner
22. New Hacker Tools
23. Hacker Tools Apk
24. Pentest Tools Linux
25. Hacker Tools Mac
26. Hack Tools For Games
27. Hacking Tools Usb
28. Hacker Tools For Windows
29. Hacking Tools 2020
30. Hacking Tools And Software
31. Hacking Tools Usb
32. Pentest Tools Alternative
33. Hacking Tools Hardware
34. Hacking Tools For Windows Free Download
35. Hacker Tools Mac
36. Hack Tools For Mac
37. Hackers Toolbox
38. Hacker Tools For Mac
39. Pentest Tools Download
40. Pentest Tools For Ubuntu
41. Hacker Tools Windows
42. Pentest Automation Tools
43. Nsa Hack Tools Download
44. Hacking App
45. Underground Hacker Sites
46. Hacking Tools Online
47. Hack Apps
48. Tools 4 Hack
49. Github Hacking Tools
50. Nsa Hack Tools Download
51. Hack Tools For Mac
52. Hacker Tools Free Download
53. Pentest Tools Website
54. Pentest Tools Framework
55. Pentest Tools Find Subdomains
56. Hacker Tools Mac
57. Pentest Tools Online
58. Pentest Tools Linux
59. Pentest Tools List
60. Termux Hacking Tools 2019
61. Hacking Tools 2019
62. Best Pentesting Tools 2018
63. Pentest Tools Nmap
64. Wifi Hacker Tools For Windows
65. Pentest Tools Linux
66. Pentest Tools Github
67. Hacking Tools For Windows Free Download
68. Pentest Tools Alternative
69. Hacker Tools
70. How To Make Hacking Tools
71. New Hacker Tools
72. Hacking Tools Mac
73. Pentest Tools Github
74. Hackrf Tools
75. Hacker Tools For Mac
76. Hacker Tools Apk Download
77. Hacker Security Tools
78. Hacking Tools Usb
79. Pentest Tools Github
80. Hacker Tools For Mac
81. Termux Hacking Tools 2019
82. Hack Apps
83. Pentest Tools Github
84. Hacking Tools For Pc
85. Free Pentest Tools For Windows
86. How To Install Pentest Tools In Ubuntu
87. Hacking Tools For Mac
88. Hack Tool Apk No Root
89. Hacking Tools Pc
90. Hack Tools
91. Top Pentest Tools
92. Hack Tools For Ubuntu
93. Nsa Hacker Tools
94. Hacking Tools 2020
95. How To Hack
96. Android Hack Tools Github
97. Hack App
98. Hacking Tools For Pc
99. Pentest Tools Website
100. Pentest Tools Apk
101. Hacking Tools Windows 10
102. Pentest Tools Download
103. Hacking Tools Kit
104. Pentest Tools Windows
105. Hacks And Tools
106. Physical Pentest Tools
107. Hack Website Online Tool
108. Hacker Tools 2019
109. Hacker Tools For Mac
110. Hacker Tools Online
111. Pentest Tools Apk
112. Hacker Tools For Pc
113. Hacking Tools For Kali Linux
114. Pentest Tools Bluekeep
115. Termux Hacking Tools 2019
116. Hacks And Tools
117. Pentest Tools Find Subdomains
118. Pentest Tools Kali Linux
119. Pentest Tools Alternative
120. Game Hacking
121. Hack Tool Apk No Root
122. Hack Tools 2019
123. Tools For Hacker
124. Hacking Tools For Beginners
125. Game Hacking
126. Hacker Tools 2020
127. Pentest Tools Apk
128. Easy Hack Tools
129. Black Hat Hacker Tools
130. Hack Tools Pc
131. Tools Used For Hacking
132. Pentest Tools Website Vulnerability
133. Pentest Tools For Windows
134. Black Hat Hacker Tools
135. Hacking Tools Name
136. Hak5 Tools
137. Android Hack Tools Github
138. Hacker Tools Hardware
139. What Is Hacking Tools
140. Hacker Tools Free Download
141. New Hacker Tools
142. Hacker Tools Mac
143. Hacker Tools Hardware
144. Hacker Tools Github
145. Hacker Tools Free Download
146. Termux Hacking Tools 2019
147. Pentest Tools Bluekeep
148. Best Hacking Tools 2019
149. Best Hacking Tools 2019
150. Pentest Tools Bluekeep
151. Physical Pentest Tools
152. Hacker Search Tools
153. Hack Tools For Windows
154. Hack Apps
155. Pentest Tools Nmap
156. World No 1 Hacker Software
157. Pentest Tools Linux
158. Hackers Toolbox
159. Hacking Tools Hardware
160. Nsa Hack Tools
161. Pentest Tools List