New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

Related news

1. Pentest Tools Bluekeep
2. Hacker Security Tools
3. Pentest Tools For Android
4. Hacking Tools Usb
5. Hacker Tools For Ios
6. Nsa Hack Tools Download
7. Hacker
8. Hack And Tools
9. Hacker Security Tools
10. Hackrf Tools
11. Hacker Tools Hardware
12. Physical Pentest Tools
13. Hack Tools Github
14. Hack Tools For Games
15. Ethical Hacker Tools
16. Pentest Tools List
17. Hacking Tools For Kali Linux
18. Hacker Tools Software
19. New Hacker Tools
20. Hacking Tools Online
21. New Hacker Tools
22. Hacker Tools For Windows
23. Pentest Tools Review
24. Pentest Tools
25. What Is Hacking Tools
26. Pentest Tools Subdomain
27. Hacker Tools Mac
28. Hacking Tools Kit
29. Pentest Tools List
30. Physical Pentest Tools
31. Hack Tools For Windows
32. Hak5 Tools
33. Pentest Tools For Android
34. Hacking Apps
35. Pentest Reporting Tools
36. Hack Rom Tools
37. Tools For Hacker
38. Hack Apps
39. Free Pentest Tools For Windows
40. Hackrf Tools
41. Hacking Tools For Mac
42. Hacking Tools Usb
43. Install Pentest Tools Ubuntu
44. Hacking Tools
45. Hacker Tools Hardware
46. Hack Tools 2019
47. Hack Tools
48. Hack Tools For Games
49. Hacking Tools And Software
50. Free Pentest Tools For Windows
51. Computer Hacker
52. Hack Tools For Games
53. Hacking Tools Download
54. Hacker
55. Hacking Apps
56. Game Hacking
57. New Hack Tools
58. How To Install Pentest Tools In Ubuntu
59. Hack Tools For Games
60. Pentest Tools Find Subdomains
61. Hack Rom Tools
62. Hack Website Online Tool
63. Hack Tools Github
64. Install Pentest Tools Ubuntu
65. Computer Hacker
66. Hack Tools
67. Pentest Tools Subdomain
68. Pentest Tools Tcp Port Scanner
69. Hackrf Tools
70. Hack Tools
71. Kik Hack Tools
72. Hacking Tools Online
73. Pentest Tools Free
74. Hacking Tools For Mac
75. Hacking Tools For Mac
76. Easy Hack Tools
77. Pentest Tools For Mac
78. Hacker Tools Mac
79. Hacking Tools Pc
80. Hack Tools For Windows
81. Beginner Hacker Tools
82. Hack Tools Online
83. Hacking Tools Usb
84. Pentest Tools Port Scanner
85. Hack Tool Apk
86. Hack Tools For Pc
87. Pentest Tools Find Subdomains
88. Tools 4 Hack
89. Pentest Tools Free
90. New Hacker Tools
91. Pentest Tools Website Vulnerability
92. Best Hacking Tools 2019
93. Hacker Techniques Tools And Incident Handling
94. How To Make Hacking Tools
95. Wifi Hacker Tools For Windows
96. Bluetooth Hacking Tools Kali
97. Hacking Tools Windows 10
98. Hacker Tools List
99. Hack Tools 2019
100. Hacker Tools Hardware
101. Hack Tools Online
102. Android Hack Tools Github
103. Hackrf Tools
104. Hacker Tool Kit
105. Hacker Tools Windows
106. Pentest Automation Tools
107. What Are Hacking Tools
108. Kik Hack Tools
109. New Hack Tools
110. Wifi Hacker Tools For Windows
111. Hacker Tools Apk Download
112. What Is Hacking Tools
113. New Hacker Tools
114. Ethical Hacker Tools
115. Pentest Tools Download
116. Hacks And Tools
117. Hackers Toolbox
118. Best Pentesting Tools 2018
119. Hacking Tools Kit
120. Hack App
121. Hack Tools Pc
122. Hackrf Tools
123. Hacking Tools Mac
124. Pentest Tools Find Subdomains
125. Hacker Hardware Tools
126. Pentest Tools Windows
127. Ethical Hacker Tools
128. Hacker Tools Windows
129. Hacking Tools Kit
130. Termux Hacking Tools 2019
131. Easy Hack Tools
132. Best Hacking Tools 2019
133. Pentest Tools List
134. Pentest Tools Github
135. Pentest Tools Free
136. Hacking Tools For Mac
137. Hacker Security Tools
138. How To Install Pentest Tools In Ubuntu
139. Pentest Tools Nmap
140. Best Hacking Tools 2020
141. Hack Tool Apk
142. Hacker Tools 2020
143. Hacking Tools Mac
144. Hack Tools
145. Physical Pentest Tools
146. Pentest Tools Find Subdomains
147. Pentest Tools For Windows
148. Hack Tools Pc
149. Pentest Tools Website
150. Hackers Toolbox
151. Hacking Tools Windows
152. How To Install Pentest Tools In Ubuntu
153. Hacking Tools For Games
154. Tools Used For Hacking
155. Pentest Tools Port Scanner
156. Beginner Hacker Tools
157. Hacking Tools Windows
158. Pentest Tools Port Scanner
159. Pentest Tools For Windows
160. Hacker Tools Online
161. Hacker Search Tools
162. Hacking Tools Software
163. Hacker Tools For Ios
164. Hacker
165. Hacker Tools 2020
166. Hacking Tools And Software
167. Hacker Tools For Windows
168. Kik Hack Tools
169. Hacking Tools Online
170. Hacking Tools 2019