Commonly used office printers and multi-function devices can be exploited to leak information and execute code, presenting multiple attack vectors that are often overlooked, a security researcher has found.
Jens Müller from the Ruhr-Universität Bochum in Germany published multiple advisories on vulnerabilities that he had discovered as part of his Master's degree thesis on the security of printers.
The vulnerabilities stem from vendors not separating the page description languages used to generate output, such as PostScript and PJL/PCL, from printer control.
"Potentially harmful commands can be executed by anyone who has the right to print," Müller said.
Müller outlined multiple attacks on his Hacking Printers wiki, ranging from accessing print jobs to credentials disclosure and bypassing device security, and included proofs of concept.
HP LaserJet 1200, 4200N and 4250N as well as Dell 3130cn and Samsung MultiXpress 6345N have a vulnerable line printer daemon (LPD) service that cannot handle usernames with 150 or more characters.
Sending a long username to the LPD service on the above devices crashes the printer, requiring a manual restart to bring it back up. Müller said that with the correct shellcode and return address, the vulnerability could be used for remote code execution. More printers than the above are likely to be vulnerable, he said.
It is even possible to launch denial of service attacks against printers that support PJL, and permanently damage the non-volatile random access memory (NVRAM) that is used to persistently store settings for the devices, Müller found.
He tested the NVRAM destruction attack on printers from Brother, Konica Minolta, Lexmark, Dell and HP, and verified that they are vulnerable.
Printers can be attacked via networks or USB interfaces. Müller also described a more complex but feasible cross-site printing (XSP) attack using a specially crafted website to access printers.
Although they are not usually directly connected to and accessible from the internet, a Shodan.io scan found almost 36,000 printers around the world on public networks, including 500 in Australia and 58 in New Zealand.
Müller warned that, for instance, disgruntled employees could attack intranet printers to capture information such as department payrolls. Newer printers can also be accessed wirelessly through features such as Apple's AirPrint protocol for mobile apps.
Researchers have unearthed security risks in printers since the early 2000s, but Müller notes that vendors have painted themselves into a corner, as cutting support for established and reliable page description languages like PostScript would break compatibility with existing printer drivers.
Updating the language standards is not an option for the same reason, Müller said. Adding to the security woes, vendors include undocumented extensions, service codes, and proprietary features that can be reverse engineered and exploited.
Müller suggested vendors instead focus on open standards, and avoid hidden functions in a misguided security through obscurity effort.
Administrators should ensure that printers are never internet accessible, and if not required, disable network printing over TCP port 9100.
Müller also recommended sandboxing printers on separate network segments so that they're only accessible via a hardened and secure dedicated server, along with strong passwords for the PostScript startjob command and system parameters, and blocking malicious PJL commands via an intrusion detection system.
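The two defensive checks described above, the oversized LPD username that crashes the affected daemons and the filtering of PJL commands before they reach a printer, can both be implemented on the dedicated print server or inspection point that sits in front of the printers. The following Python script is an added example written for this article; it is not code from Müller's wiki or the PRET toolkit. It parses an RFC 1179 LPD control file and flags a user identification ('P') line of 150 or more characters (the threshold the article gives), and it inspects a raw print job for PJL commands outside a small allow-list. The allow-list itself (only `ENTER`, `JOB`, `EOJ`, `COMMENT`) is an assumption made for this example: which commands a site considers legitimate is a local policy decision. All sample jobs and control files are constructed inline.

```python
"""Inspection helpers for LPD control files and PJL-wrapped print jobs.

Added example for the article above; not part of PRET or the Hacking Printers wiki.
"""
from __future__ import annotations

import re

# Threshold stated in the article: usernames of 150 or more characters crash
# the LPD daemons of the affected printers.
LPD_USERNAME_LIMIT = 150

# PJL commands a normal print job needs. This allow-list is an assumption made
# for the example; DEFAULT (persists settings), FS* (file system access) and
# similar commands are deliberately not on it.
PJL_ALLOWED = {"ENTER", "JOB", "EOJ", "COMMENT"}

# Universal Exit Language sequence that precedes PJL on a raw (port 9100) stream.
UEL = "\x1b%-12345X"
PJL_RE = re.compile(r"^@PJL(?:\s+(?P<cmd>[A-Z]+))?")

# --- constructed samples (not captured from any real device) ---------------
# RFC 1179 control file: each line is a one-letter command followed by its argument.
LPD_CONTROL_OK = "Hworkstation-12\nPalice\nJquarterly-report.pdf\nfdfA042workstation-12\n"
LPD_CONTROL_LONG_USER = "Hworkstation-12\nP" + "A" * 200 + "\nJx\n"

PJL_JOB_OK = (
    b'\x1b%-12345X@PJL\r\n'
    b'@PJL JOB NAME="quarterly-report"\r\n'
    b'@PJL ENTER LANGUAGE=POSTSCRIPT\r\n'
    b'%!PS-Adobe-3.0\r\n'
    b'/Helvetica findfont 12 scalefont setfont\r\n'
    b'showpage\r\n'
    b'\x1b%-12345X@PJL EOJ\r\n'
    b'\x1b%-12345X'
)
PJL_JOB_SUSPICIOUS = (
    b'\x1b%-12345X@PJL\r\n'
    b'@PJL DEFAULT COPIES=1\r\n'
    b'@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535\r\n'
    b'@PJL EOJ\r\n'
)


def check_lpd_control_file(control_file: str, limit: int = LPD_USERNAME_LIMIT) -> list[str]:
    """Return findings for an LPD control file; 'P' lines carry the username."""
    findings: list[str] = []
    for lineno, line in enumerate(control_file.splitlines(), 1):
        if not line:
            continue
        cmd, arg = line[0], line[1:]
        if cmd == "P" and len(arg) >= limit:
            findings.append(f"line {lineno}: LPD username of {len(arg)} chars (>= {limit})")
    return findings


def check_pjl_stream(job: bytes) -> list[str]:
    """Return one finding per PJL command in the job that is not on the allow-list."""
    findings: list[str] = []
    for raw in job.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace").replace(UEL, "")
        m = PJL_RE.match(line)
        if not m:
            continue                      # PostScript/PCL payload or plain text, not PJL
        cmd = m.group("cmd") or ""        # a bare "@PJL" line is a no-op
        if cmd and cmd not in PJL_ALLOWED:
            findings.append(f"PJL command not on allow-list: {line.strip()}")
    return findings


if __name__ == "__main__":
    for name, ctl in (("ok control file", LPD_CONTROL_OK), ("long username", LPD_CONTROL_LONG_USER)):
        print(name, "->", check_lpd_control_file(ctl) or "clean")
    for name, job in (("ok job", PJL_JOB_OK), ("suspicious job", PJL_JOB_SUSPICIOUS)):
        print(name, "->", check_pjl_stream(job) or "clean")
```

On a print server this would run over each spooled job before it is forwarded on TCP port 9100 or 515; a finding from either function is a reason to hold the job and alert rather than forward it. The PJL check is an allow-list on purpose: the set of harmless commands is small and stable, whereas the set of commands a vendor's undocumented extensions might add is not.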
To assist in finding vulnerable printers, Müller has published the printer exploitation toolkit (PRET) on GitHub.