Some thoughts on network printer security
Network printers use a wide range of protocols and firmware, which differ from vendor to vendor and model to model.
Obviously, any firmware (or protocol) could be vulnerable and exploitable, but could a printer be an attack vector?
Why would I even want to target a printer in the first place?
Why not just target desktop or server environments with malware as usual?
Well, in some cases exploiting a printer is simpler: printers use GNU/Linux-based embedded operating systems, which in many cases are not patched against recent vulnerabilities.
Furthermore, sysadmins often pay less attention to the security of this kind of device, because printers are not usually seen as real systems with exploitable vulnerabilities.
Below are some fundamentals (courtesy of hacking-printers.net):
Firmware
Printers use various operating systems for embedded devices.
Some examples:
- Generic slimmed down GNU/Linux
- WindRiver Linux
- VxWorks
- ThreadX
Network printing protocols
The most common printing protocols supported directly by network printers are LPD and IPP.
Some devices support printing over generic protocols such as FTP or HTTP file uploads as well.
LPD
LPD is short for ‘Line Printer Daemon’ protocol.
It runs on port 515/TCP and can be accessed by using ‘lpr’ over the CLI.
In order to start a print, the client sends a control file defining job/username and a data file containing the actual data to be printed.
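The control file described above, as an added example (not code from hacking-printers.net or PRET): a Python sketch that parses an RFC 1179 control file taken from a print server's spool and flags jobs whose claimed host differs from the peer the server actually saw. LPD does not authenticate the job or user name, so these fields are only what the client asserted; the function names, sample bytes and host names are constructed for illustration.

```python
# Added example: parse an LPD (RFC 1179) control file for print auditing.
# Function names, sample bytes and host names are constructed for illustration.

# Upper-case command letters carry job metadata supplied by the client.
FIELDS = {"H": "host", "P": "user", "J": "job_name", "N": "source_name",
          "C": "class", "L": "banner_user", "M": "mail_to", "T": "title"}
# Lower-case command letters name a data file and how it should be printed.
PRINT_FORMATS = {"f": "formatted text", "l": "raw (control chars kept)",
                 "o": "PostScript", "p": "pr-formatted text"}


def parse_control_file(raw: bytes) -> dict:
    """Split a control file into metadata, data files and unlink requests."""
    job = {"data_files": [], "unlink": [], "other": []}
    for line in raw.decode("latin-1").split("\n"):
        if not line:
            continue
        cmd, operand = line[0], line[1:]
        if cmd in FIELDS:
            job[FIELDS[cmd]] = operand
        elif cmd in PRINT_FORMATS:
            job["data_files"].append((operand, PRINT_FORMATS[cmd]))
        elif cmd == "U":  # delete this data file after printing
            job["unlink"].append(operand)
        else:  # commands this sketch does not interpret
            job["other"].append(line)
    return job


def audit(job: dict, peer_host: str) -> list:
    """Return findings for one job; peer_host is what the server observed."""
    findings = []
    for required in ("host", "user"):  # H and P lines are mandatory
        if not job.get(required):
            findings.append(f"missing mandatory {required} line")
    # The H and P values are asserted by the client, never authenticated.
    if job.get("host") and job["host"].lower() != peer_host.lower():
        findings.append(f"claimed host {job['host']!r} != peer {peer_host!r}")
    return findings


# Constructed sample control file, as it would sit in a spool directory.
SAMPLE = (b"Hws-042.example\nProot\nJquarterly-report.pdf\n"
          b"ldfA123ws-042.example\nUdfA123ws-042.example\n"
          b"Nquarterly-report.pdf\n")

if __name__ == "__main__":
    job = parse_control_file(SAMPLE)
    print(job["user"], job["data_files"], audit(job, "kiosk-7.example"))
```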
IPP
IPP is a protocol based on HTTP, so it inherits all existing security features like basic authentication and SSL/TLS encryption.
For example, CUPS, which is a default printing system in many Linux distributions and OS X, is an IPP implementation.
SMB
Server Message Block is an application-layer network protocol, which handles file and printer sharing, used by default on Windows.
Port 9100
Also known as ‘raw printing’, this is the default method used by CUPS and the Windows printing architecture: all data sent is processed directly by the printing device, just like a parallel connection over TCP.
Printer Control Languages
Printer control and management languages are designed to control not only a single print job but the device as a whole.
SNMP
Simple Network Management Protocol listens on 161/UDP and was originally designed to manage network components.
PJL
Printer Job Language can be used to manipulate general settings.
There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones.
PDL
A Page Description Language basically specifies what the actual document will look like.
PostScript (PS)
PostScript is a well-known language made by Adobe and is widely used as a PDL.
PS is capable of far more than just defining the appearance of the document and handling vector graphics though.
How can I check if my printer is secure?
Jens Mueller, in the scope of his Master's Thesis at Ruhr University Bochum, has developed a Python tool for printer security testing, named PRET:
It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device.
Here is the full paper:
http://nds.rub.de/media/ei/arbeiten/2017/01/13/exploiting-printers.pdf
Installation
First, install third party modules needed for colored output and SNMP support:
# pip install colorama pysnmp
Then, for experimental, ‘driverless’ printing you need to install ImageMagick and GhostScript:
# apt-get install imagemagick ghostscript
Finally, clone the git repository:
$ git clone https://github.com/RUB-NDS/PRET.git
Usage
usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
  target                printer device or hostname
  {ps,pjl,pcl}          printing language to abuse
optional arguments:
  -h, --help            show this help message and exit
  -s, --safe            verify if language is supported
  -q, --quiet           suppress warnings and chit-chat
  -d, --debug           enter debug mode (show traffic)
  -i file, --load file  load and run commands from file
  -o file, --log file   log raw data sent to the target
Example usage:
$ ./pret.py laserjet.lan ps
$ ./pret.py /dev/usb/lp0 pjl
References
- http://hacking-printers.net/wiki/index.php/Main_Page
- http://nds.rub.de/media/ei/arbeiten/2017/01/13/exploiting-printers.pdf
- https://github.com/RUB-NDS/PRET