Time to retire the printer?
Time to retire the printer?

HP, Lexmark and Dell printers could be hacked thanks to a 32-year-old flaw that allows an attacker to access and manipulate documents, steal passwords and shut down printers.

According to researchers at Ruhr University, around 20 models of printers are affected and these flaws are linked to common printing languages, such as PostScript and PJL.

“This vulnerability has presumably been present in every PostScript printer since 32 years as solely legitimate PostScript language constructs are abused,” said Jens Muller in an advisory.

“The attack can be performed by anyone who can print, for example through USB or network. It can even be carried out by a malicious website, using advanced cross-site printing techniques in combination with a novel technique we call `CORS spoofing'.”

The university researchers developed a tool called the Printer Exploitation Toolkit (PRET), which can be used to connect to a printer via USB or the network and exploit flaws in Postscript and PJL.

“This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device,” said the researchers on a Github page devoted to the tool.

Muller outlined a variety of attacks on a Wiki page devoted to the issue, called “Hacking Printers”. These range from accessing print jobs to credentials disclosure and bypassing device security. The page also includes several proofs of concept.

"This way an attacker can escalate her way into a network, using the printer device as a starting point," said the researchers in the blog post. Some printers "have not limited this feature to a certain directory, which leads to the disclosure of sensitive information like passwords.”

The researchers said the flaw is easy to exploit but still hasn't been fixed.

Some printers, such as HP LaserJet 1200, 4200N and 4250N as well as Dell 3130cn and Samsung Multipress 6345N, have an exploitable line printer daemon (LPD) service that cannot handle usernames with 150 or more characters.

Sending a username to this service that exceeds the character limit crashes the printer, requiring a manual restart. With the right shell code and return address, the flaw can be used by attackers to execute remote code. It is even possible to launch DDoS attacks against printers that support PJL.

Muller added on the Wiki page that printer vendors have “gotten themselves into a situation that is not easy to solve”.

“Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers, and updating the PostScript standard is probably not an option,” he said.

He said that network administrators should never leave their printers accessible from the Internet and disable raw port 9100/tcp printing if not required.

“While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attackers' ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate VLAN, only accessible by a hardened print server,” he said.

Muller added that employees should be trained to never leave the copy room unlocked and report suspicious printouts like HTTP headers to the administrator as they may be traces of a cross-site printing attack. “All other dispensable hard copies should be shredded, even if they apparently do not contain confidential data,” he said.

Deral Heiland, research lead at Rapid7, told SC Media UK that the research is yet another fascinating example of the risk and vulnerabilities facing everyone who uses multifunction printers (MFP).

“This reminds us that MFP security must be taken seriously; avoiding exposing your MFP directly to the Internet is crucial. Only allow access to print services (ie tcp 515, 531,9100) and management services (http (80), https (443)) to those that need it. This can be accomplished by placing all MFPs on separated, managed VLANs. Also avoid printing postscript based print jobs which you do not know the origin of and finally, do not forget to change all default passwords on your MFP devices,” he said.