
Hacking printers exploiting Cross-site printing (XSP) attacks

A group of researchers from the University Alliance Ruhr has found a cross-site printing bug in the old PostScript language.

Popular printer models manufactured by Dell, Brother, Konica, Samsung, HP, and Lexmark are affected by security vulnerabilities that could be exploited by hackers to steal passwords, steal information from the print jobs, and shut down the devices.

The discovery was made by researchers at the University Alliance Ruhr who published a series of advisories and a wiki regarding their research.

20 printer models are affected by flaws related to common printing languages, PostScript and PJL, used in most laser printers. The flaws are not a novelty; according to the experts, they have existed for decades.

“In the scope of academic research on printer security, various vulnerabilities in network printers and MFPs have been discovered.” reads advisory 2 of 6 of the 'Hacking Printers' series. “This post is about accessing a printer's file system through ordinary PostScript or PJL based print jobs — since decades a documented feature of both languages. The attack can be performed by anyone who can print, for example through USB or network. It can even be carried out by a malicious website, using advanced cross-site printing techniques in combination with a novel technique we call 'CORS spoofing' (see http://hacking-printers.net/wiki/index.php/Cross-site_printing)”

The researchers published a Python-based proof-of-concept application called Printer Exploitation Toolkit (PRET) that could be used to simplify PostScript and PJL based file system access on printers.

The tool connects to a printer via network or USB and could be used to exploit the security flaws discovered by the researchers in the printer’s PostScript or PJL language.

“This (tool) allows stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device,” states a PRET description published on GitHub.

The researchers published six distinct advisories reporting multiple issues, including buffer overflow, password disclosure, and print job capture vulnerabilities.

Among the attacks, there is a technique that could allow attackers to access a printer’s file system. The method exploits the Cross-Origin Resource Sharing (CORS) mechanism that allows a third-party domain to read web page data such as fonts when printing.

The combination of CORS spoofing and Cross-Site Printing (XSP) can be exploited by attackers to access a printer via a web-based attack using “a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim’s internal network.”

“Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim’s internal network. The HTTP header is either printed as plain text or discarded based on the printer’s settings. The POST data however can contain arbitrary print jobs like PostScript or PJL commands to be interpreted.” reads the Wiki.

According to the researchers, it is possible to send data back to the browser from the printer by manipulating the PostScript output commands.

“By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS Access-Control-Allow-Origin fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy.” continues the Wiki.
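From the defender's side, both halves of the technique quoted above leave a recognizable shape on port 9100/tcp: an HTTP request arriving at a raw print port, and an HTTP-style reply carrying a CORS header leaving it. The Python below is an added example, not code from the researchers or from PRET; the function names and the sample byte strings are constructed for illustration, and it assumes you already have the reassembled payload of each direction of a captured 9100/tcp connection.

```python
import re

# An HTTP request line at the very start of a raw-port (9100/tcp) stream.
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|OPTIONS|HEAD) \S+ HTTP/1\.[01]\r?\n")
# An HTTP status line at the start of data sent back by the printer.
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] \d{3}")
# Markers of the printer languages named in the article (PostScript, PJL, UEL).
PRINT_LANG = re.compile(rb"(%!PS|@PJL|\x1b%-12345X)")


def parse_headers(data: bytes) -> tuple[dict, bytes]:
    """Split an HTTP-looking blob into lower-cased headers and the body."""
    head, _, body = data.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip request/status line
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return headers, body


def classify_stream(to_printer: bytes, from_printer: bytes = b"") -> list[str]:
    """Return findings for one captured connection to a printer's raw port."""
    findings = []
    if HTTP_REQUEST.match(to_printer):
        headers, body = parse_headers(to_printer)
        findings.append("http-request-on-raw-port")
        if "origin" in headers or "referer" in headers:
            source = headers.get("origin", headers.get("referer"))
            findings.append("browser-originated:" + source)
        if PRINT_LANG.search(body):
            findings.append("print-language-in-http-body")
    if HTTP_STATUS.match(from_printer):
        headers, _ = parse_headers(from_printer)
        if "access-control-allow-origin" in headers:
            findings.append("cors-header-from-printer:"
                            + headers["access-control-allow-origin"])
    return findings


# Constructed samples (not captured traffic); addresses are documentation ranges.
SAMPLE_XSP = (b"POST / HTTP/1.1\r\nHost: 192.0.2.10:9100\r\n"
              b"Origin: http://untrusted.example\r\n\r\n"
              b"\x1b%-12345X@PJL INFO ID\r\n")
SAMPLE_REPLY = b"HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n\r\nok"
SAMPLE_NORMAL = b"\x1b%-12345X@PJL JOB NAME=\"report\"\r\n%!PS\nshowpage\n"
```

An ordinary print job such as `SAMPLE_NORMAL` starts with the printer language itself, so it produces no findings; any HTTP framing on this port is worth an alert, and blocking workstation browsers from reaching 9100/tcp removes the path entirely.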

The experts reported the issues to all the vendors.


Pierluigi Paganini

(Security Affairs – printers, cross-site printing)
