Spanish researchers during this monthGuerreroResearch found HP Printing SoftwareJetDirect has a vulnerability that allows attackers to bypass bio-or swipe card security protection, access some printed documents, or advertise the network to cause DoS attacks on vulnerable network printers.
Although JetDirect was designed by HP, many printers use the software, including Canon, Lexmark, Samsung, and Xerox. The software processes print requests submitted over the network. The Network Printer listens to and receives print request data through the JetDirect protocol, as shown in the following figure:
When you connect to a network printer, JetDirect adds additional information so that the printer can parse the print task. Three key concepts are involved here.
UEL (Universal Exit Language)These commands are usually at the header and end of the data packet sent to the printer. The syntax is %-12345X, and 0x1B indicates ESCape.
PJL (Printer Job Language)It is used to tell the printer what action to perform, which is an additional support for PCL.
PCL (Printer Control Language)To regulate the basic language for formatting pages. It seems harmless, but it becomes the exploit code for most parser and interpreter vulnerabilities.
Shows a typical print task data packet.
Since the investigator wrote the comments in Spanish, they can only get together and read them. To learn more, I am afraid I should refer to the official JetDirect manual:
Http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13207/bpl13207.pdf
Http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13211/bpl13211.pdf
By modifying the tags passed into the PCL/PJL parser, attackers can trigger DoS attacks.
Enterprises may want to have fingerprint access, PINs, passwords, smart cards, and so on, which can effectively protect their printers. But in fact, once these documents are sent to the printer, the protection is automatically disabled. Attackers can directly access or re-print the print tasks in the printer memory. Researchers believe that the following products have security vulnerabilities:
Canon, Fujitsu, HP, Konica Minolta, Lexmark, Xerox, Sharp, Kyocera Mita, Kodak, Brother, Samsung, Toshiba, Ricoh, Lanier, Gestetner, Infotek, OCE, OKI
Vulnerability 1: bypass authentication
Enterprise printers generally have various certifications to prevent unauthorized access to printers, such as rfidcard, fingerprint recognition, smart card, and LDAP passwords.
However, in fact, the network port of the past printer can send the aforementioned special data packets to bypass authentication and use the network printer.
The result is as follows:
Analyze the document sent to the printer and find two important labels:
1 @ pjl set jobname = "C: \ Documents ents and Settings \ Divine \ My Documents \ TU \ TDOC \ cad files \ kapak. dwg Model (1 )"
2 @ pjl set username = "AAA"
Vulnerability 2: tampering and printing tasks
Assigning work to system users
Attackers can exploit this vulnerability to modify the label value assigned to the print task. (In this example, the task number in the queue is used to print the modified content)
Vulnerability 3: DoS Attacks
As shown in the preceding data packet, the data sent to the printer, including determining the Document Style, Document Format Structure, and printer action parameters, are all worth noting. These values are interpreted by the printer parser. Therefore, inputting an undesired value on these points can cause DoS attacks.
The following uses a PCL printing command as an example:
1 ^ [& l7H ^ [& l-1M ^ [* o5W ^ M ^ C ^ @ ^ G? ^ [* O-2M ^ [* o5W ^ M ^ B ^ @ ^ A ^ [* o5W ^ K ^ A ^ @ ^ [* o5W ^ N ^ C ^ @ ^ E ^ [* o5W ^ N ^ U ^ @ ^ [& l110A ^ [& u600D ^ [* o5W ^ N ^ E ^ @ ^ S '^ [* o5W ^ N ^ F ^ @ ^ [g ^ [* r4724S ^ [* g12W ^ F ^ _ ^ @ ^ A ^ BX ^ BXg # W -- configure grid data command, the above g12W is responsible for setting the color depth, vertical and horizontal resolution.
O # W -- configure the driver command, such as the above o5W, which is usually used to execute the command for setting the printer. For details, see the configuration form of each printer.
& L7H -- set the paper source. In this example, automatic
& L-1M -- Media Type Bond
& L110A -- use the PCL_JENV_CHOU3 macro code to define the height of the paper
& U600D -- number of PCL units per inch
Changing any of the above parameters to an unexpected value may cause the printer to be disconnected or directly force them to require manual reset. As shown in:
Vulnerability 4: Touch Screen
One of the advanced features of modern printers is a touch screen that allows you to control some configuration pages, such as modifying FTP service configurations.
While the number of characters entered is limited and controlled by JS, once an attacker has intercepted the request, they cocould enter something like:
1 perl-e 'print "A" x1000'
2) Too many rows have been written before using the result wocould be:
In this case, the printer was bricked and had to undergo a USB hard reset by re-installing the firmware.
The examples above represent just a few of the printer certificate that can be exploited for denial of service attacks-of perhaps greater worry to companies might be data theft that cocould easily occur on printer devices that store sensitive information. as such, its imperative that companies don't fail to take into account their printing devices when considering their overall risk profile.
SANS issued a security warning last week to remind enterprises to pay attention to the security of network printers.
