We don't want to alarm you, but PostScript makes your printer an attack vector

Actually, we do want to alarm you. At least enough to take your printers off the internet

Cthulu emerges from a printer. Image created by illustrator Andy Davies. Copyright: The Register

Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language.

If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here.

The bugs range from attackers exfiltrating copies of what's sent to printers, to denial-of-service, code execution, forced resets and even bricking the targets.

The work from the University Alliance Ruhr landed on Full Disclosure here (with five vendor-specific follow-ups), and as they note: “This vulnerability has presumably been present in every PostScript printer [for] 32 years as solely legitimate PostScript language constructs are abused.”

As they note in the GitHub repo hosting their proof-of-concept code, it "makes dumpster diving obsolete".

Linux, *BSD and Mac OS users note: the bug's also exploitable via the popular Common Unix Printing System, CUPS.

The PostScript showpage operator is at fault here: present in every PostScript document to print the current page, it can be redefined by an attacker to execute their own PostScript code. The legitimate application is to overlay pages with things like letterheads; as the authors note, “it can be used to play pranks like putting `hax0r slogans' on all sheets”.

More serious malice is also possible, however – an attacker can obtain copies of print jobs from outside the network.

The boffins exploit the Web mechanism Cross-Origin Resource Sharing (CORS) for this attack, which they've illustrated below.

Cross-site printing: too easy

Exfiltrating print jobs. Image: Hacking-Printers.net

CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it's supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.

“We have full control of what the requested `web server' – which actually is a printer RIP [raster image processor – The Register] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS Access-Control-Allow-Origin fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy.”

Vendors known to have exploitable functions include HP, Dell, and Lexmark, and there are specific advisories for others.

The researchers also say:

This last one happens because an exploit can force high numbers of rewrites to the printer's NVRAM, which eventually causes it to deteriorate, bricking the target.

Finally, the researchers also demonstrate that PostScript printers and Brother's proprietary PJL can be buffer-overrun with an exploit, leading to “denial of service or potentially even to code execution”. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018