We don't want to alarm you, but PostScript makes your printer an attack vector
Actually, we do want to alarm you. At least enough to take your printers off the internet
Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language.
If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here.
The bugs range from attackers exfiltrating copies of what's sent to printers, to denial-of-service, code execution, forced resets and even bricking the targets.
The work from the University Alliance Ruhr landed on Full Disclosure here (with five vendor-specific follow-ups), and as they note: “This vulnerability has presumably been present in every PostScript printer [for] 32 years as solely legitimate PostScript language constructs are abused.”
As they note in the GitHub repo hosting their proof-of-concept code, it "makes dumpster diving obsolete".
Linux, *BSD and Mac OS users note: the bug's also exploitable via the popular Common Unix Printing System, CUPS.
showpage operator is at fault here: present in every PostScript document to print the current page, it can be redefined by an attacker to execute their own PostScript code. The legitimate application is to overlay pages with things like letterheads; as the authors note, “it can be used to play pranks like putting `hax0r slogans' on all sheets”.
More serious malice is also possible, however – an attacker can obtain copies of print jobs from outside the network.
The boffins exploit the Web mechanism Cross-Origin Resource Sharing (CORS) for this attack, which they've illustrated below.
Exfiltrating print jobs. Image: Hacking-Printers.net
CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it's supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.
Vendors known to have exploitable functions include HP, Dell, and Lexmark, and there are specific advisories for others.
The researchers also say:
- HP LaserJet 4200N and 4250N, the OKI MC342dn and the Konica Minolta Bizhub C454e can be exploited to expose passwords;
- Various HP LaserJets can be reset to factory defaults;
- Brother's proprietary PJL printer language is vulnerable to memory access; and
- It's possible to cause physical damage to NVRAM in a number of printers.
This last one happens because an exploit can force high numbers of rewrites to the printer's NVRAM, which eventually causes it to deteriorate, bricking the target.
Finally, the researchers also demonstrate that PostScript printers and Brother's proprietary PJL can be buffer-overrun with an exploit, leading to “denial of service or potentially even to code execution”. ®