We don't want to alarm you, but PostScript makes your printer an attack vector

Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language. If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here. The bugs …

Silver badge

Maybe I'm thick...

... but why would I connect my printer to the Internet?

19
0
Silver badge

Re: Maybe I'm thick...

Because you used Google's cloud print service instead of any sane choice like printing directly from the device?

It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out to the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery a little harder, etc, but once machines are known it greatly reduces the impact of something stupid like this happening.

15
0
Boffin

@Pompous Git - Maybe I'm thick too, but ...

...it looks to me from the diagram in the article as though the printer is only connected to the LAN, presumably behind a firewall and NAT. The attack works by a client PC in the LAN hitting an infected website and executing a malicious JS payload locally. That payload exploits the vulnerability in the printer and posts the results back to the attacker.

At least I think that's what the diagram indicates.

14
0
Anonymous Coward

Re: Maybe I'm thick...

It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out to the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery a little harder, etc, but once machines are known it greatly reduces the impact of something stupid like this happening.

One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).

I just don't get this fashion to have everything accessible from the outside, but that's maybe because it's old hat for me. I was a very early Internet user so I've had my fun with a static IP address and a dedicated firewall many, many years ago when a public interface didn't get hit by a probe at least once a second. I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.

4
1
Silver badge

Re: @Pompous Git - Maybe I'm thick too, but ...

>...it looks to me from the diagram in the article as though the printer is only connected to the LAN...

One of the attack vectors is to use the victim's browser. Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

6
1
Silver badge
Facepalm

Re: @Pompous Git - Maybe I'm thick too, but ...

>Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

The "convergence" (whatever you mean by that in this context) has nothing to do with it.

From the article:

CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it's supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.

From the web:

Access control CORS

3
0

This post has been deleted by its author

Silver badge

Re: @Pompous Git - Maybe I'm thick too, but ...

The "convergence" (whatever you mean by that in this context) has nothing to do with it.

But if you read the article more closely, you'll see they use postscript (a Turing-complete programming language) to write a dummy web server that defeats the browser's built in CORS protection. The question is does the subset of postscript commands available in PDF also allow that?

I think PDF lacks the showpage operator. And its restricted nature means it's probably a challenge. But I'm not a PDF expert.

3
0
Silver badge
Silver badge
Happy

Re: @Pompous Git - Maybe I'm thick too, but ...

Blitheringeejit At least I think that's what the diagram indicates.

Really? All I ascertained from the diagram was that if I have a Citizen Swift dot-matrix printer hooked up to an Escom 486 with 12" CRT monitor, my print-jobs are at risk from headless quadruple-amputee sheep.

JEEEZ that's bad clip-art.

1
0
Silver badge
Childcatcher

"Our approach is to abuse WebRTC"

From the wiki, apparently your printer doesn't actually need to be connected directly to the Internet, it only needs to be discoverable on the host's subnet. WebRTC, Java and VBScript can all be used to "leak the local IP address" - the usual suspects.

Yet another reason to take WebRTC (and Java and VBScript) outside to be shot.

Worse still, apparently there is no way to disable WebRTC completely in Chrom(e|ium), as various attempts to do so with extensions can be bypassed, e.g. with an iframe.

Remind me again, what exactly do we need WebRTC for? Because from where I'm sitting it just looks like malware.

N.B. WebRTC was the final straw that forced me to abandon Chrom(e|ium) and go back to Firefox. The second last straw was Google removing the ability to install extensions they hadn't "approved", mostly for the purpose of blocking privacy extensions that conflicted with its spamming operations.

2
0
Bronze badge

Re: Maybe I'm thick...

Google Cloud Print is pretty much the only option to print from Android devices, or at least the only one my printer supports. I freely admit I have my printer hooked up to the Internet. I mitigate the risk by turning the printer off when I'm not using it, but I guess I must think the convenience is worth the risk.

1
0
Orv
Silver badge

Re: Maybe I'm thick...

Technically you don't have to have your printer exposed to the Internet to use Cloud Print, *if* you export it from a PC on your LAN. The downside is the PC has to be on and you have to be logged in before you can print. This is how I print to my non-Internet-enabled printer from my Chromebook, via my desktop.

1
0
Orv
Silver badge

Re: Maybe I'm thick...

"... but why would I connect my printer to the Internet?"

This is a big problem on college campuses, where the ethernet network is generally open to the Internet. Most new networked printers have firewalls (if someone has bothered to configure them), but old ones generally don't. There was a scramble to lock printers down at one institution I've worked at when they started spewing anti-Semitic propaganda sent from IP addresses in eastern Europe...

An additional issue is networked copier/printers that are leased or on maintenance contracts. The companies that handle them tend to get testy if their access is cut off.

0
0
Bronze badge

Re: Maybe I'm thick...

"Google Cloud Print is pretty much the only option to print from Android devices"

It's the only option for Chromebooks too. Maybe Google will get a clue someday and make the Chrome OS grown up by adding real printing capabilities.

1
0

Re: Maybe I'm thick... @Chemical Bob

Maybe they are finally getting the message:

https://chromeunboxed.com/chromebooks-getting-local-printing-options/

There is also an extension that's been around for a while which allows you to do local printing to many network printers (I forget what it's called, sadly didn't work with my Brother AIO though I believe it works with its replacement model.)

0
0
Anonymous Coward

Re: Maybe I'm thick...

'One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).'

Aye, maybe so, but when said print spooler starts falling over and dying, you've no IT support in sight and hordes of irate paper-pusher wallahs demanding printouts, then it's very expedient to say 'sod compliance' and bypass said print spooler...

Not that I'd ever do such a thing, you understand.

'..I just don't get this fashion to have everything accessible from the outside,'

I once had to prove that a network of over 2000 internet visible machines did not need to be so by surreptitiously plonking a transparent bridging firewall betwixt them and the outside and blocking inbound connections initiated from outside, left it in that state for a couple of months without anyone complaining before telling anyone about its existence, and gave them the logs of all the dodgy shit that the firewall had blocked as well.

They required 12 internet visible addresses in total, the rest could have been on a NAT or two.

'..I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.'

Heh, they're persistent buggers, to say the least (hello Shodan and all you fine folks lurking out there on hinet.net..my biggest 'group' offenders) . At the time of this message (4:00amish) I've had notification of 83 port scans so far today, January's total was 16,027.

And that's just my boring old home broadband connection..

1
0
Silver badge
Headmaster

Re: "pretty much the only option"

Actually there are quite a few more options beyond Google's Cloud Print, including the HP Print Service Plugin and PrintBot.

0
0
Silver badge

Re: Maybe I'm thick... @Chemical Bob

>Maybe they are finally getting the message...

At least that is (slightly) better than MS, who don't provide out-of-the-box CUPS print capabilities on their Win10 tablets etc., which is a little surprising given Airprint/CUPS (using MIME types application/PDF, image/JPEG and image/URF) has been on iPads since iOS 4.2 (2010) and is now widely supported by printer manufacturers (although it seems that many cheaper printers only support image/JPEG).

0
0
Silver badge

Re: @Pompous Git - Maybe I'm thick too, but ...

The question is does the subset of postscript commands available in PDF also allow that?

This is the important point - not being any expert on PS or PDF other than knowing that PDF 1.5 and Postscript 3 converged to be more consistent so that a printer that supported PS 3 could very simply be enhanced to support native printing of PDF files. Thus like you I don't know the extent to which CUPS/Airprint printers that support the application/PDF MIME type might be vulnerable to this exploit. Unless informed otherwise, I assume CUPS printers that support the application/postscript MIME type are vulnerable.

0
0

This post has been deleted by its author

Silver badge

What about wireless printers?

When out and about in a nearby town over the weekend I was looking for the free wireless service that's available there and was surprised to see a couple of HP printers advertising themselves.

2
0
Silver badge

Re: What about wireless printers?

If it does postscript it's probably a fair game.

People forget that postscript is:

1. A programming language in its own right

2. Implementations have never seen a proper security audit.

17
0
Silver badge

Re: What about wireless printers?

"If it does postscript it's probably a fair game."

Should be easy enough to work that out, because their wireless Ids looked like a model number.

The idea of a Postscript webserver is not new. First hit from a search gave me this post from 2002

2
0
Silver badge

And who 'owns' Postscript?

None other than our favourite software company Adobe "There is NOTHING wrong with Flash" Systems.

27
0
Anonymous Coward

Ohh hp printers they are fun... some of the older models you had to do special key presses to actually turn the wifi off... using the software control panel would only set it to hidden and thus allow you to connect and change all sort of nice things...

As for postscript, thank god for years I've defaulted to pclX unless a specific request/requirement has been made for ps, thankfully I think there is maybe a couple of rips on larger mfc devices that I know that are still using ps... thankfully they are going away soon :)

Adobe... Bringing you all the good 0 day exploit vectors for many years to come.

3
0
Silver badge

"some of the older models you had to do special key presses to actually turn the wifi off"

Owner of old HP printer here. What's this wifi of which you write?

5
0
Bronze badge

"some of the older models you had to do special key presses to actually turn the wifi off"

My preferred method is to disable the wifi circuit and/or antenna with wire-cutters.

1
0
Bronze badge
Paris Hilton

"they call Cross-Site Printing attacks"

Surely if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing?

4
1
Silver badge

"if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing"

or you simply didn't know any better.

0
0
Anonymous Coward

Of course, you could always change the server password to something other than 0!

3
0
Facepalm

what could go wrong

I went to see a financial advisor to discuss a pension last week and took a printed summary of my finances. He replied by email declining his services with a PDF attachment of my summary with the words " I am returning your paperwork".

Most people do not understand the basics of physics. Not only has he still got a copy, so has his printer/scanner, his ISP, my ISP, GCHQ and anyone who wants to infiltrate this moron's probably defenceless IT system.

Exasperated of Cornwall

28
0

Re: what could go wrong

You've forgotten that the NSA also now have a copy. Donald is no doubt currently working out how to screw you over for your pension.

6
1
Angel

Re: what could go wrong

Is that Donald as in Duck?

1
0
Silver badge
Linux

HTTP makes your printer an attack vector

"Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by [1] who use a hidden Iframe to send HTTP POST requests" ref

So it's a bug in the HTTP protocol rather than any defect in PostScript.

2
2
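The HTTP POST delivery quoted in the comment above leaves a recognisable trace in the job data: a request line and browser headers arrive ahead of the PostScript. The following is an added example, not code from the thread or from the researchers, of a check a print spooler or network sensor could run on captured job bytes; `inspect_job`, the sample jobs and the host names are constructed for illustration.

```python
import re

# Request line of an HTTP/1.x message, e.g. b"POST / HTTP/1.1"
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|OPTIONS|HEAD) (\S+) HTTP/1\.[01]$")
# Headers a browser attaches to the requests it sends on a page's behalf
BROWSER_HEADERS = (b"origin", b"referer", b"user-agent")


def inspect_job(raw: bytes) -> dict:
    """Classify raw print-job bytes captured before they reach the printer.

    A job that opens with an HTTP request line was delivered by an HTTP
    client (typically a browser), not by a print driver or spooler.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        # Heuristic: "%!" is the marker that opens a PostScript program
        return {"verdict": "clean", "postscript": b"%!" in raw}
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip().decode("latin-1")
    return {
        "verdict": "http-wrapped",
        "method": match.group(1).decode(),
        # Origin/Referer identify the web page that triggered the request
        "browser_headers": {
            k.decode(): headers[k] for k in BROWSER_HEADERS if k in headers
        },
        "postscript": b"%!" in body,
    }


# Constructed samples: an ordinary driver job, and a job as a browser sends it
NORMAL_JOB = b"%!PS-Adobe-3.0\n72 720 moveto (hello) show\nshowpage\n"
BROWSER_JOB = (
    b"POST / HTTP/1.1\r\n"
    b"Host: printer.example.test\r\n"
    b"Origin: http://example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"%!PS\n% constructed placeholder body\n"
)

if __name__ == "__main__":
    for job in (NORMAL_JOB, BROWSER_JOB):
        print(inspect_job(job))
```

A spooler that is the only host allowed to reach the printers can drop or quarantine anything reported as `http-wrapped` and log the `origin` value for follow-up.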
Silver badge

00 BORED

Printer programming - nothing new there. It's kind of what it's there for - programming a page layout etc. Agree with the other posters that taking a printer off the network, when the diagram shows the connection is via the PC and PCs need to be connected to printers to print to them isn't logical. Most companies would not pass the "business value" test of moving printers to a different subnet even though larger companies are mainly using print servers. Surely most attacks these days would focus on the e-mail enabled scanning features that they all have built in. Amazing where badly trained users will send documents at the press of a button.

The story made me laugh though as I got a date via a printer once. Back in the old Laserjet 4 days, I changed the 00 READY message to 00 BORED and got a support ticket in, it took a long time to fix as the PA was both interested and hot ! Amazing what you can do with PCL command codes :-), I recall that she was definitely 00 READY !

3
1

Re: 00 BORED

PC LOAD FRENCH LETTER

11
0
Silver badge
Joke

Re: 00 BORED

The printers here all want American Letter, is that why I'm single?

9
0
Silver badge
Trollface

Re: 00 BORED

Back in the old Laserjet 4 days, I changed the 00 READY message to

Insert Coin to Operate

which caused the department where this particular printer was located to raise its under-collar temperature: "We're not going to pay to get company documents printed!"

6
0
Silver badge

Re: 00 BORED

Haha! OMFG I did the same with a Laserjet 4P! They went ballistic.

0
0
Orv
Silver badge

Re: 00 BORED

"Replace White Toner Cartridge" is another fun one...

1
0
Anonymous Coward

Re: 00 BORED

'Insert Coin to Operate'

Ah, my 3 year old great nephew must have worked there in a previous incarnation, yesterday evening I had to remove a 20p piece from the front SD card slot of our Brother MFC-440CN, the thing was making all sorts of weird beeping noises and flashing obscure error messages on its display when I spotted the shiny object where no shiny object should have been.

The joys of babysitting I suppose...(to keep him away from feeding the printer any further loose change, I set up my old Korg MS-10, put it through a multi-FX pedal and an amp then let him loose, result: Forbidden Planet soundtrack with added drumbox, oh, how my neighbours must love me...).

0
0
Silver badge

"Take your printers off the web"?

Hardly. If anything, the research shows you should PUT your printer on the web, with proper auth/access control. The attack vector here is NOT the printer but the personal computer (mis)used as the print server.

0
1
Silver badge

You only just noticed?

I remember reading an OLD hack - done with OS9 I think it was - the user had trouble printing due to an overloaded queue, so every morning he submitted a "special" job - that threw away any job not his...

5
0
Silver badge

I remembered another old one - detected by slow print jobs. Turned out the printer was first forwarding the data to a printer in Russia, then printing locally.

4
0
Silver badge

Well the article mentions 32 years as the age of PostScript - and guess what, I recall back in the 80s that there were known "issues". One was that you can set an access code for admin/config changes - but it's rarely done.

So if you send some PS to a printer that sets the access code - you're screwed !

But personally I like PostScript - it makes sense !

PCL is a mess - you can't take a "PCL" file made for one device and send it to any other PCL device and expect what comes out to be the same (or in some cases, even similar) - device resolution specific stuff comes to mind. You can with PS - with usually the biggest issue being missing fonts that come out as Courier.

I've hand crafted PS - including doing one of the things the article mentions, redefining the showpage operator to put a header on printed faxes with information like date/time/sender. Trivial in PS, "non trivial" with PCL.

8
0
Pint

@SImon Hobson

I've hand crafted PS

Please allow me to offer my sincere commiserations. Perhaps a cold one helps erasing those terrible memories?

3
1
Silver badge

Re: @SImon Hobson

Why ? It's actually quite a nice language to work with and I enjoyed it.

Now, if anyone suggested I had to do anything with PCL then they might learn some new colourful vocabulary.

0
0
Orv
Silver badge

Re: @SImon Hobson

I had to work with HP/GL once...although you can't really call that a "language" I guess. Not with a straight face.

0
0
Anonymous Coward

Mac display

Does this affect Mac displays?

0
0


Biting the hand that feeds IT © 1998–2017