Security Flaws in Multi-Function Printers Could Lead to Password Theft

Researchers at Ruhr University have discovered security flaws in multi-function printers that could be exploited remotely by hackers to shut down the printers, or worse, manipulate documents or steal passwords. It is also possible for hackers to exploit the flaws to cause physical damage to printers.

The researchers have so far identified security flaws in multi-function printers manufactured by computer hardware giants HP, Lexmark and Dell. At least 20 multi-function printers are known to contain the flaws.

The printer security flaws exist in common printing languages used by printer manufacturers, languages that were first developed some 32 years ago. According to the researchers, the flaws in the PJL and PostScript languages could potentially be exploited remotely using advanced cross-site printing techniques if users are convinced to visit a specially crafted website. The researchers have termed their technique for remotely hacking PostScript printers CORS spoofing. The flaws could also be exploited by anyone with direct access to the printers.

To demonstrate how the flaws could be exploited, the researchers developed a tool called the Printer Exploitation Toolkit (PRET). PRET can be used to exploit the flaws via USB or over the network. The researchers were able to use the tool to manipulate print jobs, capture data sent to the printer, access printer file systems and even physically damage the device. Proofs of concept have been published on GitHub showing how the flaws could be exploited to steal users’ credentials.

Worryingly, the researchers point out that the printer is not the only device that can be hacked. “An attacker can escalate her way into a network, using the printer device as a starting point.”

While exploiting security flaws can be a complex process requiring substantial knowledge of the languages and systems involved, in this case ‘hacking’ the printers is relatively easy.

A wide range of printers contain these vulnerabilities, including some of the most popular printers from Dell, HP, Lexmark, and Samsung, for example the HP LaserJet 1200, 4200N and 4250N, the Samsung MultiXpress 6345N, and the Dell 3130cn.

The researchers also point out that the printers cannot handle usernames of more than 150 characters: if such a username is sent to a printer, it crashes and requires a manual restart. They note that, given the right shellcode and return address, the same flaw could allow remote code execution on the multi-function printers.

Until the problem is fixed, users can mitigate the risk by not exposing their printers to the Internet. System administrators should also disable raw port 9100/tcp printing if it is not required. These measures only make the flaws harder to exploit; they do not protect the devices themselves. To do that, the researchers recommend sandboxing the printers in a separate VLAN and limiting access via a hardened print server.

System administrators should also restrict access to copy rooms to authorized personnel and instruct staff to report any odd printouts, such as pages containing HTTP headers, since these could indicate that a printer has been subjected to a cross-site printing attack.
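The two defensive points above (watching raw port 9100 traffic and treating HTTP headers in a job as a cross-site printing indicator) can be turned into a simple inspection check on a hardened print server. The following is an added example written for this page, not the researchers' PRET code; it assumes jobs are captured as raw bytes from port 9100, that the username arrives in a PJL SET USERNAME statement, and uses constructed sample jobs rather than real captures.

```python
import re

# The 150-character username limit is the figure quoted in the article;
# treating a PJL SET USERNAME statement as the field that carries it is an
# assumption of this example.
MAX_USERNAME_LEN = 150
UEL = b"\x1b%-12345X"  # PJL universal exit language prefix
HTTP_REQUEST_LINE = re.compile(rb"\A(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
PJL_USERNAME = re.compile(rb'@PJL\s+SET\s+USERNAME\s*=\s*"?([^"\r\n]*)', re.IGNORECASE)


def inspect_job(raw: bytes) -> dict:
    """Classify one raw job captured from port 9100 and list defensive findings."""
    findings = []
    body = raw
    if HTTP_REQUEST_LINE.match(raw):
        # A browser-originated (cross-site printing) job arrives wrapped in an
        # HTTP request; the header block is what shows up as an 'odd printout'.
        findings.append("http-headers-in-job")
        _head, sep, rest = raw.partition(b"\r\n\r\n")
        body = rest if sep else b""
    stripped = body.lstrip()
    if stripped.startswith(b"%!PS"):
        language = "postscript"
    elif stripped.startswith(UEL) or stripped.startswith(b"@PJL"):
        language = "pjl"
    else:
        language = "unknown"
    for match in PJL_USERNAME.finditer(body):
        if len(match.group(1)) > MAX_USERNAME_LEN:
            findings.append("oversized-username")  # crash trigger per the article
            break
    return {"language": language, "findings": findings}


# Constructed sample jobs (not real captures).
NORMAL_PJL = (UEL + b'@PJL JOB\r\n@PJL SET USERNAME="alice"\r\n'
              b'@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\r\nshowpage\r\n')
CROSS_SITE = (b"POST / HTTP/1.1\r\nHost: printer.internal\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 28\r\n\r\n%!PS-Adobe-3.0\r\nshowpage\r\n")
LONG_USER = UEL + b'@PJL SET USERNAME="' + b"A" * 200 + b'"\r\n'

if __name__ == "__main__":
    for name, job in [("normal", NORMAL_PJL), ("cross-site", CROSS_SITE), ("long-user", LONG_USER)]:
        print(name, inspect_job(job))
```

Jobs with any finding are the ones worth alerting on or dropping before they reach the printer.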

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news