back to article We don't want to alarm you, but PostScript makes your printer an attack vector

Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language. If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here. The bugs …

  1. Pompous Git Silver badge

    Maybe I'm thick...

    ... but why would I connect my printer to the Internet?

    1. Paul Crawford Silver badge

      Re: Maybe I'm thick...

      Because you used Google' cloud print service instead of any sane choice like printing directly from the device?

      It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out the the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery at little harder, etc, but one machines are known it greatly reduces the impact of something stupid like this happening.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maybe I'm thick...

        It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out the the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery at little harder, etc, but one machines are known it greatly reduces the impact of something stupid like this happening.

        One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).

        I just don't get this fashion to have everything accessible from the outside, but that's maybe because it's old hat for me. I was a very early Internet user so I've had my fun with a static IP address and a dedicated firewall many, many years ago when a public interface didn't get hit by a probe at least once a second. I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.

        1. Anonymous Coward
          Anonymous Coward

          Re: Maybe I'm thick...

          'One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).'

          Aye, maybe so, but when said print spooler starts falling over and dying, you've no IT support in sight and hordes of irate paper-pusher wallahs demanding printouts, then it's very expedient to say 'sod compliance' and bypass said print spooler...

          Not that I'd ever do such a thing, you understand.

          '..I just don't get this fashion to have everything accessible from the outside,'

          I once had to prove that a network of over 2000 internet visible machines did not need to be so by surreptitiously plonking a transparent bridging firewall betwixt them and the outside and blocking inbound connections initiated from outside, left it in that state for a couple of months without anyone complaining before telling anyone about its existence, and gave them the logs of all the dodgy shit that the firewall had blocked as well.

          They required 12 internet visible addresses in total, the rest could have been on a NAT or two.

          '..I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.'

          Heh, they're persistent buggers, to say the least (hello Shodan and all you fine folks lurking out there on hinet.net..my biggest 'group' offenders) . At the time of this message (4:00amish) I've had notification of 83 port scans so far today, January's total was 16,027.

          And that's just my boring old home broadband connection..

    2. Blitheringeejit
      Boffin

      @Pompous Git - Maybe I'm thick too, but ...

      ...it looks to me from the diagram in the article as though the printer is only connected to the LAN, presumably behind a firewall and NAT. The attack works by a client PC in the LAN hitting an infected website and executing a malicious JS payload locally. That payload exploits the vulnerability in the printer and posts the results back to the attacker.

      At least I think that's what the diagram indicates.

      1. Roland6 Silver badge

        Re: @Pompous Git - Maybe I'm thick too, but ...

        >...it looks to me from the diagram in the article as though the printer is only connected to the LAN...

        One of the attack vectors is to use the victims browser. Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

        1. Hans 1
          Facepalm

          Re: @Pompous Git - Maybe I'm thick too, but ...

          >Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

          The "convergence" (whatever you mean by that in this context) has nothing to do with it.

          From the article:

          CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it's supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.

          From the web:

          Access control CORS

          1. Brewster's Angle Grinder Silver badge

            Re: @Pompous Git - Maybe I'm thick too, but ...

            The "convergence" (whatever you mean by that in this context) has nothing to do with it.

            But if you read the article more closely, you'll see they use postscript (a Turing-complete programming language) to write a dummy web server that defeats the browser's built in CORS protection. The question is does the subset of postscript commands available in PDF also allow that?

            I think PDF lacks the showpage operator. And its restricted nature means it's probably a challenge. But I'm not a PDF expert.

            1. Roland6 Silver badge

              Re: @Pompous Git - Maybe I'm thick too, but ...

              The question is does the subset of postscript commands available in PDF also allow that?

              This is the important point - not being any expert on PS or PDF other than knowing that PDF 1.5 and Postscript 3 converged to be more consistent so that a printer that supported PS 3 could very simply be enhanced to support native printing of PDF files. Thus like you I don't know the extent to which CUPS/Airprint printers that support the application/PDF MIME type might be vulnerable to this exploit. Unless informed otherwise, I assume CUPS printers that support the application/postscript MIME type are vulnerable.

      2. This post has been deleted by its author

        1. This post has been deleted by its author

      3. David 132 Silver badge
        Happy

        Re: @Pompous Git - Maybe I'm thick too, but ...

        Blitheringeejit At least I think that's what the diagram indicates.

        Really? All I ascertained from the diagram was that if I have a Citizen Swift dot-matrix printer hooked up to an Escom 486 with 12" CRT monitor, my print-jobs are at risk from headless quadruple-amputee sheep.

        JEEEZ that's bad clip-art.

    3. Wensleydale Cheese
    4. Oh Homer
      Childcatcher

      "Our approach is to abuse WebRTC"

      From the wiki, apparently your printer doesn't actually need to be connected directly to the Internet, it only needs to be discoverable on the host's subnet. WebRTC, Java and VBScript can all be used to "leak the local IP address" - the usual suspects.

      Yet another reason to take WebRTC (and Java and VBScript) outside to be shot.

      Worse still, apparently there is no way to disable WebRTC completely in Chrom(e|ium), as various attempts to do so with extensions can be bypassed, e.g. with an iframe.

      Remind me again, what exactly do we need WebRTC for? Because from where I'm sitting it just looks like malware.

      N.B. WebRTC was the final straw that forced me to abandon Chrom(e|ium) and go back to Firefox. The second last straw was Google removing the ability to install extensions they hadn't "approved", mostly for the purpose of blocking privacy extensions that conflicted with its spamming operations.

    5. Jonathan 27

      Re: Maybe I'm thick...

      Google Cloud Print is pretty much the only option to print from Android devices, or at least the only one my printer supports. I freely admit I have my printer hooked up to the Internet. I mitigate the risk my turning the printer off when I'm not using it, but I guess I must think the convenience is worth the risk.

      1. Orv

        Re: Maybe I'm thick...

        Technically you don't have to have your printer exposed to the Internet to use Cloud Print, *if* you export it from a PC on your LAN. The downside is the PC has to be on and you have to be logged in before you can print. This is how I print to my non-Internet-enabled printer from my Chromebook, via my desktop.

      2. Chemical Bob

        Re: Maybe I'm thick...

        "Google Cloud Print is pretty much the only option to print from Android devices"

        It's the only option for Chromebooks too. Maybe Google will get a clue someday and make the Chrome OS grown up by adding real printing capabilities.

        1. AJ MacLeod

          Re: Maybe I'm thick... @Chemical Bob

          Maybe they are finally getting the message:

          https://chromeunboxed.com/chromebooks-getting-local-printing-options/

          There is also an extension that's been around for a while which allows you to do local printing to many network printers (I forget what it's called, sadly didn't work with my Brother AIO though I believe it works with its replacement model.)

          1. Roland6 Silver badge

            Re: Maybe I'm thick... @Chemical Bob

            >Maybe they are finally getting the message...

            At least that is (slightly) better than MS, who don't provide out-of-the-box CUPS print capabilities on their Win10 tablets etc., Which is a little surprising given Airprint/CUPS (using MIME types application/PDF, image/JPEG and image/URF) has been on iPads since iOS 4.2 (2010) and is now widely supported by printer manufacturers (although it seems that many cheaper printers only support image/JPEG).

      3. Oh Homer
        Headmaster

        Re: "pretty much the only option"

        Actually there are quite a few more options beyond Google's Cloud Print, including the HP Print Service Plugin and PrintBot.

    6. Orv

      Re: Maybe I'm thick...

      "... but why would I connect my printer to the Internet?"

      This is a big problem on college campuses, where the ethernet network is generally open to the Internet. Most new networked printers have firewalls (if someone has bothered to configure them), but old ones generally don't. There was a scramble to lock printers down at one institution I've worked at when they started spewing anti-Semitic propaganda sent from IP addresses in eastern Europe...

      An additional issue is networked copier/printers that are leased or on maintenance contracts. The companies that handle them tend to get testy if their access is cut off.

  2. Wensleydale Cheese

    What about wireless printers?

    When out and about in a nearby town over the weekend I was looking for the free wireless service that's available there and was surprised to see a couple of HP printers advertising themselves.

    1. Voland's right hand Silver badge

      Re: What about wireless printers?

      If it does postscript it's probably a fair game.

      People forget that postscript is:

      1. A programming language in its own right

      2. Implementations have never seen a proper security audit.

      1. Wensleydale Cheese

        Re: What about wireless printers?

        "If it does postscript it's probably a fair game."

        Should be easy enough to work that out, because their wireless Ids looked like a model number.

        The idea of a Postscript webserver is not new. First hit from a search gave me this post from 2002

  3. macjules Silver badge

    And who 'owns' Postscript?

    None other than our favourite software company Adobe "There is NOTHING wrong with Flash" Systems.

  4. Anonymous Coward
    Anonymous Coward

    Ohh hp printers they are fun... some of the older models you had to do special key presses to actually turn the wifi off... using the software control panel would only set it to hidden and thus allow you to connect and change all sort of nice things...

    As for postscript, thank god for years ive defaulted to pclX unless a specific request/requirement has been made for ps, thankfully i think there is maybe a couple of rips on larger mfc devices that i know that are still using ps... thankfully they are going away soon :)

    Adobe... Bringing you all the good 0 day exploit vectors for many years to come.

    1. Doctor Syntax Silver badge

      "some of the older models you had to do special key presses to actually turn the wifi off"

      Owner of old HP printer here. What's this wifi of which you write?

    2. HieronymusBloggs

      "some of the older models you had to do special key presses to actually turn the wifi off"

      My preferred method is to disable the wifi circuit and/or antenna with wire-cutters.

  5. Anonymous Coward Silver badge
    Paris Hilton

    "they call Cross-Site Printing attacks"

    Surely if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing?

    1. Doctor Syntax Silver badge

      "if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing"

      or you simply didn't know any better.

  6. Anonymous Coward
    Anonymous Coward

    Of course, you could always change the server password to something other than 0!

  7. Colin Bull 1
    Facepalm

    what could go wrong

    I went to see a financial advisor to discuss a pension last week and took a printed summary of my finances. He replied by email declining his services with a PDF attachment of my summary with the words " I am returning your paperwork".

    Most people do not understand the basics of physics. Not only has he still got a copy, so has his printer/scanner, his ISP, my ISP, GCHQ and anyone who wants to infiltrate this morons probably defenceless IT system.

    Exasperated of Cornwall

    1. creepy gecko

      Re: what could go wrong

      You've forgotten that the NSA also now have a copy. Donald is no doubt currently working out how to screw you over for your pension.

      1. cosymart
        Angel

        Re: what could go wrong

        Is that Donald as in Duck?

  8. Anonymous Coward
    Linux

    HTTP makes your printer an attack vector

    "Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by [1] who use a hidden Iframe to send HTTP POST requests" ref

    So it's a bug in the HTTP protocol rather than any defect in PostScript.

  9. Dwarf Silver badge

    00 BORED

    Printer programming - nothing new there. Its kind of what its there for - programming a page layout etc. Agree with the other posters that taking a printer off the network, when the diagram shows the connection is via the PC and PC's need to be connected to printers to print to them isn't logical. Most companies would not pass the "business value" test of moving printers to a different subnet even though larger companies are mainly using print servers. Surely most attacks these days would focus on the e-mail enabled scanning features that they all have built in. Amazing where badly trained users will send documents at the press of a button.

    The story made me laugh though as I got a date via a printer once. Back in the old Laserjet 4 days, I changed the 00 READY message to 00 BORED and got a support ticket in, it took a long time to fix as the PA was both interested and hot ! Amazing what you can do with PCL command codes :-), I recall that she was definitely 00 READY !

    1. Anon

      Re: 00 BORED

      PC LOAD FRENCH LETTER

      1. Korev Silver badge
        Joke

        Re: 00 BORED

        The printers here all want American Letter, is that why I'm single?

    2. Stoneshop Silver badge
      Trollface

      Re: 00 BORED

      Back in the old Laserjet 4 days, I changed the 00 READY message to

      Insert Coin to Operate

      which caused the department where this particular printer was located to raise its under-collar temperature: "We're not going to pay to get company documents printed!"

      1. macjules Silver badge

        Re: 00 BORED

        Haha! OMFG I did the same with a Laserjet 4P! They went ballistic.

      2. Orv

        Re: 00 BORED

        "Replace White Toner Cartridge" is another fun one...

      3. Anonymous Coward
        Anonymous Coward

        Re: 00 BORED

        'Insert Coin to Operate'

        Ah, my 3 year old great nephew must have worked there in a previous incarnation, yesterday evening I had to remove a 20p piece from the front SD card slot of our Brother MFC-440CN, the thing was making all sorts of weird beeping noises and flashing obscure error messages on its display when I spotted the shiny object where no shiny object should have been.

        The joys of babysitting I suppose...(to keep him away from feeding the printer any further loose change, I set up my old Korg MS-10, put it through a multi-FX pedal and an amp then let him loose, result: Forbidden Planet soundtrack with added drumbox, oh, how my neighbours must love me...).

  10. ElReg!comments!Pierre

    "Take your printers off the web"?

    Hardly. If anything, the research shows you should PUT your printer on the web, with proper auth/access control. The attack vector here is NOT the printer but the personnal computer (mis)used as the print server.

  11. oldcoder

    You only just noticed?

    I remember reading an OLD hack - done with OS9 I think it was - the user had trouble printing due to an overloaded queue, so every morning he submitted a "special" job - that threw away any job not his...

  12. oldcoder

    I remembered another old one - detected by slow print jobs. Turned out the printer was first forwarding the data to a printer in Russia, then printing locally.

  13. SImon Hobson Silver badge

    Well the article mentions 32 years as the age of PostScript - and guess what, I recall back in the 80s that there were known "issues". One was that you can set an access code for admin/config changes - but it's rarely done.

    So if you send some PS to a printer that sets the access code - you're screwed !

    But personally I like PostScript - it makes sense !

    PCL is a mess - you can't take a "PCL" file made for one device and send it to any other PCL device and expect what comes out to be the same (or in some cases, even similar) - device resolution specific stuff comes to mind. You can with PS - with usually the biggest issue being missing fonts that come out as Courier.

    I've hand crafted PS - including doing one of the things the article mentions, redefining the showpage operator to put a header on printed faxes with information like date/time/sender. Trivial in PS, "non trivial" with PCL.

    1. Apprentice of Tokenism
      Pint

      @SImon Hobson

      I've hand crafted PS

      Please allow me to offer my sincere commiserations. Perhaps a cold one helps erasing those terrible memories?

      1. SImon Hobson Silver badge

        Re: @SImon Hobson

        Why ? It's actually quite a nice language to work with and I enjoyed it.

        Now, if anyone suggested I had to do anything with PCL then they might learn some new colourful vocabulary.

        1. Orv

          Re: @SImon Hobson

          I had to work with HP/GL once...although you can't really call that a "language" I guess. Not with a straight face.

  14. Anonymous Coward
    Anonymous Coward

    Mac display

    Does this affect Mac displays?

    1. cosymart
      Coat

      Re: Mac display

      Is this referring the dirty mac brigade AKA Flashers or Macintosh Computers? Still trying to figure out why you mention the display?

      1. the spectacularly refined chap Silver badge

        Re: Mac display

        Still trying to figure out why you mention the display?

        NeXT from which MacOS is derived used Display PostScript under the window system so that would have been vulnerable. I'm no expert on Macs but I believe that got reworked and switched to PDF for a superficially similar role in OS X. No, that wouldn't be vulnerable - PDF doesn't have the same generality as PostScript, and lacks decision making and flow control constructs, you just get the basic drawing operators.

    2. cd

      Re: Mac display

      Burberry have a plaid firewall, not sure about others.

    3. macjules Silver badge

      Re: Mac display

      It affects Mac displays if you are using the Essex Girl method of printing

      1) Take screen to photocopier (see IT for extra long cables)

      2) Place screen flat down on photocopier.

      3) Press copy

  15. John Smith 19 Gold badge
    WTF?

    So a compromised PC sends stuff to a compromised printer that can then send it anywhere?

    OK it sounds a bit involved but I imagine could sidestep some types of security on the PC.

    Obvious question is why would you let your printer call out to the net, but I'm guessing it's because people don't realize it can?

    1. Ken Hagan Gold badge

      Re: So a compromised PC sends stuff to a compromised printer that can then send it anywhere?

      "Obvious question is why would you let your printer call out to the net, but I'm guessing it's because people don't realize it can?"

      Sadly, I think there are just as many people who would let their printer call out to the net "because it can" as would do so "because they don't realize that it can".

  16. Herby

    Makes me long for...

    The nice chain printer of old. Those 1403's could really put out the pages, all 132 columns of it, and writing notes on blue bar (I never did like green bar) was the way to go.

    Try hacking a printer like that!

    Yes, I do own a nice line printer, a 300 LPM band printer. Upper AND lower case!

    1. Stoneshop Silver badge
      Boffin

      Re: Makes me long for...

      Chain, belt and drum printers have particular character sequences that cause all the hammers to fire at once printing such a line. A few pages of those will probably blow a fuse if not the entire power supply or, in case of a chain printer, break the chain. How's that for bricking?

      1. Orv

        Re: Makes me long for...

        An old-timer I knew once told stories of sending row after row of hyphens, with carriage returns but no line feeds, to a chain printer in a computer lab. After a while it would weaken the paper and a form feed command would tear it, letting the end of the roll drop out of the printer and taking it offline.

    2. BJS

      Re: Makes me long for...

      If your 1403 had a carriage control tape (like this https://upload.wikimedia.org/wikipedia/commons/thumb/6/63/IBM_1403_carriage_control_tape.agr.jpg/1280px-IBM_1403_carriage_control_tape.agr.jpg), you could adjust it so it wouldn't make proper contact even when there were holes in the tape. As a result, the next form-feed command will empty a box of wide fan-fold paper in a matter of minutes, ejecting it in a dazzling shower of paper powered by the 1403's hydraulics.

  17. herman Silver badge

    "Upper AND lower case!" Like the Blues Brothers: "Country AND Western".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022