A research team from Ruhr-Universität Bochum discovered that various printers are affected by a dangerous vulnerability in their PostScript implementation.
PostScript Printer Implementation Cases To A Serious Vulnerability
A research team from Ruhr-Universität Bochum in Germany discovered a very serious danger that has been identified in about 20 printers and multi function devices from several vendors. All of them are affected by at least one issue that relies on a bad PostScript implementation. We would like to remind our readers that PostScript is the main language that is used by the devices for interpreting the printer jobs and controlling the output copy.
The researchers presume that the discovered vulnerability has been available in every PostScript-capable printer in 32 years. The bug is also exploitable via the CUPS package (Common Unix Printing System) which is used in Mac OS X, Gnu/Linux and other similar operating systems.
The problem is in the showpage operator which is present in every single PostScript document. It is used to print the current page, the bug allows attackers to abuse it and execute their own custom code. The legitimate application overlays the pages and can allow for a lot of dangerous activities – from playing pranks to carrying out complex sabotage. Abusing this mechanism an attacker can also obtain copies of print jobs when being outside of the target network.
The hackers can exploit the web mechanism and initiate a cross-origin resource sharing attack. This is done by following these steps:
The attacker accesses the device by using a hidden iframe instance to send a HTTP Post request to TCP port 9100 of the target victim device.
The HTTP header is printed as a plain text or discarded based on the printer’s settings.
The POST data can contain arbitrary print jobs like PJL or PostScript commands. This allows web attackers to perform various attacks using the victim’s web browser as a carrier.
In addition an enhanced cross-site printing process has also been discovered. Vendors that are known to have models that are vulnerable with some specific advisories are HP, Dell and Lexmark.
Various HP LaserJet models can be reset to factory default settings.
The Konica Minolta Bizhub C454e, HP LaserJet 4200N, HP LaserJet 4250N and the OKI MC342dn can be exploited to expose their passwords.
The proprietary PJL language used by Brother is vulnerable to memory access.
Some models can be exploited and this causes physical damage to the NVRAM chip.
For more information you can read the team’s full report available here.