« Cross-Site Printing » or how to attack printers from the Internet?
Date : February 28, 2008
This new attack called “Cross-Site Printing” is based on the well-established techniques used to carry out “Cross-Site Scripting” attacks.
However, this threat is still limited because the attacker needs to know the exact IP address of an internal printer and, moreover, the targeted printer’s behaviour is quite unpredictable in relation to the attack code which is sent.
Analysis:
The “Cross-Site Printing” technique relies on the fact that an internal printer keeps TCP port 9100 open. This port is associated with a printing service called “JetDirect”, “Raw” or “AppSocket”. In most cases it is one of the standard open ports on a network printer, along with 515/TCP (LPD) and 631/TCP (IPP).
TCP port 9100 can be used to send print jobs to the printing equipment without prior authentication. A simple telnet connection to this port is therefore enough to print the characters entered in the session. The actual printing takes place at the end of the session.
This behaviour can also be reproduced from a Web browser by connecting to port 9100 of a network printer using HTTP (http://printer_ip_address:9100).
It then becomes possible to reproduce this action from a Web page. To do so without the victim noticing, the attacker can insert in his Web page an HTML image tag (<IMG>) containing an HTTP connection as mentioned above. As a consequence, when the victim visits a malicious Web page located on a Web server or included in an HTML e-mail, a connection is made on port 9100 to the IP address hard-coded in the attacker’s page.
It is worth noting that, even at this level, the attacker absolutely needs to know the IP address of the targeted equipment to carry out a suitable attack.
At this point, the attacker can only print text characters on the targeted printing equipment. Nevertheless, an attacker who uses the PCL language (“Printer Control Language” [2] and [3]) in his attack code will be able to print standard-looking pages. Tools now exist that convert office or HTML documents to PCL commands ready to be submitted to a printer.
The PCL language also has commands that allow sending a fax. The use of such commands in attack code could be quite problematic if the targeted equipment is an “all-in-one” printer (printer, copier, fax). It is then theoretically possible for a victim to be attacked, with a fax being sent, simply by visiting the malicious Web page. However, the implementation of the fax-related PCL commands strongly depends on the type and model of the targeted printer, which limits the effects of a massive attack.
The study on “Cross-Site Printing” also shows that other PCL commands could allow someone to add a header (banner) to each printed page.
Thus, these techniques could be used by ill-intentioned persons to carry out spam activities in a paper version.
Nevertheless, these kinds of attacks can only be used in a targeted way and require very good knowledge of the victim’s environment.
However, these techniques are still interesting because they complete the set of known attacks which target networked printers and can be associated with “Cross-Site Request Forgery” (XSRF [4]) attacks, which are usually possible on the administrative Web interfaces of printing equipment.
Some advice:
In order to avoid these kinds of malicious actions, it is advisable to:
- Close TCP port 9100 on printers where it is not needed
- Filter access to the printing services exposed by printers: for example, allowing only print servers to access printers can be a good idea
- Update printer firmware in order to install the latest security patches.
To be protected against “Cross-Site Request Forgery” attacks, it is also advisable to:
- Filter access to each printer’s administration service
- Set complex passwords on administration interfaces
- Avoid using desktop computers that have access to the Internet (Web and e-mail) to manage printing equipment (use dedicated computers instead).
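One way to check the filtering advice above against captured traffic, as an added example that is not part of the original advisory: it flags connections to printer ports from hosts other than approved print servers, and raw-port sessions that begin with an HTTP request line, as a browser connecting to port 9100 would produce. The print-server address and the sample sessions are constructed assumptions.

```python
import ipaddress
import re

# Assumed site policy (hypothetical address): only these hosts may print directly.
PRINT_SERVERS = {ipaddress.ip_address("10.0.0.10")}
# Printer ports named in the advisory: raw/JetDirect, LPD, IPP.
PRINTER_PORTS = {9100, 515, 631}

# An HTTP request line at the start of a raw-port session means an HTTP
# client opened the connection, not a print spooler. IPP (631) is itself
# HTTP-based, so this check is applied to port 9100 only.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r?\n")


def review_session(src, dport, first_bytes):
    """Return the findings for one connection towards a printer."""
    findings = []
    if dport not in PRINTER_PORTS:
        return findings
    if ipaddress.ip_address(src) not in PRINT_SERVERS:
        findings.append("source is not an approved print server")
    if dport == 9100 and HTTP_REQUEST_LINE.match(first_bytes):
        findings.append("HTTP request sent to raw printing port")
    return findings


# Constructed sample sessions: (source IP, destination port, first payload bytes).
SAMPLE_SESSIONS = [
    ("10.0.0.10", 9100, b"\x1b%-12345X@PJL JOB\r\n"),
    ("10.0.3.77", 9100, b"GET / HTTP/1.1\r\nHost: 10.0.0.50:9100\r\n"),
    ("10.0.3.78", 631, b"POST /ipp/print HTTP/1.1\r\n"),
    ("10.0.0.10", 80, b"GET / HTTP/1.1\r\n"),
]


def review_all(sessions):
    """Return (src, dport, findings) for every session with at least one finding."""
    reviewed = [(s, p, review_session(s, p, data)) for s, p, data in sessions]
    return [r for r in reviewed if r[2]]


if __name__ == "__main__":
    for src, dport, findings in review_all(SAMPLE_SESSIONS):
        print(src, dport, "; ".join(findings))
```
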
For more information:
[1] - The study on "Cross-Site Printing" : http://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf
[2] - HP PCL Printer Control Language : http://www.piclist.com/techref/language/pcls.htm
[3] - PCL 5 Printer Language Technical Reference Manual : http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13210/bpl13210.pdf
[4] - "Cross-Site Request Forgery" : http://en.wikipedia.org/wiki/Cross-site_request_forgery