Ruhr University researchers have uncovered significant security flaws in multi-function printers which may be exploited remotely by hackers to shut down the printers, or more worryingly, modify documents or steal user passwords. Hackers might also exploit the flaws in order to physically damage printers.
The security flaws have already been found in HP, Lexmark and Dell multi-function printers. Twenty such printers are now recognised as containing the flaws.
The relevant printer security flaws are found in common printing languages, first developed some 32 years ago, that are used by manufacturers. The researchers have stated that it may be possible to exploit the flaws in the PJL and PostScript languages remotely by employing advanced cross-site printing techniques, should users be convinced to visit a purpose-built website. The researchers have named the method of remotely hacking PostScript printers “CORS spoofing”. That said, any individual connected to the printers could theoretically take advantage of the flaws.
In order to illustrate the manner in which the weaknesses might be exploited, the researchers at Ruhr University have developed a tool dubbed the Printer Exploitation Toolkit (PRET). PRET can be used to exploit the flaws through USB or via network access. They succeeded in using the tool to modify print jobs, capture data that had been sent to the printer, access the printer file systems and even physically damage the printer itself. GitHub has published proofs of concept which show how the flaws may potentially be exploited in order to steal users’ details.
Alarmingly, the researchers also highlight that devices other than the printer may be hacked because of the flaw. They warn that attackers could work their way further into a network by using the printer as an entry point.
Although exploiting security flaws is ordinarily a complicated process which requires extensive knowledge of the language and systems, in the present case the ‘hacking’ of multi-function printers is relatively simple.
These vulnerabilities are found in many printers, including some from brands like Dell, HP, Lexmark, and Samsung; e.g. the HP LaserJet 1200, 4200N and 4250N, the Samsung Multipress 6345N, and the Dell 3130cn all contain the flaw.
The Ruhr University researchers warn that the printers can’t handle usernames which are longer than 150 characters. When long usernames get sent to the printers, the printers crash and have to be restarted manually. They pointed out that should the right shell code and return address be used, the security weaknesses in the printers may permit remote code execution.
Until the problem is fixed, risk can be mitigated by not keeping printers online. Raw port 9100/tcp printing should be disabled if it is not essential. It should be remembered that such techniques do not fully protect the devices; rather, they make it more difficult for hackers to exploit the flaws. To protect devices, it is recommended that the printers be sandboxed in a separate VLAN and that access be restricted to a hardened print server.
Access to copy rooms should be restricted to authorized personnel, and instructions should be provided to employees on how to report any unusual printouts, e.g. HTTP headers, as they may indicate that printers have come under a cross-site printing attack.
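The "unusual printouts" check above can also be run on the hardened print server before a job reaches the printer. The following is an added example, not code from the researchers or from PRET: it assumes the server can read each raw job as bytes, and `inspect_job`, `flag_jobs` and the sample jobs are hypothetical names and constructed data.

```python
import re

# First line of an HTTP request, as a browser would send it to the raw port.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]$")
# Headers that a web browser, not a print driver, puts in front of the data.
BROWSER_HEADERS = (b"host", b"origin", b"referer", b"user-agent", b"content-type")
# Markers that start real print data: PJL UEL, a PJL command, PostScript.
PRINT_MARKERS = (b"\x1b%-12345X", b"@PJL", b"%!")


def inspect_job(job: bytes) -> dict:
    """Classify one raw job captured on the print server (hypothetical helper)."""
    head, sep, body = job.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF line endings
        head, sep, body = job.partition(b"\n\n")
    lines = head.splitlines()
    if not lines or not REQUEST_LINE.match(lines[0]):
        return {"suspicious": False, "headers": [], "embedded_print_data": False}
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    seen = sorted(n.decode() for n in names if n in BROWSER_HEADERS)
    # Print-language data after the headers means the request carried a job.
    embedded = any(marker in body for marker in PRINT_MARKERS)
    return {"suspicious": True, "headers": seen, "embedded_print_data": embedded}


def flag_jobs(jobs: dict) -> list:
    """Return the names of jobs that should be held and reported."""
    return sorted(name for name, data in jobs.items()
                  if inspect_job(data)["suspicious"])


# Constructed sample jobs: one ordinary PostScript job and two jobs that
# begin with HTTP request headers, as a cross-site print would.
SAMPLE_JOBS = {
    "report.ps": b"%!PS-Adobe-3.0\n%%Title: report\n\nshowpage\n",
    "unknown-1": (b"POST / HTTP/1.1\r\nHost: printer.example:9100\r\n"
                  b"Origin: http://site.example\r\nUser-Agent: ExampleBrowser/1.0\r\n"
                  b"Content-Type: text/plain\r\n\r\n%!\nshowpage\n"),
    "unknown-2": b"GET /favicon.ico HTTP/1.1\r\nHost: printer.example:9100\r\n\r\n",
}

if __name__ == "__main__":
    for name in flag_jobs(SAMPLE_JOBS):
        print(name, inspect_job(SAMPLE_JOBS[name]))
```

A job flagged with `embedded_print_data` set is the more urgent case, because the HTTP request carried PJL or PostScript rather than only stray header text.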