exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hacking Printers Advisory 5

Hacking Printers Advisory 5
Posted Jan 31, 2017
Authored by Jens Mueller

This post is about resetting a printer to factory defaults through ordinary print jobs, therefore bypassing all protection mechanisms like user-set passwords.

tags | advisory
SHA-256 | c0d3ac08f94bc071adf9e63784f30829f42fad0694c4e352f9eb78b9c01cd3f8

Hacking Printers Advisory 5

Change Mirror Download
TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 5 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
resetting a printer to factory defaults through ordinary print jobs,
therefore bypassing all protection mechanisms like user-set passwords.
The attack can be performed by anyone who can print, for example through
USB or network. It can even be carried out by a malicious website, using
cross-site printing techniques (see

========================[ Factory Defaults ]==========================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verfied for the devices listed below:

- HP LaserJet 4200N (Firmware version: 20050602) a PML based attacks
- HP LaserJet 4250N (Firmware version: 20150130) a PML based attacks
- HP LaserJet P2015dn (Firmware version: 20070221) a PML based attacks
- HP LaserJet M2727nfs (Firmware version: 20140702) a PML based attacks
- HP LaserJet 3392 AiO (Firmware version: 20120925) a PML based attacks
- HP LaserJet CP1515n (Firmware version: 20120110) a PML based attacks
- Lexmark X264dn (Firmware version: NR.APS.N645) a SNMP only
- Lexmark E360dn (Firmware version: NR.APS.N645) a SNMP only
- Lexmark C736dn (Firmware version: NR.APS.N644) a SNMP only
- Dell 1720n (Firmware version: NM.NA.N099) a SNMP only
- Kyocera FS-C5200DN (Firmware version: 2011.05.16) a SNMP only

Further HP printers are likely to be affected.
Vendor informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Printer-MIB' (RFC3805) defines the prtGeneralReset Object (OID which allows an attacker to restore factory
defaults (resetToFactoryDefaults(6)) using SNMP (port 161/udp). This is
a legitimate feature, but can also be used by an attacker to
remove/bypass protection mechanisms like user-set passwords for the
embedded web server, PJL and PostScript if the default/public SNMP
community string has not been changed:

snmpset -v1 -c public printer i 6

In many scenarios an attacker does not have the capabilities to perform
SNMP requests because of firewalls or unknown SNMP community strings. On
HP devices however, she can transform SNMP into its PML representation
and embed the request within a legitimate print job:

@PJL DMCMD ASCIIHEX="040006020501010301040106"

This way, anyone who can print can reset the device to factory defaults
and hereby remove any protection mechanisms.

-------------------------[ Proof of Concept ]-------------------------

A Python based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset

Note that if your printer does not restart and restore factory defaults,
it may still be vulnerable to SNMP based attacks as mentioned above.

-----------------------[ Further Information ]------------------------

Information on this bug/feature of SNMP and PML can be found at:

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By