Remote printer spam made easy
Security researcher demonstrates a way to use cross-site scripting to remotely spam an internal network printer.
Security researcher Aaron Weaver claims visiting a random Web site could send unwanted print requests to your nearest office printer.
In a paper published in November (PDF), and cited on Wednesday in a blog by Jeremiah Grossman of White Hat Security, Weaver demonstrates the code necessary for sending a formatted page to a remote network printer, and, in an another example, to an intranet addressable fax machine. Since most network printers are behind the corporate firewall and therefore don't have security enabled, Weaver says that a simple iframe added to an Internet Web site could cause an internal network printer to start printing remotely.
The attack is derived from techniques employed within a project called hacking network printers by Adrian "Irongeek" Crenshaw. Weaver notes that most network printers listen on port 9100 and that you can telnet to port 9100, type text, and, once you disconnect, the text will print remotely. That's fine, but he ventures further that network printers also accept PostScript and Printer Control language (PCL) code as well, which creates more interesting printouts.
Weaver writes "within the last year there have been new discoveries on attacking the intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the 'image' resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings."
Add to that list, printer spam. "The attack could be initiated by creating a hidden iframe, and then creating a form and submitting the contents to the printer. Since the connection will not close, a setTimeout could be used to cancel the request so that the printer would print the request."
As a demonstration, Weaver shows how to send an ASCII-drawn advertisement for frogs, and later, using PCL, a message in 20-point Courier: "Your printer is mine!"
One positive use for this would be for the IT or HR department to send a persistent banner reminding employees about the company's printer use policies. A negative use would be to remotely spam all the printers on the local intranet.
At the end of the short paper, Weaver offers some remediation. "First always have an administrator password set on your printer. Secondly look at restricting access to the printer so that it only accepts print jobs from a centralized print server."