HP Printers: The Hidden Threat

by DarKry  (darkry@gmail.com)

I was recently reading a book of fictitious scenarios in which a hacker gains access to a network through a printer.

The book cited a tool called Hijetter available at Phenoelit.  Hijetter is a tool for Windows which uses HP's Printer Job Language (PJL) protocol to connect to and perform simple tasks on certain printers.

Curiosity got the best of me so I started doing a little research into what exactly these printers are capable of.

First let's look at some of the features built into these printers; many ship with built-in web servers which allow for remote administration.  These servers allow a remote administrator to see the status of the printer, view recent print jobs, and change environment variables.

It is worth mentioning that HP did build in password protection, but it is disabled by default, and in fact, in all my exploring, I didn't find a single printer that had a password set.

Many of these printers also have an FTP server enabled by default, and again the passwords are a joke.

Different models have different default passwords and to list them here would be pointless (use Yandex/Google).

In case the implications aren't obvious to everyone yet let's review.

These printers have web (HTTP) and FTP servers running out of the box.  With a beefy 8 MB of flash memory storage, a printer suddenly becomes an attractive place to anonymously store all sorts of fun things.  But this is only the tip of the iceberg.

First let's look at how to find printers.

As an administrator is setting up a network he is worried about a lot of things.  Keeping the bad guys out is top priority.  After configuring a firewall to only allow the right people access to the right ports the rules can start to look like a giant game of Plinko.

It is understandable that blocking the printer's raw print port (TCP 9100, the JetDirect port) from outside access may not have crossed the admin's mind.  In fact there are valid reasons to allow this, for instance, to let employees print from home.

All ports aside, a printer definitely doesn't appear to be a threat.  After all, what damage can a printer do?

Fire up Nmap and run a scan on your corporate network for machines with port 9100 open.

Once you have a list, try surfing to each address.  Chances are most of them will have a web server.  Those who are interested in getting their hands dirty can get a library for PJL communication, also from the folks at Phenoelit.

Now so far this has been a relatively benign hack.

We have accessed a printer and the most damage we can do is lock it with an error or print "Insert Coin" on the LCD display.  I was starting to get bored with all this and about to move on to bigger and better things when I noticed something strange about some of the newer printers that I was finding.
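The following Python script is an added example for this article; it is not code from the original, from Hijetter, or from Phenoelit's PJL library.  It ties the steps above together: it reads Nmap's grepable output (from something like `nmap -p 9100 --open -oG scan.gnmap 10.0.0.0/24`, a command assumed here) to pull out the hosts answering on TCP 9100, then speaks just enough PJL to ask each printer its model (`@PJL INFO ID`), its status (`@PJL INFO STATUS`) and a listing of its flash filesystem (`@PJL FSDIRLIST`, the storage mentioned earlier), and optionally sets the front-panel text with `@PJL RDYMSG DISPLAY="..."`.  The Nmap lines and the printer reply embedded in it are constructed so that the parsing runs offline; the PJL commands themselves are HP's documented ones.

```python
"""Find raw-print hosts in an Nmap -oG file and query them over PJL.

Added example, not part of the original article or of Hijetter.
Assumed usage (see lead-in):
    nmap -p 9100 --open -oG scan.gnmap 10.0.0.0/24
    python pjl_probe.py scan.gnmap
Run with no argument to exercise the parsers on the constructed samples.
"""
import socket
import sys
from typing import Optional

UEL = b"\x1b%-12345X"   # Universal Exit Language: switches the printer into/out of PJL
PJL_PORT = 9100         # raw print port the article has Nmap look for

# Constructed Nmap grepable (-oG) output, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p 9100 --open -oG - 10.0.0.0/28
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (0)
Host: 10.0.0.7 ()\tPorts: 9100/filtered/tcp//jetdirect///
Host: 10.0.0.9 (print1.corp.example)\tPorts: 9100/open/tcp//jetdirect///
# Nmap done
"""

# Constructed reply a printer might return to the three INFO/FSDIRLIST queries.
# Each PJL answer echoes the command, then its data, then a form feed (0x0C).
SAMPLE_RESPONSE = (
    b'@PJL INFO ID\r\n"HP LaserJet 4100 Series"\r\n\x0c'
    b'@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n\x0c'
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n. TYPE=DIR\r\n.. TYPE=DIR\r\n'
    b'PostScript TYPE=DIR\r\nwebServer TYPE=DIR\r\nsecret.pdf TYPE=FILE SIZE=40960\r\n\x0c'
)


def hosts_with_port_open(gnmap: str, port: int = PJL_PORT) -> list:
    """Return the hosts whose -oG 'Ports:' column lists `port` as open."""
    hosts = []
    for line in gnmap.splitlines():
        if not line.startswith("Host: "):
            continue
        cols = line.split("\t")
        host = cols[0].split()[1]
        ports = next((c[len("Ports: "):] for c in cols if c.startswith("Ports: ")), "")
        for entry in ports.split(","):
            f = entry.strip().split("/")        # port/state/proto/owner/service/...
            if len(f) >= 2 and f[0] == str(port) and f[1] == "open":
                hosts.append(host)
    return hosts


def pjl_job(*commands: str) -> bytes:
    """Wrap PJL commands in UEL so the printer leaves PCL/PostScript for PJL."""
    body = "".join(f"@PJL {c}\r\n" for c in commands)
    return UEL + b"@PJL\r\n" + body.encode("ascii") + UEL


def parse_pjl_response(raw: bytes) -> dict:
    """Split a raw reply into {echoed command: data lines}, one entry per form feed."""
    out = {}
    for chunk in raw.split(b"\x0c"):
        lines = [l for l in chunk.decode("ascii", "replace").split("\r\n") if l]
        if lines and lines[0].startswith("@PJL "):
            out[lines[0][5:]] = lines[1:]
    return out


def printer_summary(reply: dict) -> dict:
    """Pull out what a tester writes down: model, panel state, root listing."""
    summary = {}
    for cmd, lines in reply.items():
        if cmd == "INFO ID" and lines:
            summary["model"] = lines[0].strip('"')
        elif cmd == "INFO STATUS":
            kv = dict(l.split("=", 1) for l in lines if "=" in l)
            summary["status_code"] = int(kv.get("CODE", 0))
            summary["display"] = kv.get("DISPLAY", "").strip('"')
            summary["online"] = kv.get("ONLINE") == "TRUE"
        elif cmd.startswith("FSDIRLIST"):
            files = {}
            for l in lines:                      # "name TYPE=DIR" or "name TYPE=FILE SIZE=n"
                name, _, attrs = l.partition(" TYPE=")
                if name in (".", "..") or not attrs:
                    continue                     # skips dot entries and FILEERROR lines
                kind, _, size = attrs.partition(" SIZE=")
                files[name] = int(size) if kind == "FILE" and size else None
            summary["files"] = files
    return summary


def probe(host: str, display_msg: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Query one printer over TCP 9100; optionally set its LCD text as the article describes."""
    cmds = ["INFO ID", "INFO STATUS", 'FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=65535']
    if display_msg:
        cmds.append(f'RDYMSG DISPLAY="{display_msg}"')
    raw = b""
    with socket.create_connection((host, PJL_PORT), timeout=timeout) as s:
        s.sendall(pjl_job(*cmds))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                raw += data
        except socket.timeout:
            pass        # printers hold the connection open; silence means "done"
    return printer_summary(parse_pjl_response(raw))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            for h in hosts_with_port_open(fh.read()):
                print(h, probe(h))
    else:
        print(hosts_with_port_open(SAMPLE_GNMAP))
        print(printer_summary(parse_pjl_response(SAMPLE_RESPONSE)))
```

Printers without a flash or disk volume answer `FSDIRLIST` with an error code instead of entries, which the parser simply records as an empty listing; a printer that is mid-job may hold the socket for longer than the timeout, so treat a partial reply as "retry later" rather than "nothing there".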

I kept seeing references to something called Chai Java.  This got me interested again.

Could it be that some of these printers actually had a Java Virtual Machine (JVM) built into them?

That would mean that any code I wrote could be run from a printer, but more importantly a printer inside a target network.

After playing around a bit more I found that, yes, this really was possible.  From the web server on these printers you can upload code to be run on the printer.

Chai Java is still in its infancy, but already it is possible to run all sorts of interesting things.  More to the point, a crucial step has been removed.

The most difficult step in breaking into a network has always been finding a way past the firewalls.  Suddenly, instead of searching for a vulnerable machine, an intruder can simply connect to a printer's web interface and upload a proxy.

As far as security goes it's as bad as having internal network jacks on the outside wall of your corporate headquarters.

Shouts of course go out to DarkLordZim, BrutalInquisition, Razorwire, and the rest of the crew on mediamonks.
