In association with heise online

11 January 2008, 12:13

Spammers can deliver to your printer


A paper by Aaron Weaver describes how a web browser can be fooled into connecting to a printer and sending a print job from a crafted HTML page. Networked printers listen on a known port (9100). Once a connection is made, the printer attempts to print any data it has received as soon as the connection is terminated. The most basic example of this attack uses an <img> tag, e.g. <img src="myprinter:9100/Printed_from_the_web">, where myprinter is the IP address of the local printer. This causes the headers of the GET request to be printed once the browser's request has timed out for lack of the expected response from the printer. Although this qualifies as a proof of concept, the "user data", for example "Printed_from_the_web", is URL encoded, so unless it is trivial it will probably be somewhat unreadable.

However, Weaver also offers a more functional technique: coding an HTML form that uses the POST method. For example:

<FORM ACTION='HTTP://YOURPRINTER:9100' ID='MSGFORM' ENCTYPE='MULTIPART/FORM-DATA' METHOD='POST'>
<TEXTAREA NAME='MSG' ID='MSG' WRAP='NONE' ROWS='50' COLS='100'>
TESTING THIS PRINTER OUT.
</TEXTAREA><INPUT TYPE=SUBMIT VALUE=SUBMIT></FORM>

which allows plain text and preformatted ASCII text art to be delivered intact. This still requires the browser's request to time out, but Weaver suggests that JavaScript can be employed to overcome this deficiency. By use of setTimeout, the request can be terminated as soon as the data have been sent. He also gives an example of the use of JavaScript to allow complex formatting of the injected document using PostScript commands.

The fundamental problem is a complete lack of security on most printers: a permanently open port, normally with no authentication. The only hurdle faced by an attacker is determining the printer's IP address. However, an iterator script is hardly challenging to create, and, particularly for printers on home networks, the printer address is unlikely to be difficult or slow to find: it is most likely in the bottom 16 addresses of the 192.168.0.0 private block.

To protect against such attacks, Weaver suggests setting an admin password on the printer, and ideally piping all print jobs via a trusted print server. However, neither of these options is generally available to the home user. But as the technique is so simple and the ideal vector for its distribution would be Iframe injection into the pages of unsecured legitimate web sites, consumer-oriented printer spam may become commonplace in the future.
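Where print jobs do pass through a print server, the server can recognise jobs that came from a browser, because they begin with an HTTP request line and headers rather than printer data. The following check is an added example, not taken from Weaver's paper or from this article; the function name and the sample jobs are constructed for illustration.

```python
import re

# First line a browser sends: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) (\S+) HTTP/1\.[01]\r?\n")
HEADER = re.compile(rb"^([A-Za-z0-9-]+):[ \t]*(.*?)\r?$", re.M)

# Constructed sample: what the POST form shown above would put on the wire.
BROWSER_JOB = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 192.168.0.10:9100\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Referer: http://compromised.example/page.html\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n"
    b"\r\n"
    b'------x\r\nContent-Disposition: form-data; name="MSG"\r\n\r\n'
    b"TESTING THIS PRINTER OUT.\r\n------x--\r\n"
)
# Constructed sample: the start of an ordinary PostScript job from a spooler.
POSTSCRIPT_JOB = b"%!PS-Adobe-3.0\n%%Title: report\n/Courier findfont 12 scalefont setfont\n"


def classify_job(data: bytes) -> dict:
    """Decide whether a raw job received for port 9100 should be printed.

    Spoolers send PostScript, PCL, PJL or plain text. A job that opens with
    an HTTP request line was produced by a browser, so it is rejected and
    the headers useful for tracing the injecting page are returned.
    """
    m = REQUEST_LINE.match(data)
    if m is None:
        return {"verdict": "accept", "reason": "no HTTP request line"}
    # The header block ends at the first blank line; the body is ignored.
    head = re.split(rb"\r?\n\r?\n", data, maxsplit=1)[0]
    headers = {k.lower().decode(): v.decode("latin-1") for k, v in HEADER.findall(head)}
    return {
        "verdict": "reject",
        "reason": "job starts with an HTTP request",
        "method": m.group(1).decode(),
        "target": m.group(2).decode("latin-1"),
        "referer": headers.get("referer"),
        "user_agent": headers.get("user-agent"),
        "content_type": headers.get("content-type"),
    }


if __name__ == "__main__":
    for job in (BROWSER_JOB, POSTSCRIPT_JOB):
        print(classify_job(job))
```

The Referer value, when the browser sends one, identifies the page that triggered the request, which is the starting point for finding an injected Iframe.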


(mba)

Permalink: http://h-online.com/-735793