Printer Exploitation Toolkit: PRET [398 Days to Congressional MidTerm Elections]

Printer Exploitation Toolkit: PRET

From the post:

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. PRET connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers today. This allows PRET to do cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and a printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Billed in the post as:

The tool that made dumpster diving obsolete (emphasis in original)

I would not go that far, after all, there are primitives without networked printers, or so I have heard. For those cases, dumpster diving remains a needed skill.

Reading Exploiting Network Printers – A Survey of Security Flaws in Laser Printers and Multi-Function Devices (the master’s thesis) isn’t required, but it may help extend this work.


Over the last decades printers have evolved from mechanic devices with microchips to full blown computer systems. From a security point of view these machines remained unstudied for a long time. This work is a survey of weaknesses in the standards and various proprietary extensions of two popular printing languages: PostScript and PJL. Based on tests with twenty laser printer models from various vendors practical attacks were systematically performed and evaluated including denial of service, resetting the device to factory defaults, bypassing accounting systems, obtaining and manipulating print jobs, accessing the printers’ file system and memory as well as code execution through malicious firmware updates and software packages. A generic way to capture PostScript print jobs was discovered. Even weak attacker models like a web attacker are capable of performing the attacks using advanced cross-site printing techniques.

As of July of 2016, Appendix A.1 offers a complete list of printer CVEs. (CVE = Common Vulnerabilities and Exposures.)

The author encountered a mapping issue when attempting to use vFeed to map between CVEs to CWE (CWE = Common Weakness Enumeration).

Too many CWE identifier however match a single CVE identifier. To keep things clear, we instead grouped vulnerabilities into nine categories of attack vectors as shown in Table 3.2. It is remarkable that half of the identified security flaws are web-related while only one twelfth are caused by actual printing languages like PostScript or PJL.
… (page 11 of master’s thesis)

I haven’t examined the mapping problem but welcome suggestions from those of you who do. Printer exploitation is a real growth area in cybersecurity.

I mentioned the 398 Days to Congressional MidTerm Elections in anticipation that some bright lasses and lads will arrange for printers to print not only at a local location but remote one as well.

Think of printers as truthful but not loyal campaign staffers.


Leave a Reply

You must be logged in to post a comment.