Author Topic: HP laser printers: RCE via PostScript (Read 369 times)

madires · « **on:** February 17, 2025, 09:36:20 am »

Certain HP LaserJet Pro, HP LaserJet Enterprise, HP LaserJet Managed Printers – Potential Remote Code Execution and Potential Elevation of Privilege (https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007)

'Certain' is an understatement for 100+ printer models.

5U4GB · « **Reply #1 on:** February 17, 2025, 10:58:42 am »

You can do it with PCL as well. 30-odd years ago I used to modify the LCD displays on the work printers to say things like "Insert 20c" (from video games) or "Out of cheese".

Halcyon · « **Reply #2 on:** February 17, 2025, 11:23:45 am »

Quote from: 5U4GB on February 17, 2025, 10:58:42 am

You can do it with PCL as well. 30-odd years ago I used to modify the LCD displays on the work printers to say things like "Insert 20c" (from video games) or "Out of cheese".

"PC Load Letter" was a personal favourite... since we use A4, not letter.

peter-h · « **Reply #3 on:** February 17, 2025, 03:45:21 pm »

This is better though
https://www.eevblog.com/forum/security/hacking-a-toothbrush/

Nominal Animal · « **Reply #4 on:** February 18, 2025, 02:36:06 am »

Typical print jobs on these printers are executed on these printers, and the results printed on paper; PostScript itself is actually a programming language. The privilege escalation is valid issue, but remote code execution when that's their primary purpose?

SiliconWizard · « **Reply #5 on:** February 18, 2025, 04:20:43 am »

A Postscript interpreter that would allow any kind of escalation is pretty bad IMHO, but if you implement this on a relatively general-purpose OS (which I guess is what printers have now) with no particular isolation, that's what you are bound to get. Maybe the solution is to avoid asking script kiddies to design printers.

peter-h · « **Reply #6 on:** February 18, 2025, 09:40:03 am »

I would have expected the original Laserjet to have been written in assembler

What is the problem with a printer being hacked to run code of the attacker's choosing and use this to print something? I suppose you could do practical tricks like randomly changing currency symbols

What would be a problem, and this is true for anything on a LAN, is using the device to attack other devices from the inside. For example set up a fake DNS server. That could be very useful.

Nominal Animal · « **Reply #7 on:** February 18, 2025, 09:50:13 am »

Yeah, the actual issue is obviously that malformed inputs can cause the PostScript/PCL interpreter to goof up, and execute some of the input as underlying machine code. I was really poking fun at the reporting, as so few people even remember that PostScript is a language, not just an image format of some kind. Would they report a similar bug in the Python interpreter as RCE?


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

EEVblog Electronics Community Forum

Author Topic: HP laser printers: RCE via PostScript (Read 369 times)

madires

HP laser printers: RCE via PostScript

5U4GB

Re: HP laser printers: RCE via PostScript

Halcyon

Re: HP laser printers: RCE via PostScript

peter-h

Re: HP laser printers: RCE via PostScript

Nominal Animal

Re: HP laser printers: RCE via PostScript

SiliconWizard

Re: HP laser printers: RCE via PostScript

peter-h

Re: HP laser printers: RCE via PostScript

Nominal Animal

Re: HP laser printers: RCE via PostScript

Share me