Software packages
Info from http://hacking-printers.net/wiki/index.php/Software_packages
In the recent years, printer vendors have started to introduce the possibility to install custom software on their devices. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors, not for end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is NSi AutoStore [1] which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat. Furthermore code signing of software packages is potentially harder than it is for firmware as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.
Vendors
In the following a rough outline on the software platforms provided by major printer vendors to extend functionality of their devices is given.
HP (Chai/OXP)
HP introduced their ‘Chai Appliance Platform’ platform in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first [2], access was later restricted to members of HP's developer network. Chai servlets which come as .jar
files which originally needed to be certified and signed by HP before they would be accepted by a printer device. [3] discovered a flaw in the deployment process: by installing EZloader – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: [4] were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on [5] who extended the device to support load-balancing and included the required SDK files and proprietary Java libraries in their demonstration. With the libraries, arbitrary Java code can be complied and executed on older HP LaserJets by uploading the .jar
files to a ‘hidden’ URL: http://printer/hp/device/this.loader
. This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from /dev/rdsk_jdi_cfg0
with PostScript (see file system access) or bypassed by resetting the device to factory defaults. A web attacker can upload the .jar
file using CSRF if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ (OXP) instead of Chai for which no SDK is publicly available.
Canon (MEAP)
The ‘Multifunctional Embedded Application Platform’ (MEAP) is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third party developers can obtain the MEAP SDK for a fee of $5,000 which is certainly out of scope for research purposes.
Xerox/Dell (EIP)
The ‘Extensible Interface Platform’ (EIP) [6] was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The SDK is freely available for registered developers.
Brother (BSI)
The ‘Brother Solutions Interface’ (BSI) is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the SDK is available to licensed developers.
Lexmark (eSF)
The ‘Embedded Solution Framework’ (eSF) was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to [7] ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.
Samsung (XOA)
The ‘eXtensible Open Architecture’ (XOA) was introduced by Samsung in 2008 and comes in two flavours: the XOA-E Java virtual machine and the web services based XOA-Web. The SDK is only available to Samsung resellers.
Ricoh (ESA)
The ‘Embedded Software Architecture’ (ESA) [8] was launched by Ricoh in 2004. The Java based SDK/J is available to developers after a registration.
Kyocera/Utax (HyPAS)
The ‘Hybrid Platform for Advanced Solutions’ (HyPAS) [9] has been released by Kyocera in 2008. Applications are based either on Java or on web services. The SDK is only available for members of the ‘HyPAS Development Partner Programme’ and applications have to be approved by Kyocera.
Konica Minolta (bEST)
The ‘bizhub Extended Solution Technology’ (bEST) [10] which is based on web services was introduced by Konica Minolta in 2009. Access to the SDK requires ‘platinum membership level’ in the developer program for a fee of $4,000 which is out of scope for independent researchers.
Toshiba (e-BRIDGE)
The ‘e-BRIDGE Open Platform’ (e-BRIDGE) was released by Toshiba in 2008 to customize their high-end MFPs based on web services technology. An SDK is not available to the general public.
Sharp (OSA)
The ‘Open Systems Architecture’ (OSA) [11] was announced by Sharp in 2004. The SDK used to develop web services is fee-based and applications need to be validated by Sharp before they can be installed on an MFP.
Oki (sXP)
The ‘smart eXtendable Platform’ (sXP) [12] which is based on web services was launched by Oki Data in 2013 for their MFP devices. Oki does not publish any information regarding an official developer program or publicly available SDK.
Results
On older HP laser printers, arbitrary Java bytecode can be executed as demonstrated by [3] and [4]. Security is based on the password of the embedded web server which can be easily retrieved with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of other software platforms because of lacking access to the SDK and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below:
Vendor
Platform
Embedded Java
Web services
Deployment
HP
Chai/OXP
✔
✔
web server
Xerox/Dell
EIP
✔
unknown
Canon
MEAP
✔
✔
unknown
Brother
BSI
✔
unknown
Lexmark
eSF
✔
unknown
Samsung
XOA
✔
✔
web server
Ricoh
ESA
✔
unknown
Kyocera/Utax
HyPAS
✔
✔
USB drive
Konica Minolta
bEST
✔
unknown
Toshiba
e-Bridge
✔
unknown
Sharp
OSA
✔
unknown
Oki
sXP
✔
unknown
How to test for this attack?
Obtain an SDK and write your own proof-of-concept application or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP). Also check which protection mechanisms exist to install custom software on the device.
Who can perform this attack?
Depended on how software packages are deployed.
Last updated