printer exploitation
09th Septembder 2019

Network Printers are vulnerable to hackers

Last year's cyber attack in order to promote PewDiePie's youtube channel throws light in another, often disregarded network device i.e. Printer.

A small printer may seem harmless but being a part of network can be an entry point for an attacker to perform malicious activities in a network.

This may sound crazy, but it's true!

The war for "most-subscribed Youtube channel" crown between T-Series and PewDiePie just took an interesting turn after a hacker hijacked more than 50,000 internet-connected printers worldwide to print out flyers asking everyone to subscribe to PewDiePie YouTube channel.

Printer Evolution

printer evolution

Languages used by printers

  • PJL
  • PS
  • PCL

Printer Job Language (PJL)

The Printer Job Language (PJL) was originally introduced by HP but soon became a standard for print job control. PJL resides above other printer languages and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. PJL is further used to set the file format of the actual print data to follow.

Manages settings like output tray or paper size


NOT limited to the current print job

PostScript (PS)

The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. While PostScript has lost popularity in desktop publishing and as a document exchange format to PDF, it is still the preferred page description language for laser printers. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. PostScript supports bidirectional communication been host and printer.

Example PostScript code to echo Hello world to stdout is given below:

%! (Hello world) print

Printer Common Language (PCL)

The Printer Command Language (PCL) as specified in is a minimalist page description language supported by a wide variety of vendors and devices. Along with PostScript, PCL represents a de facto standard printer language. Similar to PostScript, it's origins date back to the early 80s with PCL 1 introduced by HP in 1984 for inkjet printers. PCL 3 and PCL 4 added support for fonts and macros which both can be permanently downloaded to the device - however only referenced to by a numeric id, not by a file name, as direct access to the file system is not intended. PCL 1 to 5 consist of escape sequences followed by one or more ASCII characters representing a command to be interpreted. PCL 6 Enhanced or 'PCL XL' uses a binary encoded, object oriented protocol.

An example PCL document to print 'Hello world' is given below:

EHello world

Attack Model

attack model

Framework Used

Framework Used

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Proof of Concept

Network Printers Being Detected
Printer Shell Obtained
Upon Sending PJL command the above printout was obtained.

Counter Measures

  • Employees: Always lock the copy room
  • Administrators: Sandbox printers in a VLAN accessible only via print server
  • Printer vendors: Undo insecure design decisions (PostScript, proprietary PJL)
  • Browser vendors: Block port 9100