web application security lab

Cross Site Printing

Aaron Weaver has taken the concept of inter-protocol XSS hacking to the next annoying level. That’s right folks, he has figured out that you can do cross site printing. That is, when you visit a malicious website, it can attempt to connect to and send data to your printer on your local network. The obvious use? You got it, spam!

So now, when you visit sites, there is a potential for them to spam you, similar to the way some people receive FAX spam. While he has only gone so far as to show how you can send ASCII art, it would be interesting to see if a PostScript formatted file could be sent in a way that the printer would understand and print. For the time being, however, we are limited to low def ASCII art spam.

However, there are some fairly complicated programs that analyze photos and generate ASCII art from them. Things will get nastier once this turns into actual exploits against the printers themselves, as many printers contain copies of printed materials for weeks or years afterwards. Also, it’s possible this could get people fired, depending on the content of the print job (no pun intended). Very interesting research by Aaron Weaver!

15 Responses to “Cross Site Printing”

  1. david Says:

    Very cool. Also look at it from a different direction. If a site is also vulnerable to XSS, send the data collected via XSS to someone else’s printer. What about the various internet-connected printers at corporations and universities? Dump the results of an XSS to a university computer lab printer and go pick it up? Why give away your own IP addr trying to collect data?

  2. Aaron Says:

    If your printer supports PJL (not all do, but most office printers do) then you can go full-blown PostScript.

    This command sends the PJL command:
    String.fromCharCode(27) + “%-12345X@PJL ENTER LANGUAGE

    Then set it = POSTSCRIPT.

    Then send along the postscript.

  3. vindic Says:

    awesome! go print something :)

  4. sirdarckcat Says:

    awezome it works!!! xD

  5. application.secure Says:

    Ok, what about the “all to web application” philosophy???

    You have the same problem with all devices in a company which use a web interface to be managed….

    And it seems that more and more devices use this technique…

  6. farsideman Says:

    I wonder if network copiers are also vulnerable.

  7. Walker Says:

    Which browsers are at risk?

  8. LqIP Says:

    I think - Opera

  9. Ferdball Says:

    Well that’s just great. Is this something that should be addressed by the browser vendor, or at the web proxy?

  10. Solrac !! Says:

    Hey, this exploit is great but I’m kind of a newbie… not in computer handling but in XSS protocol and other related things… where can I learn more…

    P.S. It’s obvious that I can’t get the thing working :P

  11. jackthecoiner Says:

    Google Web Accelerator happens to run on that port as well (localhost):
    http://webaccelerator.google.com/support.html#basics7

  12. C. R. Dick Says:

    I got it to work on Linux by typing http://:9100/garbage
    It printed the standard stuff you’d see in a web server log with a GET.
    I believe it will work from any browser, any OS, they all support HTTP protocol.

    As such this is of limited threat, since the attacker would have to know your printer name or IP ahead of time. I suppose in a University setting you could find it out and just hard code it for a specific printer.

    More interestingly, what exploit would a remote hacker use to scan the local network to get the printer IP or name in general and plug that into an HTTP GET so he can spam it?

  13. C. R. Dick Says:

    Oops, it ate my pseudocode (to avoid XSS no doubt). I’ll try bbcode. That address should be
    http:// [printer ip] :9100/garbage

  14. DigDug Says:

    We just got spammed on our own network printer, inside the corporate LAN just as described. Fortunately the foreign print job was a perfect copy of the washingtonpost.com article on this very subject by Robert McMillan. The article quotes Mr. Hansen as saying there was no precedent as of Jan. 9 when the article was published. I’m here to say it has started, but this was the best spam we could get, all about how it’s done so we can reverse engineer and shut it down. I advise other corporate IT folks to start doing the same before some real nasty stuff starts showing up in the receptionist’s tray.

  15. Simone Says:

    Hi, I would like to know if it’s possible to send this type of script/spam through the network without the print driver installed on the computer…
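
Comment 12 observes that a browser request to port 9100 prints the HTTP request itself; that same framing lets a gateway or print server sitting in front of the printer recognise browser-originated jobs and drop them. The code below is an added example, not code from the post, the comments or Aaron Weaver's research; the function name, the sample jobs and the 192.0.2.10 address are constructed for illustration.

```javascript
// Added example: classify a raw port-9100 job as browser-originated or not.
const HTTP_REQUEST_LINE =
  /^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) (\S+) HTTP\/1\.[01]\r?\n/;
const UEL = "\x1b%-12345X"; // PJL job prefix, as quoted in comment 2

// Inspect the first bytes received on the raw print port (hypothetical helper).
function classifyRawJob(buf) {
  const head = buf.subarray(0, 4096).toString("latin1");
  const m = HTTP_REQUEST_LINE.exec(head);
  if (!m) {
    // No HTTP framing: what a print driver normally sends.
    return { browserOriginated: false, startsWithPjl: head.startsWith(UEL) };
  }
  // Headers end at the first blank line; everything after is the request body.
  const sep = head.search(/\r?\n\r?\n/);
  const headerBlock = sep === -1 ? head : head.slice(0, sep);
  const body = sep === -1 ? "" : head.slice(sep);
  const headers = {};
  for (const line of headerBlock.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) {
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
  }
  return {
    browserOriginated: true,
    method: m[1],
    path: m[2],
    // Origin/Referer name the page that triggered the request (for blocklists).
    source: headers["origin"] || headers["referer"] || null,
    userAgent: headers["user-agent"] || null,
    // PJL inside an HTTP body means the page tried to switch printer language.
    bodyHasPjl: body.includes(UEL + "@PJL"),
  };
}

// Constructed sample jobs: a browser form POST and a driver-generated PJL job.
const browserJob = Buffer.from(
  "POST / HTTP/1.1\r\n" +
  "Host: 192.0.2.10:9100\r\n" +
  "User-Agent: ExampleBrowser/1.0\r\n" +
  "Referer: http://spam.example/page.html\r\n" +
  "Content-Type: text/plain\r\n\r\n" +
  "unsolicited text\r\n", "latin1");
const driverJob = Buffer.from(UEL + "@PJL JOB\r\n", "latin1");

console.log(classifyRawJob(browserJob));
console.log(classifyRawJob(driverJob));
```

The `source` and `userAgent` fields are worth logging even when the job is dropped, since they identify which page and which workstation produced the request.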