hacktricks/network-services-pentesting/pentesting-printers/print-job-manipulation.md
2022-12-05 23:29:21 +01:00


<details>
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
# Content Overlay
One simple way to manipulate the appearance of printouts is to **use** overlays. \
[**PCL**](./#pcl) has a documented function to put **overlay macros** on top of a document. Unfortunately, this feature is **limited to the current print job** and cannot be made permanent. \
[**PostScript**](./#postscript-ps) does not offer such functionality by default; however, it can be programmed in by **redefining the showpage** operator, which is contained in every PostScript document to print the current page. The attacker can **hook in there**, execute her own code and then call the original version of the operator.\
Therefore she can overlay all pages to be printed with a custom EPS file. This hack can be used to **add arbitrary graphics or fonts to hard copies of a document** (it is possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content).\
Obviously, such an approach can only be successful if PostScript is used as the printer driver and no `StartJobPassword` is set.
![](http://hacking-printers.net/wiki/images/thumb/9/93/Overlay.jpg/300px-Overlay.jpg)
**How to test for this attack?**
Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `cross` or `overlay` commands in ps mode, then disconnect and print an arbitrary document:
```
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> overlay overlays/smiley.eps
printer:/> cross whoa "HACKED"
printer:/> exit
```
# Content Replacement
Even if an attacker can put an overlay above existing documents, she will not be able to **alter specific values** in the original document unless its exact structure is known. Sometimes one does not only want to add custom content, but also to **parse and replace parts** of the existing document. \
The problem of replacing text in PostScript files can be reduced to the **problem of extracting strings** from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option.\
You can use a **redefined `show` operator**. The show operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, **text** can elegantly be **extracted**. This approach can also be used for targeted **searching and replacing** in strings immediately **before** they are **painted**. \
The approach is **successful** for **LaTeX**-based PostScript documents which are sent directly to the printer, while it **fails** for PostScript files generated by **GIMP**, which **creates raster graphics** of strings instead of the strings themselves. The same issue occurs for any document format, even PostScript itself, when processed by CUPS. Theoretically, such language constructs could also be parsed and should be the subject of further research.
**How to test for this attack?**
Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `replace` command in ps mode, then disconnect and print a PostScript document containing DEF:
```
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> replace "ABC" "DEF"
printer:/> exit
```
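
For defenders, both techniques above leave the same trace in a spooled job: a redefinition of `showpage` or `show`, combined with `startjob` or `exitserver`, the standard PostScript operators that `StartJobPassword` gates. The following scanner is an added example, not part of the original page or of PRET; it is a heuristic, and its function names, verdict labels and sample jobs are constructed for illustration. A `/showpage { } def` that stays inside the job is commonly used when embedding EPS, so it is only marked for review.

```python
import re

HOOKED = {"showpage", "show"}               # operators the page describes hooking
UNENCAPSULATE = {"startjob", "exitserver"}  # operators that leave job encapsulation
CODE = re.compile(r"%[^\r\n]*|[(){}]|/?[^\s%(){}\[\]<>/]+|/|.", re.S)
STRING = re.compile(r"\\.|[()]|[^\\()]+|.", re.S)

def tokens(ps):
    """Yield names and braces; skip % comments and nested ( ) string literals."""
    i = depth = 0
    while i < len(ps):
        m = (STRING if depth else CODE).match(ps, i)
        i, t = m.end(), m.group()
        if t == "(" or (t == ")" and depth):
            depth += 1 if t == "(" else -1
        elif not depth and not t[0].isspace() and t[0] not in "%[]<>)":
            yield t

def redefined_ops(toks):
    """Heuristic: /name { ... } [bind] def|put|store for a hooked operator."""
    found = set()
    for i, t in enumerate(toks):
        if t[1:] not in HOOKED or t[0] != "/" or toks[i + 1:i + 2] != ["{"]:
            continue
        depth, j = 0, i + 1
        while j < len(toks):                # skip the balanced procedure body
            depth += (toks[j] == "{") - (toks[j] == "}")
            j += 1
            if depth == 0:
                break
        tail = [x for x in toks[j:j + 2] if x != "bind"]
        if tail and tail[0] in ("def", "put", "store"):
            found.add(t[1:])
    return found

def classify(job):
    """alert: hook outside job encapsulation; review: hook scoped to one job."""
    toks = list(tokens(job))
    ops = redefined_ops(toks)
    if ops and UNENCAPSULATE & set(toks):
        return "alert", ops
    return ("review" if ops else "clean"), ops

# Constructed sample jobs (not captured traffic); procedure bodies are placeholders.
PLAIN = "%!PS\n% /showpage { } def\n72 720 moveto (a /show {x} def) show\nshowpage\n"
EPS_EMBED = "%!PS\nsave /showpage { } def\n(fig.eps) run\nrestore showpage\n"
HOOK = "%!PS\ntrue 0 startjob pop\n/show { body_elided } bind def\n"
if __name__ == "__main__":
    print({n: classify(j) for n, j in [("plain", PLAIN), ("eps", EPS_EMBED), ("hook", HOOK)]})
```

The check only recognises a literal procedure body after the operator name; a job that builds the name or the definition dynamically will not match, so treat a "clean" verdict as absence of the obvious pattern only.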