
Printers are spontaneously printing odd "SQL" strings - jpswade
https://discussions.apple.com/thread/4220060
======
rachelbythebay
I'm waiting for the great network printer security apocalypse. A bunch of
these things are in a great position to turn around and launch attacks on the
"chewy on the inside" networks of so many companies. Maybe this has already
happened.

My printer has a dumb little print server running an embedded flavor of Linux
and a publicly known hard-coded (!) root password. While mine is going to the
slag heap sooner or later for that and several other fundamental problems, you
can guess that many many more of them are out there just waiting to be taken
for a ride.

These dumb little boxes may be underpowered, but once you get inside and set
them up to forward packets for you, their raw CPU speed becomes less of an
issue. You can run all of the fun attacks from a "real" machine and just let
it bounce you to the inside world.

Hypothetically speaking, of course.

~~~
mjhall
These two 28C3 talks[0,1] discuss the precursor to such an apocalypse.

[0]:
[http://events.ccc.de/congress/2011/Fahrplan/events/4871.en.h...](http://events.ccc.de/congress/2011/Fahrplan/events/4871.en.html)

[1]:
[http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.h...](http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html)

~~~
axx
I was going to submit those. Thanks!

------
cs702
Many, perhaps most, network-connected printers, NAS units, and other devices
(e.g., home-automation hardware) simply assume that the local network they
connect to will be securely protected from external attack, so they're not
configured to withstand even the simplest of attacks.

This is exactly the _opposite_ of what many security experts recommend:
ideally all devices should be secure regardless of whether the network they're
on is secure or not. With more and more devices offering remote-Internet-
access functionality every day, this principle of security is becoming ever
more fundamental.

Bruce Schneier's personal WiFi network at home is fully open, because -- in
his own words: "If I configure my computer to be secure regardless of the
network it's on, then it simply doesn't matter. And if my computer isn't
secure on a public network, securing my own network isn't going to reduce my
risk very much."[1]

Like rachelbythebay, I'm also waiting for the great network printer security
apocalypse.[2]

--

[1]
[http://www.schneier.com/blog/archives/2008/01/my_open_wirele...](http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)

[2] <http://news.ycombinator.com/item?id=4412522>

--

UPDATE: Just for the heck of it, I ran a fairly fast scan (nmap -T4 -A -v -PE
[IP address]) on an HP all-in-one printer accessible over my LAN, and there
were a LOT of open ports -- see pasted results below. I then pointed my
browser to port 9100 on the printer, which instantly printed the HTTP headers
without complaint. The printer's configuration page reports that it is
"secured" by an administrative password.

    
    
      PORT     STATE SERVICE      VERSION
      80/tcp   open  http         HP PhotoSmart/Deskjet printer http config (Virata embedded httpd 6_0_1)
      139/tcp  open  netbios-ssn?
      6839/tcp open  tcpwrapped
      7435/tcp open  tcpwrapped
      8089/tcp open  tcpwrapped
      9100/tcp open  jetdirect?
      9101/tcp open  jetdirect?
      9102/tcp open  jetdirect?
      9110/tcp open  unknown
      9220/tcp open  hp-gsg       HP Generic Scan Gateway 1.0
      9290/tcp open  hp-gsg       IEEE 1284.4 scan peripheral gateway
      9500/tcp open  unknown

~~~
dfc
Rerun with "-sV --allports"

    
    
       --allports (Don't exclude any ports from version detection) .
           By default, Nmap version detection skips TCP port 9100 because some
           printers simply print anything sent to that port, leading to dozens
           of pages of HTTP GET requests, binary SSL session requests, etc.
           This behavior can be changed by modifying or removing the Exclude
           directive in nmap-service-probes, or you can specify --allports to
           scan all ports regardless of any Exclude directive.
    

PS I think the "-A" and "-T4" are redundant. I think aggressive mode sets the
timing to 4 among other things.

~~~
cs702
dfc: running nmap with "--allports" could make the printer waste a lot of
paper, so I won't do it. (FWIW, by pointing my browser to the jetdirect port,
I was able to control the timing of the http request with more precision and
cancel printing immediately after the first page came out.)

PS. No, I was not trying to replicate what happened -- just trying to get a
quick sense of how many ports are open. Sorry for the misunderstanding.

~~~
dfc
Did you read what I posted? The man page excerpt that I included specifically
mentions weird printer behavior.

When you posted the nmap scan report I thought you were trying to replicate
what had happened. Otherwise it's not really news that print devices have a lot
of ports open.

In order to not waste paper you can just have one or two sheets in the tray...

------
stordoff
> "[...] we're all forwarding port 9100 or 631 to our printer to allow
> ourselves to print from outside the network, which sets up an HTTP server at
> that address open to the internet. All it takes is for somebody to put the
> appropriate GET request in [...]"

> "Both of our printers have public IP addresses"

It looks like the printers are publicly accessible, and some automated tool
(nmap?) is just scanning them for vulnerabilities, open ports, or similar. Not
too surprising really.

~~~
jvdh
It is not surprising that printers just accept (possibly malformed) requests
just from anywhere?

~~~
kd0amg
If I remember the presentation I saw on this, some don't even verify firmware
updates.

[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfY...](http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf)

<http://engineering.columbia.edu/can-you-trust-your-printer>

------
cantankerous
After playing around with it. I think that what is causing this to happen is
that the JetDirect port on the printer (usually 9100) is getting written to by
a port scanner. This will cause a printer using JetDirect to print out
whatever gets sent to it on that port. Try it yourself if you have a printer
that implements it. For me it was a Brother HD-5370DW.

1. telnet <printer> 9100

2. Type a hello world message.

3. Close the connection.

4. The printer will print out whatever you typed. At least it did for me.
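
The round trip cantankerous describes above (and the browser-to-port-9100 experiment cs702 and lftl report elsewhere in the thread), as an added example that is not code from the thread or from any printer vendor. It is Python, runs entirely against a throwaway mock printer on localhost, and assumes only the behaviour the posters describe: one TCP connection is one job, the printer parses nothing, and whatever arrives before the client closes the connection is what comes out on paper. The mock printer class, the hostname `printer.example` and the User-Agent in the sample request are all made up for the demonstration; no real printer firmware is emulated.

```python
import queue
import socket
import threading

# Constructed sample: roughly what a browser sends when pointed at
# http://printer:9100/. Hostname and User-Agent are placeholders, not captures.
BROWSER_PROBE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: printer.example:9100\r\n"
    b"User-Agent: example-browser/1.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


class MockJetDirectPrinter:
    """Stand-in for the raw port-9100 print path (assumption: no real firmware).

    One accepted connection is one print job; nothing is parsed or validated.
    Every byte received before the client closes its side is queued as the
    text of a "page", which is what the posters observe real printers doing.
    """

    def __init__(self, host="127.0.0.1"):
        self.jobs = queue.Queue()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, 0))          # port 0: the OS picks a free port
        self._sock.listen(4)
        self._sock.settimeout(0.2)          # lets _serve notice the stop flag
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                 # listening socket was closed
                return
            with conn:
                conn.settimeout(5)
                chunks = []
                try:
                    while True:
                        data = conn.recv(4096)
                        if not data:        # client closed: job complete
                            break
                        chunks.append(data)
                except socket.timeout:      # client went quiet: print what we have
                    pass
                self.jobs.put(b"".join(chunks))

    def close(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def send_raw_job(host, port, payload, timeout=5.0):
    """The same thing as `telnet host 9100`, typing, and closing the session."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)          # end of job from the printer's view


def demo_roundtrip(payload=BROWSER_PROBE):
    """Send `payload` to a fresh mock printer; return what 'came out on paper'."""
    printer = MockJetDirectPrinter()
    try:
        send_raw_job("127.0.0.1", printer.port, payload)
        return printer.jobs.get(timeout=5).decode("latin-1")
    finally:
        printer.close()


if __name__ == "__main__":
    print(demo_roundtrip(b"hello world\n"), end="")
    print("---- page 2 ----")
    print(demo_roundtrip(), end="")
```

Point `send_raw_job` only at the mock. Against a real printer every byte of every probe becomes paper, which is exactly why the nmap man page excerpt quoted earlier says version detection skips port 9100 unless you pass `--allports`.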

~~~
b_emery
Wow, this works on my HP printer. That would explain the reams of pages I get
that look like this:

    GET http://www.baidu.com/ HTTP/1.1
    Host: www.baidu.com
    Accept: */*
    Pragma: no-cache
    User-Agent:

~~~
a_bonobo
I sometimes get the same ones at work! It's the crawler from the Baidu search
engine checking if the printer is a web server.

I contacted ITS about it (obviously, you shouldn't be able to print from
outside the university) but they haven't really given it any work. It surely
is a security hole, and a minor waste of ink & paper.

~~~
tedunangst
Actually, it's somebody searching for an open proxy, note the inclusion of
http and hostname in the GET. The baidu crawler wouldn't be so ridiculous as
to request its own homepage from your server. Somebody is testing to see if
they can get your server to proxy to baidu for them.
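
A way to tell the two cases apart on paper, as an added example that is not code from the thread: Python that takes the text of a printed page, cuts it into the HTTP requests it contains, and labels each one. The rule is the one tedunangst states: a request line whose target is an absolute URI (`GET http://www.baidu.com/ HTTP/1.1`) asks the recipient to fetch something on the sender's behalf and so is an open-proxy probe, while a path-only target (`GET /admin.php HTTP/1.0`) is a plain is-this-a-web-server probe. The example goes one step beyond the thread by also treating `CONNECT` as a proxy probe. The sample page is constructed: its first request is the baidu one as transcribed above, the other two are made up, and 198.51.100.7 is a documentation address, not anyone's printer.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: the baidu request as transcribed in the thread,
# followed by two made-up requests of the kinds scanners also send.
SAMPLE_PAGE = """\
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Accept: */*
Pragma: no-cache
User-Agent:

GET /admin.php HTTP/1.0
Host: 198.51.100.7

CONNECT www.example.com:443 HTTP/1.1
Host: www.example.com:443
"""

# method SP request-target SP HTTP-version, as in RFC 7230 section 3.1.1
_REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]{3,10}) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$"
)


def classify_request_line(line):
    """Label one line that came out of the printer."""
    m = _REQUEST_LINE.match(line.strip())
    if not m:
        return "not an HTTP request line"
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # CONNECT host:port only makes sense when talking to a proxy.
        return "open-proxy probe (CONNECT tunnel)"
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        # absolute-form target: "fetch this URL for me" == proxy probe
        return "open-proxy probe (absolute URI)"
    if target.startswith("/") or target == "*":
        # origin-form target: the sender thinks we are the web server
        return "direct web probe"
    return "malformed request target"


def triage_page(text):
    """Return [(request_line, label)] for each request printed on the page.

    Requests are separated by a blank line, which is how several probes
    dumped back to back appear once the printer has put them on paper.
    """
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first_line = block.splitlines()[0]
        results.append((first_line, classify_request_line(first_line)))
    return results


if __name__ == "__main__":
    for request_line, label in triage_page(SAMPLE_PAGE):
        print(f"{label:36s} <- {request_line}")
```

Whatever the label, the fix is the same one the thread arrives at: the raw print port should not be reachable from outside the network at all.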

~~~
a_bonobo
But why so often then? Surely at some point you'd know there's an open port
there and stop querying it.

~~~
tedunangst
Surely at some point these same people would realize there's no admin.php on
my web server, but there they are, still looking for it...

~~~
k6b
because they are automated bots...

------
cantankerous
The strings contain "sqli" which some of the posters inferred to mean they
were experiencing a SQL injection. I doubt this is actually the case. I will
say, though, that I have a Brother printer like the one described where I work
and have seen similar odd strings on papers that come out of it. At least one
time, it's just printed gibberish. I think the common denominator is that
these printers are openly shared on a network with a public IP (at least mine
is...it's at a big University with public IPs for everybody). I don't know if
this is related or not, though.

~~~
CWuestefeld
_The strings contain "sqli" which some of the posters inferred to mean they
were experiencing a SQL injection. I doubt this is actually the case._

I'm certain you're correct. I've seen many SQL injection attacks, and not one
of them has ever labelled itself as such.

~~~
CWuestefeld
Seven hours after posting, I've racked up 21 points for this comment.

I think this shows a defect in the blind voting we've had here for the last
year or so. There's no way this off-hand comment is worth that much karma, but
nobody can see that I'm being overcompensated for it.

(Sorry for the OT meta-post)

------
dagw
Spoke with a security guy years ago who got called to a company after they'd
been accused of running a warez server. After a bit of digging around he
finally found the server on a printer that was running some ancient unpatched
version of Solaris.

------
JonnieCache
Don't trust your printer! There were a lot of demos of printer hacks at 28c3
and basically I think I might not print anything ever again. A lot of these
things have their firmware implemented in postscript. Updating the firmware
consists of printing a special document. It's pretty mental tbh. Your jaw will
be scraping along the floor at some of the holes these things have.

Print Me If You Dare: <http://www.youtube.com/watch?v=njVv7J2azY8>

Hacking MFPs: <http://www.youtube.com/watch?v=PqL5P46m_zQ>

EDIT: Beaten by 4 hours. Oh well.

------
lftl
I've got a HP printer pretty similar to the one mentioned in the thread. In
the course of trying to set it up, I by chance pointed my browser to the
printer's network printing port. Interestingly enough it printed out all my
browser headers. It seems like these printers just spit out anything that hits
that port.

~~~
igrekel
Yes, I used to do a netcat on printers to print for free in college.

~~~
ZoFreX
Tip for networked computers in colleges, schools, workplaces, and similar
environments: You can upload postscript files to them via FTP, this lets you
bypass the printer queue running on a server somewhere. Why would you want to
do this? Various nefarious reasons, but the reason I did it was because in
90+% of printer outages at university, it was the queue server and not the
printer itself experiencing a fault.

If you don't know the IP address of the printer, you can normally get them to
print out a diagnostics page by fiddling with the buttons, and this page will
contain that information. So far I have always succeeded at logging in with
guest credentials.

To network admins who don't want people bypassing their queues: vlan your
printers!

~~~
hrrsn
We had this problem when I was still at high school. It worked for the most
part, but when we photography students started printing to the photo printer
all hell broke loose. Things would frequently take 30+ minutes to go through
the Pharos print server. At the time they had just hired a new IT guy so we
asked him if he could set the printer up on our personal laptops (we only had
3 workstations in the room). After much frustration he managed to get it
running, except he accidentally set them up to print directly to the printer,
not via the print server. Magically things started popping out after a minute
or two, which got the teacher inquisitive. Eventually they realised that we
weren't being charged for printing anymore when the print information had our
personal computer usernames rather than ID numbers but couldn't blame us as
they had set it up themselves. After being told not to do that anymore, we all
just set up secondary users with our ID numbers so it all looked legit.

~~~
ZoFreX
Ah, yes - I forgot to mention that side effect, bypassing the print queue will
also mean you don't get charged (assuming your institution has a print credits
system set up).

------
ioquatix
I once found a public printer which I don't think was supposed to be public.
There wasn't any way to contact the owner since it appeared to be in a
different country based on IP address.

...so I set it up as a printer and printed a bunch of lolcats to it.. A few
days later it wasn't accessible any more =)

~~~
Achshar
You could have, you know, printed out that the printer was publicly accessible
on the printer itself.

~~~
ioquatix
Yeah, that was part of the lolcats image. I can't quite remember what I did
but it wasn't malicious.

~~~
Achshar
The guy on the other side must have had an interesting day. Suddenly lolcats.

------
alanbyrne
<snip> I'm going to guess that the common theme here is that we're all
forwarding port 9100 or 631 to our printer to allow ourselves to print from
outside the network, which sets up an HTTP server at that address open to the
internet. </snip>

Seriously?! Ignoring the fact that I can't remember when I last printed
something, who needs to print to their house from the internet? Can't they
just print it when they get home?

~~~
samstave
Semi-off-topic anecdote: when I was at Lockheed the head of HR came to me with
a Manila envelope and said "I need to know who printed this and when! And I
need to know now!"

I took the envelope and looked at it... It was a bunch of prints of gay porn
and gay porn websites.

After a few minutes of digging, it was revealed to be one of the directors in
the company had printed them late the night before. Checking the badge system
he wasn't in the building. Checked VPN logs and he was logged in at the time.

He was mistakenly on VPN from his house and printed stuff that went to his
default printer which happened to be the one in the office.

He was previously thought to be a married straight guy.

~~~
tantalor
> He was previously thought to be a married straight guy.

Not sure why this is relevant. Are you saying Lockheed has/had a don't-ask-
don't-tell policy?

~~~
jlgreco
Eh, it could just mean that technological mishaps can have real world
consequences. Presumably the man did not want people to know that he was gay,
whatever the reason for that was we can't say for sure.

------
cantankerous
For what it's worth, this issue (or one very similar to it) has
been discussed on the nmap seclist.

From the email:

"....However, I've noticed a problem now that I've put this into production.
When it scans a network printer, the printer spews out garbage, I have a
couple wads of paper on my desk with one or two lines of garbage at the top of
each page."

<http://seclists.org/nmap-dev/2006/q3/406>

------
blhack
They're getting portscanned. I'm surprised this isn't common knowledge.

If you throw ascii at a jetdirect printer, it will generally just print it out
for you. I've used this to debug printers before, as well as to goof around
with my coworkers a bit.

------
stevencorona
This reminds me of when I was in college: I used to have VNC running on a public
IP without any authentication (on purpose). Randomly, bots would connect, take
over control of the screen, and print a bunch of test characters out in
Notepad before disconnecting.

I don't know if they just hit it by luck or if they were actively looking
for/testing/saving open VNC servers.

~~~
freehunter
You're always being scanned for everything. If I got a penny for every time my
company was swept by a scanner, I'd be making more than my salary.

~~~
fein
This is almost an understatement.

My home servers get SLAMMED on a daily basis by a whole wonderful plethora of
bots. Most recently has been Muieblackcat. Going on the whole salary analogy:
I'd make my current salary plus a bit if I had a penny for every scan on the
box in my living room. I keep the Ukrainian IPs off my blacklist just for
fun. Nothing sensitive on the server, just my web playpen. I kind of hope that
one of these exploits works one day so I can see where I've slipped up.

~~~
ahi
I vaguely recall that unpatched XP averages just a couple minutes on a network
before being owned. If you didn't have the SP on a disc it was a race between
the updates and the bots. That might have been old linux propaganda though.

~~~
jen_h
Not propaganda, I saw a great example of this once bringing up a Windows
system on a residential line shared with other apartments. Seconds after the
box's "Hey, there, Windows Update, got something for me?", the network slowed
to a crawl and our router's (rejected) incoming connection log grew hot and
heavy. Would be lovely if the massive influx of attempted incoming connections
were just eager WindowsUpdate systems, but unless Microsoft moved their
infrastructure to China and Romania...

Anyway, there's a reason to travel with your own locked-down router and to
never connect through anyone else's connection directly, especially if you're
running Windows. Even that's not foolproof, but at least you've got an Angry
Bouncer protecting the Windows Club. Windows Update connections totally feel
like spotlights and booming bass.

------
drone
Pretty typical behavior when running vulnerability scanning against a printer
target.

Many printers will simply print whatever data comes into certain ports. Have
seen similar behavior many times when running web scanning against a printer
accidentally instead of a webserver.

------
aidos
I get that this just looks like a scan but it's strange that half a dozen
people reported it at the same time (so the problem is likely more
widespread). How long would it take to send these packets to all public ips in
the world (real question, I have no sense of the scale of ip addresses)? I
guess it could be that the ips are known to be running printers by a previous
scan. Maybe the printers contact home and HP accidentally sent them a bad
message?

------
ethank
I did a project in college where I scanned networks for IPP ports and would
print agitprop to them.

The printer panopticon. Oh art school.

~~~
dfranke
Heh... a similar "project" when I was in high school got me sent to the
principal's office once :-)

~~~
ethank
Yeah, I got a nice visit from campus security.

------
fest
It seems to me that someone was scanning their network for specific services,
probably some DBMS. The printer received the initial communication packet(s)
and happily printed whatever was received.

------
borplk
In the printed stuff it also says 'nmap'

Most probably it comes from someone running penetration testing tools against
the printer on the network

------
jpcosta
Could this be related to Trojan.Milicenso or Trojan.Eorezo? This is the
latest (although it's from June/July) threat I know of that prints random stuff.

[http://www.symantec.com/connect/blogs/trojanmilicenso-paper-...](http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true)
<http://www.symantec.com/docs/TECH190982>
<http://isc.sans.edu/diary.html?storyid=13519>

------
PaulHoule
This would be a great attack if you could get the printers to print ads!

~~~
ahi
Those are called fax machines.

------
justincormack
There are known attacks on printers eg via firmware upload
<https://lwn.net/Articles/469865/>

Although this mostly looks like scans.

------
axx
With IPv6 and public IPs this is going to be so much fun. :)

------
adrinavarro
From the comments it seems that it's people sharing their printer, apparently
some form of access over the internet (or local network).

~~~
danieldk
Given that these are connected to Airports, they are probably using Back to my
Mac:

<http://en.wikipedia.org/wiki/Back_to_My_Mac>

~~~
grapefruit
Services shared via Back to My Mac aren't directly accessible from the
internet at large. Services shared using Wide-Area Bonjour are publicly
exposed.

------
colton36
For slightly more amusing attacks on printers, there is an Android app
available - HP Printer Fun.

[https://play.google.com/store/apps/details?id=com.angryhacke...](https://play.google.com/store/apps/details?id=com.angryhacker.printerfun)

------
SoftwareMaven
One poster said his/her printer did it on a machine not connected to the
network, so it may not be a print server scanning thing.

~~~
sanderjd
Yeah that was the outlier. It seems more likely to me that the poster who said
that failed to properly disconnect the printer from the network.

------
jpswade
I've so far been unable to replicate this problem.

------
android_gg
this is pretty damn scary

------
doctorwho
No need to worry, all Macs are virus, malware and attack proof and so (by the
law of distortion of reality) are any devices or networks attached to a Mac.
Go about your business and forget about that pesky "security" thing everyone
else likes to talk about. Just etch a picture of Steve striking a thoughtful
pose on the lid of your laptop and all your problems will be forgotten.

~~~
podperson
Thanks for injecting helpful -- not to mention hilariously witty -- points
into this conversation. You left out the following points:

* Apple's stuff is incredibly overpriced

* Apple never invented anything, it's just good at marketing

* Apple's lawsuits are all based on rounded rectangles

* Xerox invented the GUI from scratch and it was perfect

* Anyone who uses an Apple device is a hipster fanboi cultist

~~~
MarvinYork
Welcome to hecklernews.

~~~
podperson
slashdot -> digg -> reddit -> hackernews -> slashdot?

Also: sarcasm is like violence -- any problem it can't solve just requires
more sarcasm.

