From Hacking Printers

The Simple Network Management Protocol (SNMP) is a UDP-based protocol (port 161/udp) designed to manage various network components such as routers. The architecture is defined in RFC3411 [1]. The information offered by a managed system is not defined by the standard itself but in separate hierarchical database files, so-called MIBs (management information bases). A MIB consists of various OID (object identifier) entries, each identifying a variable that can be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the hrDeviceDescr value (OID, textual description of a device) from the ‘Host Resources MIB’ as defined in RFC1514 [2] is shown below:

snmpget -v1 -c public printer iso.
iso. = STRING: "hp LaserJet 4250"

While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer models, often including security-sensitive functionality. A generic approach to create a vendor-independent ‘Printer MIB’ was taken in RFC3805 [3]. SNMP broadcast is used in printing software like CUPS or PRET to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to public by default). On HP devices, however, SNMP can be embedded within PJL and therefore included in arbitrary print jobs as so-called PML commands.
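A monitoring-side illustration, added here and not part of the original article: Python that decodes an SNMPv1/v2c message observed on port 161/udp and flags the two conditions described above, the default community string and a SetRequest write. The sample packet, the instance index 1 appended to the hrDeviceDescr OID from the Host Resources MIB, and all function names are constructed for this example.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {b"public"}  # the default named in the article
SAMPLE = bytes.fromhex("3029" "020100" "04067075626c6963"  # constructed, not a capture: v1, "public"
    "a01c" "020101" "020100" "020100"  # GetRequest: request-id, error-status, error-index
    "3011" "300f" "060b2b06010201190302010301" "0500")  # varbind: hrDeviceDescr.1 (instance assumed), NULL

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n octets hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the body of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items

def decode_oid(data):
    """Decode an OID body to dotted form (first arc 0 or 1, as in iso.3)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the sub-identifier
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def inspect_snmp(packet):
    """Summarise one SNMPv1/v2c message and flag what a monitor should alert on."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    (_, version), (_, community), (pdu_tag, pdu) = children(msg)[:3]
    varbinds = children(pdu)[3][1]  # follows request-id, error-status, error-index
    oids = [decode_oid(children(vb)[0][1]) for _, vb in children(varbinds)]
    findings = [name for name, hit in (("default community string", community in DEFAULT_COMMUNITIES),
                                       ("write operation (SetRequest)", pdu_tag == 0xA3)) if hit]
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids, "findings": findings}
```

Calling inspect_snmp(SAMPLE) reports a GetRequest with the default community string; the same message with PDU tag 0xA3 is additionally reported as a write.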

Related articles: PML

  1. RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, D. Harrington, R. Presuhn and B. Wijnen, 2000
  2. RFC1514: Host Resources MIB, P. Grillo and S. Waldbusser, 1993
  3. RFC3805: Printer MIB v2, R. Bergman, I. McDonald and H. Lewis, 2004