
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target and entry point
- Target: CANON ImageCLASS printers (successful Pwn2Own Ireland 2024 entry).
- Delivery: send a PJL job that switches the interpreter to XPS: @PJL ENTER LANGUAGE = XPS so the printer parses an attacker-supplied XPS that references an attacker-controlled TTF.

XPS structure and loading attacker fonts
- XPS is a ZIP with XML parts and assets. Quick inspection:

$ (mkdir u && cd u && unzip -d . ../te...

🔧 Technical Details

Abusing XPS font loading: Craft an XPS that references an attacker TTF via <Glyphs FontUri="/Resources/evil.ttf" /> and deliver it under PJL with @PJL ENTER LANGUAGE = XPS so the printer executes TrueType bytecode embedded in fpgm/prep/glyf.

Leaking addresses via CINDEX: Invoke CINDEX with a negative index to copy an out‑of‑bounds stack entry to TOS, leaking adjacent pointers (e.g., a value from which the VM stack address can be derived) and enabling targeted pivots.

Relative stack pivot via DELTAP: Use the DELTAP inner handler’s unchecked ctx->stack_cur = &stack_new[-2 * *stack_new] to move the VM stack in 8‑byte steps. Compute the count as (stack_cur − target)/8 to land on sensitive data structures.

Building exact 32‑bit values in 26.6 VM: Combine PUSHW halves with two MUL operations by 0x4000 to shift the uppe...

🤖 Agent Actions

I explored the HackTricks repository and found the most relevant place for this content is the printers/PJL page:

  • src/network-services-pentesting/9100-pjl.md

I reviewed at least 5 relevant files:

  • src/network-services-pentesting/9100-pjl.md
  • src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md
  • src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md
  • src/generic-methodologies-and-resources/pentesting-network/README.md
  • src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md

Update implemented:

  • Extended 9100/pjl.md with a new section: “XPS/TrueType VM exploitation (Canon ImageCLASS)”
    • Delivery over PJL with @PJL ENTER LANGUAGE = XPS and streaming XPS payload
    • XPS structure and Glyphs/FontUri technique to load attacker-controlled TTF
    • TrueType VM quick notes (stack model, 26.6 fixed-point, PUSHB/PUSHW, MUL, WS/RS)
    • Building precise 32-bit values in the VM using MUL-by-0x4000 trick and sign-extension correction
    • Vulnerable primitives from the blog:
      • CINDEX OOB stack read → information leak and stack_cur derivation
      • DELTAP1 unchecked relative stack pivot → controlled out-of-stack writes
    • Minimal-collateral arbitrary 32-bit write using WS/RS after pivot
    • Exploit outline tying leak → value crafting → WS → DELTAP pivot → RS write
    • Example for sending payload over 9100/tcp
  • Added a “References” section with:
    • The blog: Hacking printers using fonts
    • Apple TrueType Reference Manual (VM and instruction set)

No new files were created; the content fits cleanly under PJL exploitation.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
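As an added example (not part of this PR, the HackTricks page or the linked blog post): a defender-side triage check for print jobs captured on 9100/tcp that follows the delivery chain summarised above, a PJL `ENTER LANGUAGE = XPS` switch, an XPS ZIP package, a `Glyphs FontUri` reference, and a TrueType font whose table directory carries VM program tables (`fpgm`/`prep`). Function names and the embedded sample job are constructed for this example; presence of `fpgm`/`prep` is a triage signal (many hinted fonts have them), not proof of malice.

```python
import io
import re
import struct
import zipfile

VM_PROGRAM_TABLES = {b"fpgm", b"prep"}  # program tables executed by the TrueType VM
ENTER_XPS_RE = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*XPS", re.I)
FONT_URI_RE = re.compile(rb'FontUri="([^"]+)"')
UEL = b"\x1b%-12345X"  # PJL Universal Exit Language sequence that brackets a job

def ttf_table_tags(font):
    """Return the 4-byte table tags listed in a TrueType font's table directory."""
    num_tables = struct.unpack(">H", font[4:6])[0] if len(font) >= 12 else 0
    recs = font[12:12 + 16 * num_tables]  # 16-byte records: tag, checksum, offset, length
    return {recs[i:i + 4] for i in range(0, len(recs) - 15, 16)}

def inspect_pjl_job(job):
    """Flag a PJL job that enters XPS and whose pages reference a font carrying VM programs."""
    m = ENTER_XPS_RE.search(job)
    if not m:
        return []
    findings = ["PJL job switches the interpreter to XPS"]
    body = job[m.end():]
    start = max(body.find(b"PK\x03\x04"), 0)  # XPS is a ZIP package; locate its first entry
    end = body.find(UEL, start)  # strip any trailing PJL that follows the package
    try:
        pkg = zipfile.ZipFile(io.BytesIO(body[start:end if end > 0 else None]))
    except zipfile.BadZipFile:
        return findings + ["payload after ENTER LANGUAGE = XPS is not a readable ZIP package"]
    names = set(pkg.namelist())
    for part in sorted(names):
        for uri in FONT_URI_RE.findall(pkg.read(part)):
            font = uri.decode(errors="replace").lstrip("/")  # FontUri is package-absolute
            hits = ttf_table_tags(pkg.read(font)) & VM_PROGRAM_TABLES if font in names else set()
            if hits:
                findings.append(f"{part}: font {font} carries TrueType program tables {sorted(t.decode() for t in hits)}")
    return findings

def build_sample_job():
    """Constructed sample: a PJL job entering XPS with one page that references a tiny fpgm/prep font."""
    tables = [(b"fpgm", b"\xb0\x00"), (b"prep", b"\xb0\x00"), (b"glyf", b"\x00" * 4)]
    font, data, off = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0), b"", 12 + 16 * len(tables)
    for tag, blob in tables:
        font += struct.pack(">4sIII", tag, 0, off + len(data), len(blob))
        data += blob
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Documents/1/Pages/1.fpage", '<Glyphs FontUri="/Resources/evil.ttf" />')
        z.writestr("Resources/evil.ttf", font + data)
    return UEL + b"@PJL ENTER LANGUAGE = XPS\r\n" + buf.getvalue() + UEL
```

Running `inspect_pjl_job(build_sample_job())` reports the XPS switch and the font with `fpgm`/`prep`; a job entering PCL, or one whose XPS payload is not a valid ZIP, yields no font finding.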

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://haxx.in/posts/2025-09-23-canon-ttf/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Network -> Printers (PJL/PostScript/XPS/TTF exploitation)".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
