[Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives

From: Dennis W. Mattison (dwmattat_private)
Date: Tue Nov 16 1999 - 16:21:13 PST

    Searched the archives to see if this one has already come out, but didn't
    find it.
    
    As more and more printer companies add insecure protocols and daemons to
    their printers as features to make their machines more available to the end
    users, they make their printers more available to exploits by hackers as
    well.  Unfortunately, many of the bugs in these printers are available for
    exploit since often these services come turned on by default and little
    information is provided up front on how to turn them off.  We have contacted
    Tektronix on numerous occasions about these vulnerabilities, and have
    received a cold shoulder each time...maybe this will spark some movement now
    that they know the exploit community has the keys (it is doubtful that the
    exploit community didn't know this to start with.)
    
    Tektronix has a particularly nasty bug which is quite amusing.  On their
    Phaser 740 color printers (they may be on other printers, but I haven't had
    the access I need to the other printers to find out,) Tektronix packages a
    webserver, built into the printer, to allow an administrator to access and
    change the configuration remotely.  By opening a standard web-browser and
    pointing to the printer's URL, this webserver allows any user to access the
    Status and Configuration of the printer.  Luckily, Tektronix is smart enough
    to require an administrator password be entered in order to prevent just
    anyone from changing the settings of the printer (well, it was a good idea,
    but unfortunately as we'll soon see this administrator password is a joke.)
    Tektronix does recommend that users enter an administrator password, and the
    manual is quite specific on how this is accomplished (though the manual does
    state that these passwords are sent unencrypted from the browser to the
    printer.)  Unfortunately, using some hidden and undocumented URLs, the
    administrator password is shown to anyone without any sort of authentication
    and allows anyone to bypass this password to directly reconfigure the
    printer, which kinda defeats the purpose entirely.
    
    To grab the administrator password, just use the URL
    http://printername/ncl_items.html?SUBJECT=2097.  Presto, the password
    appears in plain text for all the world to see.  Of course, you can also
    change the administrator password here to whatever you want, without needing
    to provide any authentication information.  As a matter of fact, you can
    change just about any configuration information in the printer without a
    user id or password by using the URL http://printername/ncl_subjects.html
    and choosing one of the subjects listed.  So, if the administrator went
    through all the trouble of shutting down the insecure services like telnet
    and ftp or put in passwords for these services, there is nothing stopping
    you from going in and changing these passwords and turning these services
    back on.  All you need to do is swipe the administrator password, now you
    have access to all the configuration options on the printer and can do what
    you please.
    
    I even like the fact that you can use the URL
    http://printername/ncl_items.html?SUBJECT=1, and set the factory default
    setting to On, then hit the "Lets change EVERYTHING" button and voila, a
    brand new printer (and a really good Network DoS, since it kills off the IP
    address and other important networking information.)
    
    An exploit (for just about anything) is trivial...
    
    SOLUTIONS:
    
    1.  Block Port 80 access to this printer via a router or firewall.  This
    will prevent access to this software from those outside the network. Also,
    since very rarely will anyone print from outside the local network, setting
    the default gateway to be the same as the IP address will keep outside users
    from exploiting this service.
    
    2.  Disable the PhaserLink Webserver on the printer.  This can be
    accomplished through the control panel, switching the HTTP Protocol to
    Disabled (Under Printer Configuration | Network Settings | HTTP), but it can
    also be accomplished via the URL http://printername/ncl_items?SUBJECT=2097,
    then switch the setting "On" to off. (We are still testing the printer to
    make sure that this setting permanently disables the functionality of this
    HTTP server.)  However, doing so will prevent you from being able to
    remotely administer this machine using the web browser.
    
    There are other methods, but these two appear to be the best.
    
    Dennis (aka Little Wolf)
    --
    Dennis W. Mattison
    SPAWAR Network Security Team
    SAIC - Center for Information Security Technology (CIST)
    Ph: (619) 553-2343 Email: dwmattat_private, mattisondat_private
    
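The configuration URLs named in the post are easy to watch for on the wire. As an added example that is not part of the original message, the Python below flags requests to the PhaserLink pages in constructed Common Log Format lines, as a proxy or HTTP-aware IDS in front of the printer segment would record them (the host names, addresses, log source and `admin_hosts` allowlist are assumptions), rating the password page (SUBJECT=2097) and factory-defaults page (SUBJECT=1) as high severity.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PhaserLink pages named in the advisory. SUBJECT=2097 is the admin-password page,
# SUBJECT=1 the factory-defaults page; ncl_subjects.html lists every settable subject.
SENSITIVE_PATHS = {"/ncl_items.html", "/ncl_items", "/ncl_subjects.html"}
HIGH_RISK_SUBJECTS = {"2097": "admin password exposed/changed", "1": "factory reset"}

# Constructed Common Log Format lines, as an assumed proxy or HTTP-aware IDS in front
# of the printer segment would record them. Not real captures.
SAMPLE_LOG = """\
10.1.2.55 - - [16/Nov/1999:16:21:13 -0800] "GET http://printer1/ HTTP/1.0" 200 1024
10.1.2.55 - - [16/Nov/1999:16:21:20 -0800] "GET http://printer1/ncl_items.html?SUBJECT=2097 HTTP/1.0" 200 512
10.1.9.200 - - [16/Nov/1999:16:30:01 -0800] "GET http://printer1/ncl_subjects.html HTTP/1.0" 200 2048
10.1.2.55 - - [16/Nov/1999:16:31:44 -0800] "POST http://printer1/ncl_items.html?SUBJECT=1 HTTP/1.0" 200 300
10.1.2.55 - - [16/Nov/1999:16:35:00 -0800] "GET http://printer1/status.html HTTP/1.0" 200 700
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def find_phaserlink_access(log_text, admin_hosts=frozenset()):
    """Return one alert dict per request to a PhaserLink configuration page.

    Requests from hosts in admin_hosts (assumed legitimate administrators) are skipped.
    """
    alerts = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or m["src"] in admin_hosts:
            continue
        url = urlsplit(m["url"])  # works for absolute and path-only request targets
        if url.path not in SENSITIVE_PATHS:
            continue
        subject = parse_qs(url.query).get("SUBJECT", [None])[0]
        severity = "high" if subject in HIGH_RISK_SUBJECTS else "medium"
        alerts.append({
            "ts": m["ts"], "src": m["src"], "method": m["method"],
            "path": url.path, "subject": subject, "severity": severity,
            "reason": HIGH_RISK_SUBJECTS.get(subject, "unauthenticated config page"),
        })
    return alerts


if __name__ == "__main__":
    for a in find_phaserlink_access(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity'].upper():6} {a['src']} {a['method']} "
              f"{a['path']} SUBJECT={a['subject']} ({a['reason']})")
```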