Re: [Fwd: Printer Vulnerability: Tektronix PhaserLink

From: Dennis W. Mattison (dwmattat_private)
Date: Thu Nov 18 1999 - 09:28:03 PST

  • Next message: elfchiefat_private: "Re: Tektronix PhaserLink Webserver Reveals Admin Password" 

    This is a cryptographically signed message in MIME format.

--------------msD2610E30DD3B1406D473C5CE
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Apparently the 740, 780, and 840 printers are vulnerable.  According to
Bernhard Schneck and Gerhard den Hollander, the 350 and 560 printers are not
(confirmed on one of our printers here) vulnerable to this attack.  However,
this leaves me to wonder of there isn't some other undocumented feature in
these printers which is exploitable.

For those who asked, I actually didn't come up with this alone, I just put all
the pieces together to figure out how it could be exploited.  Like the 3Com
backdoor, and Microsoft's various remote administration tools, this bug is
something that Tektronix probably threw into their printers to help customer
support personnel working on printer problems remotely configure their client's
printers.  The bug is not the undocumented URLs themselves, but the fact that
these URLs allow a remote and unauthorized user to change printer
configurations without any sort of authentication or control.  Tektronix
requires a password be provided on their configuration pages in order to make
any changes, however, using these URLs the changes can be made without needing
a password.

The hint on the URL to recover a lost administrator password was first given to
one of our customers by the Tektronix folks, he forwarded it to us and from
there, we ran with it, discovering all the hidden treasures.  It is probably
safe to assume that the other printers have a similar hidden URL, maybe a
social engineering call to one of the Tektronix support personnel could get it
(they might be a little less sympathetic now that this is out though.)

Ronan Waide wrote:

> On November 16, dwmattat_private said:
> > Tektronix has a particularly nasty bug which is quite amusing.  On their
> > Phaser 740 color printers (they may be on other printers, but I
> > haven't had
>
> Confirmed for phaser 780.
> --
> waiderat_private / Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax)
> "Multithreadedness, like object-orientedness, is a matter of perception.
>  If it seems multithreaded, it is.  All else is an implementation detail."
>                                                   - Jamie Zawinski

--
Dennis W. Mattison
SPAWAR Network Security Team
SAIC - Center for Information Security Technology (CIST)
Ph: (619) 553-2343 Email: dwmattat_private, mattisondat_private


--------------msD2610E30DD3B1406D473C5CE
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIIJXwYJKoZIhvcNAQcCoIIJUDCCCUwCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
B5IwggObMIIDBKADAgECAgISLTANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJVUzEYMBYG
A1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEXMBUG
A1UEAxMOTWVkIEVtYWlsIENBLTEwHhcNOTkwOTE2MTYyOTMzWhcNMDEwOTE2MTYyOTMzWjCB
nzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9E
MQwwCgYDVQQLEwNQS0kxEzARBgNVBAsTCkNPTlRSQUNUT1IxJTAjBgNVBAMTHE1hdHRpc29u
LkRlbm5pcy5XLjAyMDAwNTkwNjAxHjAcBgkqhkiG9w0BCQEWD2R3bWF0dEBub3NjLm1pbDCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvIQh9THlLPyevbfrIiaIRiy+1CfbXpo6GNDA
mVnLacnKz6CiVFrg0xi/5tzCLy6SWsqhzVHHmVSjSTA2daIxr8b8R9uCNpudqzJlvEFFB6xZ
BVw70eUpR/wysKie5c5YBU6Ie2B3ckXq3P5x8vWDN7hy8+O/qisy1UQ8L8vuBTUCAwEAAaOC
ASYwggEiMBYGA1UdIAQPMA0wCwYJYIZIAWUCAQsDMB8GA1UdIwQYMBaAFPIju1ImGhS6CXJ9
cNJe5ng8aBX8MB0GA1UdDgQWBBRo4W6DRwQ38Vmny64uzD9P7/xdvTAOBgNVHQ8BAf8EBAMC
BaAwDAYDVR0TAQH/BAIwADCBqQYDVR0fBIGhMIGeMIGboIGYoIGVhoGSbGRhcDovL2RzLTEu
Y2hhbWIuZGlzYS5taWw6MzkwL2NuJTNkTWVkJTIwRW1haWwlMjBDQSUyZDElMmNvdSUzZFBL
SSUyY291JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTP2NlcnRpZmlj
YXRlUmV2b2NhdGlvbkxpc3QlM2JiaW5hcnkwDQYJKoZIhvcNAQEFBQADgYEAJyWRPz1KOlUj
MVEUaIuv1Hatd4AZpK2ozdR9PdAwEAKK5TIk/lJ0Dj+R0WeqEOjiuSbgAp6CMV5RQL3H8ODN
gtP5WpWY38lNpq80JhcsT1rilzg3QyhxAsNBw0fzn/OrKWEueTm/KJUsG+343AIvgqHt4qDu
1VNSeg4pWcYYfREwggPvMIIDWKADAgECAgEjMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBAYT
AlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMD
UEtJMRwwGgYDVQQDExNEb0QgUEtJIE1lZCBSb290IENBMB4XDTk4MDgwNjE5NTQ1NFoXDTAz
MDgwNjE5NTQ1NFowXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEM
MAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxFzAVBgNVBAMTDk1lZCBFbWFpbCBDQS0xMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqTd9bbYLOvC2mMX/fpiD+4MKcPiO7bCNi+6w6
jGXsyVzEysRDUkOhOR77XJyU6PD/gRV1BgQC+tqLyVKku0u13m8hxAGLP4EXk5S2Egl6Azue
BlVPQcFIpSAoeK3Q69pyE/9WFGCf2VDWM/57IFcHmaBzUM7aWyybNw+VHo+1JwIDAQABo4IB
ujCCAbYwFgYDVR0gBA8wDTALBglghkgBZQIBCwMwHwYDVR0jBBgwFoAUxVnSzvGYlVBmqG3e
MkvWYTXiRrMwDAYDVR0kBAUwA4ABADAdBgNVHQ4EFgQU8iO7UiYaFLoJcn1w0l7meDxoFfww
DgYDVR0PAQH/BAQDAgGGMH4GA1UdEgR3MHWGc2xkYXA6Ly9kcy0xLmNoYW1iLmRpc2EubWls
L2NuJTNkRG9EJTIwUEtJJTIwTWVkJTIwUm9vdCUyMENBJTJjb3UlM2RQS0klMiBjb3UlM2RE
b0QlMmNvJTNkVS5TLiUyMEdvdmVybm1lbnQlMmNjJTNkVVMwDwYDVR0TAQH/BAUwAwEB/zCB
rAYDVR0fBIGkMIGhMIGeoIGboIGYhoGVbGRhcDovL2RzLTEuY2hhbWIuZGlzYS5taWwvY24l
M2REb0QlMjBQS0klMjBNZWQlMjBSb290JTIwQ0ElMmNvdSUzZFBLSSUyY291JTNkRG9EJTJj
byUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxp
c3QlM2JiaW5hcnkwDQYJKoZIhvcNAQEFBQADgYEAlQOnyvY3wBzBFqvQmaAJqUUpucy55ErA
ncWtLBJcNP3Q56vAk4/O4gf/0KUe+x8DovQAe5KIn3JMQUoxc98SxV2xj+/tPvUgxPV9d59N
l2lJEGq7eufOnhwE7NNFEDJNub6V2EIpH3VMmDsPqvFJzmqTTzxzrZISXr3vJR7SdFcxggGV
MIIBkQIBATBiMFwxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAK
BgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJMRcwFQYDVQQDEw5NZWQgRW1haWwgQ0EtMQICEi0w
CQYFKw4DAhoFAKCBijAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
Fw05OTExMTgxNzI4MDNaMCMGCSqGSIb3DQEJBDEWBBTDCjj3XA/xucPba1HadmNvnn0O/jAr
BgkqhkiG9w0BCQ8xHjAcMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBgkqhkiG9w0B
AQEFAASBgG/FM28vzanQAPl1Taq9Mo7NuO1RxYJkrmO7ePu12nIDtUCFnVAWtjVOzgTXOOQz
dCZi17yOLKH1dOxasLjZWMxw7nqV8AhBLgz5+RfQnxVnSrFNF1Zt019kSAOCH9Z5k0XzRef+
/6jMUh2ddDXvlRKW7UFi/BZUe1Zx7g2Nw/RE
--------------msD2610E30DD3B1406D473C5CE--

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:21 PDT