Summary - New Tektronix (Xerox) printers have covered up a security through obscurity flaw discovered in November, 1999 with more security through obscurity. The unauthenticated and unfiltered administrator configuration page on the PhaserLink webserver is now located at the URL http://printername/_ncl_subjects.shtml. Furthermore, Tektronix has added the item "Userid:" to the printer config page, supposidly to add more granularity (or obscurity) to the configuration process. However, this may allow unfiltered and unauthenticated users to discover the administrators valid userid and password. And more, the printer's webserver cannot b turned off using the html interface. Background - On November 16, 1999, I posted a backdoor in the PhaserLink Webserver for Tektronix Printers. The backdoor allowed an attacker unfiltered and unauthenticated access to the configuration of the printer. Many of the Tektronix printers available at the time had this backdoor. A few days later, another bugtraq poster (I'm sorry, cannot find the name in the archive,) discovered that this vulnerability also allowed an unfiltered and unauthenticated user to ultimately physically deny service on the printer by forcing it into Emergency Power Off mode, which meant the printer would turn itself off without properly voiding the ink or crayon reservoir. If the reservoir cooled, the ink or crayons would coagulate, and the printer would be physically damaged. My post, and subsequent discussions on Bugtraq received the attention of may concerned administrators, who contacted me about the vulnerability and the fixes for the vulnerability. It also attracted the attention of a Tektronix bigwig which, after two weeks of silence from Tektronix after posting the bug (three weeks after contacting them about the bug,) sent me several threats (legal threats about releasing secret information.) After several meetings and emails flew around, it was mutually decided that this was a bad way of doing business, and that Tektronix would inform us of any other backdoors as well as work with us to fix them. In exchange, I'd not post any further advisories (although I did not agree with this, but due to their apparent effort to fix the problem, I have kept my mouth shut.) Unfortunately, they have not kept up their end of the bargain, and instead have made things more insecure as well as using more security through obscurity to hide the problem exposed in the first vulnerability report. In a matter of fact, the last communications we received from them on this issue was in the beginning of 2000. I think it is time to shake them up again because they obviously didn't learn anything the last time. Vulnerability - Tektronix apparently fixed the problem, but not in a secure fashion. I recently had the opportunity to play with several new 850 printers. The new printers appear to have fixed the problem, at least in a majority of the half-dozen machines I have played with. Typing in the backdoor URL produced an Error 404 message. However, all of the webservers responded to the URL http:/printername/_ncl_subjects.shtml. It appears that Tektronix covered up the URL after I posted the vulnerability report by changing the URL slightly. This was actually discovered during the testing of the printer. We noticed that most of the pages on the server now end with the extension .shtml. However, typing in the filename ncl_subjects.shtml also produced an Error 404. I accidently typed _ncl_subjects.shtml at one point during the testing, and the page popped up. So Tektronix has "secured" the webpage by adding a "_" and an "s". This is litterally the first time I have caught a backdoor by dumb luck, but it only took about 20 minutes of playing. The first URL was given to us by Tektronix Technical Support. But it definately proves that one of the three reasons that security through obscurity fails because of pure dumb-luck. The new URL allows the same sort of access that the previous URL backdoor allowed. Configuration pages themselves live at the URL's http://printername/_ncl_items.shtml&SUBJECT=*, where "*" is the number corresponding to the particular configuration page. Again, Tektronix has included the ability to remotely (and unauthenticated) physically deny service to the printer by setting the "Shutdown" option on the URL http://printername/_ncl_items.shtml&SUBJECT=1 to "Emergency Power Off," but I have yet to find someone willing to allow me to test this. Obviously setting "Factory Default" to true is a much less destructive Denial of Service as it resets the printer, but doesn't damage anything. Tektronix has added a whole new (and very bad) wrinkle to the HTTP config page. As previously discovered, the HTTP Config page on 740 machines allowed users to view the administrator password without any sort of authentication or filtering. This means that any one on the planet can access this information and use it to reconfigure other parts of the machine using the URL http://printername/ncl_items.html&SUBJECT=2097. Tektronix now has both a userid and a password field available in plain-text by typing the URL http://printername/_ncl_items.shtml&SUBJECT=2097. This has the effect of essentially allowing an ignorant user (and believe me, any user which has a printer outside of a firewall is an ignorant one,) to broadcast their standard userid and password to the world. This allows an attacker to discover a potentially legitimate password on other computer systems, and the rest, as they say, is history. Furthermore, Tektronix has taken away one of the two fixes we proposed in the last advisory. One of our suggestions for network administrators to fix the problem was to use the "On" switch on the ncl_items.html&SUBJECT=2097 webpage to turn off the webserver on the printer, which apparently turned off this backdoor quite effectively. However, while the new printers still have this switch, the functionality of the switch has been broken or turned off, so this option is no longer available to network administrators. The only way to protect the printer from attack is to put it behind a firewall. I'm still playing, there may be more... Vendor Contact Status - vendor was contacted nearly 2 weeks ago, using the standard email addresses as well as some of the email addresses I had from before, and any email address I could garnish from the website. Almost all of the emails bounced. Those that didn't bounce were autoresponders, and I have not received any communication beck from the company. I expect they will again contact me 2 weeks after this email hits the list, and will again threaten me with the standard threats and complain that I didn't contact the right people back at their company ahead of time (somehow they expect I have awsome ESP skillz that can be useful in detecting the right people to send the email to, since I obviously have the skillz to find hidden URLs by mistyping my requests.) One thing that Tektronix spouted over and over again was that any hardship over security through obscurity was a local hardship. Nobody else ever complained about it. Feel free to tell them what you think, if you have a Tektronix printer, make your voice against security through obscurity heard, so it doesn't look like I'm the only one who has a problem with it. Shameless Plug - I will hopefully be speaking at this year's Toorcon in San Diego on printer insecurities. Please consult www.toorcon.com for more information. Contact Info - Send me email at ltlw0lfat_private for more information, I am out of town for two weeks, but will get back to you asap.
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 16:16:09 PDT