403 Labs consultant Pete Arzamendi discusses the possibilities of exploiting vulnerabilities in multifunction printers.
Exploiting vulnerabilities in Multifunction Printers
Pete Arzamendi, Consultant, 403 Labs, LLC
Introduction
Pete Arzamendi
• Consultant at 403 Labs
• Both a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA) for the Payment Card Industry (PCI)
• Former packet monkey, with over 10 years of experience in the Information Technology field
• Worked with small and medium businesses, local and state authorities on computer forensic cases and security assessments
• Hobbies include malware analysis and vulnerability research
• Member of the foofus.net team
Introduction
403 Labs, LLC
• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco
• Experts in the Payment Card Industry (PCI)
• Qualified Security Assessor (QSA)
• Payment Application Qualified Security Assessor (PA-QSA)
• Approved Scanning Vendor (ASV)
• PCI Forensics Investigator (PFI) (just approved, expect to be listed shortly)
• Penetration testing, including web applications
• Experienced in handling computer forensic investigations
Agenda
• History of printers
• MFP functions and features
• MFP flaws and vulnerabilities
• Leveraging MFP during penetration testing
• Development of an automated harvesting tool ‘PRAEDA’
• Q/A
Terms and jargon
• LDAP: The Lightweight Directory Access Protocol is an application protocol for reading and editing directories. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".
• SMB: Server Message Block (SMB) is mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
• SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission.
• AD: Active Directory (AD) is a directory service created by Microsoft. Active Directory allows administrators to assign policies and to deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.
History of Multifunction Printers
• Gary Starkweather is credited with inventing the laser printer at Xerox in 1969
• The first multifunction printer/copier, the "Xerox Printer 100," 1987
• March 1991 – The HP LaserJet IIISi, the world’s first networked printer
• The first true multifunction printer/fax/copiers were introduced in the early 1990s
MFP functions and features
In 2011 you really can’t buy just a printer
MFP functions and features
• Looking for features and functions that can be leveraged to gain information that could be used in attacking other systems
• Email: server settings, address books
• Faxing: contact info, user name, address books
• Scanning: Windows authentication, FTP authentication, access credentials, user names
• System: users, LDAP, logging, remote retrieval of print, scan or fax jobs
Toshiba functions and features
[Screenshot slides of the Toshiba web interface; visible fields: Network Path, Username, Password]
Canon functions and features
[Screenshot slides of the Canon web interface]
HP functions and features
HP M4345, 9250, CM6040
[Screenshot slides of the HP web interface]
MFP flaws and vulnerabilities
Security Bypass
• Various brands and models suffer from a vulnerability allowing bypass of security authentication
Example: Toshiba e-STUDIO
/TopAccess/Administrator/Setup/ScanToFile/List.htm
/TopAccess//Administrator/Setup/ScanToFile/List.htm
An extra slash (/) and full access is allowed
MFP flaws and vulnerabilities
Security Bypass
Example: Home/Office HP Officejet
/index.htm?cat=info&page=faxAddrBook1
/index.htm?cat=info&page=page=faxAddrBook1
An extra page= and full access is allowed
MFP flaws and vulnerabilities
Forceful Browsing
• Gain access to web pages and files by just knowing the correct URL path
• Typically find that a number of devices, printers and network appliances correctly secure cgi, htm and html extension files, but allow unauthenticated access to other file types
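The security-bypass and forceful-browsing slides above describe one root cause from the device side: the authorization gate compares the raw request string and only protects a few file extensions. The following is an added example (illustrative Python, not any vendor's firmware and not part of the original talk) that puts a gate with those weaknesses next to a normalized, deny-by-default gate. The protected and public paths, the page names other than faxAddrBook1, and the `.ldif` file name in the test cases are constructed for the example.

```python
"""Added example (illustrative code, not any device's firmware): a naive
authorization gate that fails in the three ways the page describes, next to
a normalized, deny-by-default gate. All paths and page names are constructed."""
import posixpath
from urllib.parse import urlsplit, parse_qs

# Constructed policy for the example: what may be served without a login.
PUBLIC_PATHS = {"/index.htm"}
PUBLIC_DIR_PREFIX = "/TopAccess/Public/"
PUBLIC_PAGES = {"status", "info"}
# What the naive gate tries (and fails) to protect.
ADMIN_DIR_PREFIX = "/TopAccess/Administrator/"
ADMIN_PAGES = {"faxAddrBook1"}


def naive_requires_auth(url: str) -> bool:
    """Weak gate in the style the page describes.

    Raw string compare: '/TopAccess//Administrator/...' does not start with
    ADMIN_DIR_PREFIX, so it slips through (the extra-slash bypass).
    Extension-based: only .htm/.html/.cgi are ever protected, so a data file
    under the admin tree is served unauthenticated (forceful browsing).
    First 'page=' wins and is taken literally, so 'page=page=faxAddrBook1'
    is not recognized as the protected page.
    """
    path, _, query = url.partition("?")
    if path.startswith(ADMIN_DIR_PREFIX) and path.endswith((".htm", ".html", ".cgi")):
        return True
    for param in query.split("&"):
        if param.startswith("page="):
            return param[len("page="):] in ADMIN_PAGES
    return False


def hardened_requires_auth(url: str) -> bool:
    """Normalize first, then deny by default: only an explicit allow-list of
    paths and page names is served without authentication."""
    parts = urlsplit(url)
    # Collapse '//' and resolve '.' and '..' before comparing anything; the
    # leading-slash rewrite also covers a doubled slash at the very start.
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    if path not in PUBLIC_PATHS and not path.startswith(PUBLIC_DIR_PREFIX):
        return True  # the file extension plays no part in the decision
    # Inspect every value of every 'page' parameter, not just the first one.
    for value in parse_qs(parts.query, keep_blank_values=True).get("page", []):
        # 'page=page=faxAddrBook1' arrives as the single value 'page=faxAddrBook1';
        # it is not on the allow-list, so it needs a login, and we never have to
        # guess how the device would re-parse the nested text.
        if value not in PUBLIC_PAGES:
            return True
    return False


# The request forms discussed on the page, plus a benign public request.
CASES = [
    "/TopAccess/Administrator/Setup/ScanToFile/List.htm",
    "/TopAccess//Administrator/Setup/ScanToFile/List.htm",
    "/TopAccess/Administrator/Setup/abook.ldif",   # constructed file name
    "/index.htm?cat=info&page=faxAddrBook1",
    "/index.htm?cat=info&page=page=faxAddrBook1",
    "/index.htm?cat=info&page=status",
]


def compare(urls=CASES):
    """Return {url: (naive_decision, hardened_decision)} for the given requests."""
    return {u: (naive_requires_auth(u), hardened_requires_auth(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {url}")
```

The point of the hardened version is not the specific allow-list but the order of operations: canonicalize the path, decide on the whole path rather than its extension, and treat anything not explicitly public as needing a login. Running the block prints the two decisions side by side for each request form.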
MFP flaws and vulnerabilities
Forceful Browsing: Canon imageRUNNER export address books
http://target:8080/abook.ldif?AID=1&ACLS=1
• AID= can be incremented to download different address books
• ACLS=1 on imageRUNNER 3000 series
• ACLS=2 on imageRUNNER 4000 & 5000 series
• Extract user names
• Could also contain password
• Accessible host
MFP flaws and vulnerabilities
Forceful Browsing: Canon imageRUNNER
• Export additional functions: http://target:8080/usermode.umd
• usermode.umd is a data file containing printer configuration data in plain text
MFP flaws and vulnerabilities
• Information leak – a look at a few examples
• Toshiba e-STUDIO
• Canon imageRUNNER
• HP MFP
Toshiba Information Leak
[Screenshot slides of the Toshiba web interface and its page source]
Just because the web form shows ●●●●●●●● doesn’t mean it’s truly hidden
Not uncommon to find data viewable within the web source as plain text
MFP flaws and vulnerabilities
Canon Information Leak
Want to bet this is also viewable in the source?
Although not directly found in the Password: value field, it was still found within a hidden input tag
HP Information Leak
Once again, just need to examine the property of the password field
value=“ayz123”
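The three information-leak slides share one pattern: the device sends a stored credential back to the browser, either as the `value` of the masked password input or in a hidden input next to it. Added example (Python, not Praeda and not code from the talk): an audit scanner that flags credential-looking `<input>` elements whose `value` attribute is populated, for checking the source of your own device's configuration pages. The HTML is constructed to mimic both patterns; the `ayz123` string is the one shown on the HP slide, and the field names are assumptions.

```python
"""Added example (not Praeda's code): flag form fields in an MFP web page
that carry a stored secret in their value attribute. The sample HTML below
is constructed to mimic the patterns described on the slides."""
from html.parser import HTMLParser

# Name fragments that suggest a credential field even when type != "password".
PASSWORD_HINTS = ("pass", "pwd", "secret")


class SecretFieldScanner(HTMLParser):
    """Collects <input> elements that look like credential fields and carry a
    non-empty value= attribute, regardless of whether the browser masks them."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # HTMLParser lowercases attribute names; a bare attribute has value None.
        a = {k: (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        name = a.get("name") or a.get("id") or ""
        value = a.get("value", "")
        looks_secret = itype == "password" or any(
            hint in name.lower() for hint in PASSWORD_HINTS
        )
        if looks_secret and value:
            # Report the field and the length only; never echo the secret itself.
            self.findings.append(
                {"name": name, "type": itype, "value_length": len(value)}
            )


def find_exposed_secrets(html: str):
    """Return a list of findings for every credential field with a value."""
    scanner = SecretFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a scan-to-file form with an empty masked field (fine),
# a hidden duplicate holding the secret (the Canon pattern) and a masked
# field pre-filled with the secret (the Toshiba/HP pattern).
SAMPLE_HTML = """
<form action="/scan/save">
  <input type="text" name="netpath" value="\\\\fileserver\\scans">
  <input type="text" name="username" value="scan_svc">
  <input type="password" name="password" value="">
  <input type="hidden" name="ScanPassword" value="ayz123">
  <input type="password" name="smtp_pwd" value="ayz123">
</form>
"""

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_HTML):
        print(f"{finding['type']:>8} field {finding['name']!r} "
              f"returns a {finding['value_length']}-character value")
```

Run against the HTML a device returns after login, this reports which fields would hand the stored password to anyone who can view the source; the empty masked field is correctly left alone, since an empty `value` is what a properly written form should send.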
Leveraging MFP during penetration testing
What the bad guys are doing…
• HP to domain admin access
• HP Color LaserJet CP4025
• Extract users’ names from color job log
• User with weak password
• Access to workstations
• Domain admin token
Leveraging MFP during penetration testing
• Toshiba to payroll
• Toshiba e-STUDIO
• Extract password from scan-to-file function
• Gain access to AD domain
• Gain access to a number of folders/files/shares
• Access to one special file share: “Payroll backup”
Leveraging MFP during penetration testing
• Canon to domain controller
• Canon imageRUNNER
• Extract LDAP settings
• Enumerate domain user info
• Remote Desktop access to all servers
Leveraging MFP during penetration testing
• Fax to pwned
• OfficeBridge – Fax system
• First device we found credentials stored on – this is what got this project started
• Extract password from LDAP settings
• Account was domain admin account
01/27/11
Automated harvesting: Praeda
Automating the process
What is Praeda?
• Latin for robber, plunderer
• A tool for the purpose of gathering information from network appliances through their web management interfaces
• Printers
• Network appliances
• Beta version written in Perl
• Goal was to create a simplistic tool that was modular
Automated harvesting: Praeda
DataFile Structure
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006
P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006
P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
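The DataFile slide shows the fingerprint table Praeda uses: one record per line with a record ID, the page title, the HTTP Server header string and one or more module IDs, which is what the later "title page / server type" identification bullets refer to. Added example (Python rather than Praeda's Perl, and not the project's own code): a loader for that format and the title-plus-server lookup it implies. The field meanings are inferred from the slide, so treat them as an assumption; the records are copied from the slide, including the run-together form the extraction produced, which the loader tolerates alongside normal newline-separated input.

```python
"""Added example (not Praeda's code): parse the pipe-delimited DataFile
records shown on the slide and look up the modules for a device by the
page title and Server header. Field meanings are inferred from the slide."""
import re

# A record starts with 'P' + six digits + '|'. Assumption: that token never
# appears inside a title or server string.
RECORD_RE = re.compile(r"P\d{6}\|")

# Copied from the slide. The extraction fused the lines together; the loader
# splits on record boundaries so both this and a newline-separated file work.
SLIDE_DATA = (
    "P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002"
    "P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|"
    "P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005"
    "P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005"
    "P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006"
    "P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006"
    "P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006"
    "P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006"
    "P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006"
    "P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007"
)


def split_records(text: str):
    """Yield raw record strings from newline-separated or fused input."""
    out = []
    for line in text.splitlines():
        starts = [m.start() for m in RECORD_RE.finditer(line)]
        for i, start in enumerate(starts):
            end = starts[i + 1] if i + 1 < len(starts) else len(line)
            out.append(line[start:end])
    return out


def parse_record(raw: str) -> dict:
    """id | title | server | module, module, ...  (trailing '|' tolerated)."""
    fields = raw.rstrip("|").split("|")
    if len(fields) < 4:
        raise ValueError(f"record needs id, title, server and a module: {raw!r}")
    rid, title, server, *modules = fields
    return {"id": rid, "title": title, "server": server, "modules": modules}


def load_datafile(text: str):
    return [parse_record(r) for r in split_records(text)]


def match_device(records, title: str, server: str):
    """Modules for the first record whose Server header matches and whose
    title matches or is blank (a blank title acts as a wildcard, as the
    Canon rows on the slide suggest). Empty list when nothing matches."""
    for rec in records:
        if rec["server"] == server and rec["title"] in ("", title):
            return rec["modules"]
    return []


if __name__ == "__main__":
    recs = load_datafile(SLIDE_DATA)
    print(f"{len(recs)} records loaded")
    print("TopAccess/TOSHIBA ->", match_device(recs, "TopAccess", "TOSHIBA TEC CORPORATION"))
    print("any title/Canon 2.11 ->", match_device(recs, "x", "Canon Http Server 2.11"))
```

Note the two edge cases the data itself forces: record P000006 ends with a stray delimiter, which would otherwise produce an empty module ID, and the Canon rows have no title at all, which only makes sense if the Server header alone is meant to select them.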
Automated harvesting: Praeda
• We presently enumerate data from a dozen or more different printer types/versions
• Plan is to grow this to cover as many printers as we can find
• Looking for other simple methods for identifying printer types; present process involves querying the web interface for: title page, server type
• Researching encryption methods used by some vendors for backup and clone process outputs: HP, Xerox
• Looking into migrating code to Ruby – early stages of conversion started
Questions about Praeda
Pete Arzamendi: Bokojan[at]foofus[dot]net
Deral Heiland: percX[at]foofus[dot]net
Beta version of Praeda available at www.foofus.net
Contact Information
Pete Arzamendi, Consultant
403 Labs, LLC
parzamendi[at]403labs[dot]com
877.403.LABS
www.403labs.com