
Exploiting Vulnerabilities in Multifunction Printers

Date post: 13-Jan-2015
Upload: 403-labs-llc
Description:
403 Labs consultant Pete Arzamendi discusses the possibilities of exploiting vulnerabilities in multifunction printers.
Transcript
Page 1: Exploiting Vulnerabilities in Multifunction Printers

Exploiting vulnerabilities in Multifunction Printers

Pete Arzamendi

Consultant, 403 Labs, LLC

Page 2: Exploiting Vulnerabilities in Multifunction Printers

Pete Arzamendi

• Consultant at 403 Labs

• Both a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA) for the Payment Card Industry (PCI)

• Former packet monkey, with over 10 years of experience in the Information Technology field

• Worked with small and medium businesses and with local and state authorities on computer forensic cases and security assessments

• Hobbies include malware analysis and vulnerability research

• Member of the foofus.net team

Introduction

Page 3: Exploiting Vulnerabilities in Multifunction Printers

403 Labs, LLC

• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco

• Experts in the Payment Card Industry (PCI)

• Qualified Security Assessor (QSA)

• Payment Application Qualified Security Assessor (PA-QSA)

• Approved Scanning Vendor (ASV)

• PCI Forensics Investigator (PFI) (just approved, expect to be listed shortly)

• Penetration testing, including web applications

• Experienced in handling computer forensic investigations

Introduction

Page 4: Exploiting Vulnerabilities in Multifunction Printers

• History of printers

• MFP functions and features

• MFP flaws and vulnerabilities

• Leveraging MFP during penetration testing

• Development of an automated harvesting tool ‘PRAEDA’

• Q/A

Agenda

Page 5: Exploiting Vulnerabilities in Multifunction Printers

• LDAP: The Lightweight Directory Access Protocol is an application protocol for reading and editing directories. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".

• SMB: Server Message Block (SMB), mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

• SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission.

• AD: Active Directory (AD) is a directory service created by Microsoft. Active Directory allows administrators to assign policies, deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.

Terms and jargon

Page 6: Exploiting Vulnerabilities in Multifunction Printers

• Gary Starkweather is credited with inventing the Laser Printer at Xerox in 1969

• The first multifunction printer/copier, the "Xerox Printer 100," 1987

• March 1991 – The HP LaserJet IIISi, the world’s first networked printer

• The first true multifunction printer/fax/copiers were introduced in the early 1990s

History of Multifunction Printers

In 2011 you really can’t buy just a printer

Page 7: Exploiting Vulnerabilities in Multifunction Printers

MFP functions and features

Page 8: Exploiting Vulnerabilities in Multifunction Printers

MFP functions and features

• Looking for features and functions that can be leveraged to gain information useful in attacking other systems

• Email

• Server settings

• Address books

• Faxing

• Contact info

• User name

• Address books

Page 9: Exploiting Vulnerabilities in Multifunction Printers

MFP functions and features

• Scanning

• Windows authentication

• System

• Users

• FTP authentication

• LDAP

• Access credentials

• Logging

• User names

• Remote retrieval of print, scan or fax jobs

Page 10: Exploiting Vulnerabilities in Multifunction Printers

Toshiba functions and features

Page 11: Exploiting Vulnerabilities in Multifunction Printers

Toshiba functions and features

Page 12: Exploiting Vulnerabilities in Multifunction Printers

Network Path

Username

Password

Toshiba functions and features

Page 13: Exploiting Vulnerabilities in Multifunction Printers

Canon functions and features

Page 14: Exploiting Vulnerabilities in Multifunction Printers

Canon functions and features

Page 15: Exploiting Vulnerabilities in Multifunction Printers

Canon functions and features

Page 16: Exploiting Vulnerabilities in Multifunction Printers

Canon functions and features

Page 17: Exploiting Vulnerabilities in Multifunction Printers

HP functions and features

Page 18: Exploiting Vulnerabilities in Multifunction Printers

HP functions and features

HP M4345, 9250, CM6040

Page 19: Exploiting Vulnerabilities in Multifunction Printers

HP functions and features

Page 20: Exploiting Vulnerabilities in Multifunction Printers

MFP flaws and vulnerabilities

Page 21: Exploiting Vulnerabilities in Multifunction Printers

Security Bypass

• Various brands and models suffer from a vulnerability allowing bypass of security authentication

Example: Toshiba e-STUDIO

/TopAccess/Administrator/Setup/ScanToFile/List.htm

MFP flaws and vulnerabilities

Page 22: Exploiting Vulnerabilities in Multifunction Printers

/TopAccess//Administrator/Setup/ScanToFile/List.htm

An extra slash / and full access is allowed

MFP flaws and vulnerabilities

Page 23: Exploiting Vulnerabilities in Multifunction Printers

Security Bypass

Example: Home/Office HP Officejet /index.htm?cat=info&page=faxAddrBook1

MFP flaws and vulnerabilities

Page 24: Exploiting Vulnerabilities in Multifunction Printers

Security Bypass

/index.htm?cat=info&page=faxAddrBook1

An extra page= and full access is allowed

/index.htm?cat=info&page=page=faxAddrBook1

MFP flaws and vulnerabilities
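
An added illustration, not code from the presentation or from any vendor firmware: the slides do not state why an extra slash or a doubled page= gets through, so the flawed check below assumes the access check compares the raw request string. The function names and the public page name `status` are hypothetical; the path prefix and `faxAddrBook1` are from the slides.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Path prefix and page name are the ones shown on the slides.
PROTECTED_PREFIXES = ("/TopAccess/Administrator/",)
PROTECTED_PAGES = {"faxAddrBook1"}
PUBLIC_PAGES = {"status"}  # constructed name for an unauthenticated page


def naive_requires_auth(target):
    """Assumed flawed check: compares the raw request target (denylist)."""
    path, _, query = target.partition("?")
    if path.startswith(PROTECTED_PREFIXES):
        return True
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "page" and value in PROTECTED_PAGES:
            return True
    return False


def canonical_path(raw_path):
    """Decode once, collapse repeated slashes, resolve '.' and '..'."""
    path = unquote(raw_path)
    while "//" in path:
        path = path.replace("//", "/")
    return posixpath.normpath(path)


def strict_requires_auth(target):
    """Canonicalize first, then default-deny anything not known public."""
    raw_path, _, query = target.partition("?")
    if (canonical_path(raw_path) + "/").startswith(PROTECTED_PREFIXES):
        return True
    pages = parse_qs(query, keep_blank_values=True).get("page", [])
    if not pages:
        return False  # no page selector: plain landing page
    # Repeated or unknown selectors are never treated as public.
    return len(pages) != 1 or pages[0] not in PUBLIC_PAGES
```

The hardened check only holds if the request dispatcher serves the same canonical path and the same single `page` value that the check evaluated.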

Page 25: Exploiting Vulnerabilities in Multifunction Printers

Forceful Browsing

• Gain access to web pages and files by just knowing the correct URL path

• We typically find that a number of devices, printers and network appliances correctly secure cgi, htm and html extension files, but allow unauthenticated access to other file types

MFP flaws and vulnerabilities

Page 26: Exploiting Vulnerabilities in Multifunction Printers

Forceful Browsing

Canon imageRUNNER: export address books

http://target:8080/abook.ldif?AID=1&ACLS=1

• AID= can be incremented to download different address books

• ACLS=1 on imageRUNNER 3000 series

• ACLS=2 on imageRUNNER 4000 & 5000 series

• Extract user names

MFP flaws and vulnerabilities

Page 27: Exploiting Vulnerabilities in Multifunction Printers

Forceful Browsing

Canon imageRUNNER: export address books

http://target:8080/abook.ldif?AID=1&ACLS=1

• AID= can be incremented to download different address books

• ACLS=1 on imageRUNNER 3000 series

• ACLS=2 on imageRUNNER 4000 & 5000 series

• Extract user names

• Could also contain password

• Accessible host

MFP flaws and vulnerabilities

Page 28: Exploiting Vulnerabilities in Multifunction Printers

Forceful Browsing

• Canon imageRUNNER

• Export additional functions http://target:8080/usermode.umd

• Usermode.umd is a data file containing printer configuration data in plain text

MFP flaws and vulnerabilities

Page 29: Exploiting Vulnerabilities in Multifunction Printers

• Information leak - A look at a few examples

• Toshiba e-STUDIO

• Canon imageRUNNER

• HP MFP

MFP flaws and vulnerabilities

Page 30: Exploiting Vulnerabilities in Multifunction Printers

MFP flaws and vulnerabilities

Toshiba Information Leak

Page 31: Exploiting Vulnerabilities in Multifunction Printers

MFP flaws and vulnerabilities

Toshiba Information Leak

Page 32: Exploiting Vulnerabilities in Multifunction Printers

MFP flaws and vulnerabilities

Toshiba Information Leak

Just because the web form shows ●●●●●●●● doesn’t mean it’s truly hidden

Not uncommon to find data viewable within the web source as plain text

Page 33: Exploiting Vulnerabilities in Multifunction Printers

Canon Information Leak

MFP flaws and vulnerabilities

Want to bet this is also viewable in the source?

Page 34: Exploiting Vulnerabilities in Multifunction Printers

Canon Information Leak

MFP flaws and vulnerabilities

Although not directly found in the Password: value field, it was still found within a hidden input tag

Page 35: Exploiting Vulnerabilities in Multifunction Printers

Once again just need to examine the property of the password field

HP Information Leak

MFP flaws and vulnerabilities

Page 36: Exploiting Vulnerabilities in Multifunction Printers

Once again just need to examine the property of the password field

HP Information Leak

value=“ayz123”

MFP flaws and vulnerabilities
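
A defensive check for the leak shown on the Toshiba, Canon and HP slides, added here and not part of the original deck: scan a saved copy of a device's configuration page for password or hidden inputs that arrive pre-filled in the HTML. The sample page, field names and hint list are constructed; only the value ayz123 comes from the slide.

```python
from html.parser import HTMLParser

SECRET_HINTS = ("pass", "pwd", "secret")   # assumed naming hints
MASK_CHARS = "*\u25cf"                      # '*' and the bullet used as a mask

# Constructed sample of a saved scan-to-file settings page.
SAMPLE_HTML = """
<form>
  <input type="text" name="smbUser" value="scanuser">
  <input type="password" name="smbPassword" value="ayz123">
  <input type="password" name="ldapPassword" value="********">
  <input type="hidden" name="ftp_pwd" value="Example-Only-1">
  <input type="hidden" name="sessionToken" value="abc">
  <input type="password" name="adminPassword" value="">
</form>
"""


class SecretFieldAudit(HTMLParser):
    """Collects inputs whose markup carries a real secret value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name", "")
        value = a.get("value", "")
        secret_field = kind == "password" or (
            kind == "hidden" and any(h in name.lower() for h in SECRET_HINTS))
        # A value made only of mask characters is a placeholder, not a leak.
        if secret_field and value.strip(MASK_CHARS):
            # Record the length only, so the report does not copy the secret.
            self.findings.append((name, kind, len(value)))


def audit_page(html):
    """Return (field name, input type, value length) for each exposed field."""
    parser = SecretFieldAudit()
    parser.feed(html)
    return parser.findings
```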

Page 37: Exploiting Vulnerabilities in Multifunction Printers

What the bad guys are doing…

Leveraging MFP vulnerabilities

Page 38: Exploiting Vulnerabilities in Multifunction Printers

• HP to domain admin access

• HP Color LaserJet CP4025

• Extract users’ names from color job log

• User with weak password

• Access to workstations

• Domain admin token

Leveraging MFP during penetration testing

Page 39: Exploiting Vulnerabilities in Multifunction Printers

• Toshiba to payroll

• Toshiba e-STUDIO

• Extract password from scan-to-file function

• Gain access to AD domain

• Gain access to a number of folders/files/shares

• Access to one special file share “Payroll backup”

Leveraging MFP during penetration testing

Page 40: Exploiting Vulnerabilities in Multifunction Printers

• Canon to domain controller

• Canon imageRUNNER

• Extract LDAP settings

• Enumerate domain user info

• Remote Desktop access to all servers

Leveraging MFP during penetration testing

Page 41: Exploiting Vulnerabilities in Multifunction Printers

• Fax to pwned

• OfficeBridge – Fax system

• First device we found credentials stored on – This is what got this project started

• Extract password from LDAP settings

• Account was domain admin account

Leveraging MFP during penetration testing

Page 42: Exploiting Vulnerabilities in Multifunction Printers

01/27/11

Page 43: Exploiting Vulnerabilities in Multifunction Printers

Automating the process

Page 44: Exploiting Vulnerabilities in Multifunction Printers

What is Praeda?

• Latin for robber, plunderer

• A tool for the purpose of gathering information from network appliances through their web management interfaces

• Printers

• Network appliances

• Beta version written in perl

• Goal was to create a simplistic tool that was modular

Automated harvesting Praeda

Page 45: Exploiting Vulnerabilities in Multifunction Printers

Automated harvesting Praeda

Page 46: Exploiting Vulnerabilities in Multifunction Printers

DataFile Structure

P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006
P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006
P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007

Automated harvesting Praeda
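
Added example, not Praeda's own code: a parser and lookup for the pipe-delimited records shown above, useful for inventorying which devices on your own network present a known fingerprint. The column meanings (record ID, page title, Server header, module IDs), the exact-match rule and all function names are assumptions; the slides name title page and server type as the identifying data but do not label the columns.

```python
from typing import NamedTuple

# Records copied from the DataFile slide.
SAMPLE = """\
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
"""


class Fingerprint(NamedTuple):
    rec_id: str     # e.g. P000014
    title: str      # HTML <title> of the landing page (may be empty)
    server: str     # HTTP Server header value
    modules: tuple  # module IDs to run for this device, e.g. ('MP0007',)


def parse_datafile(text):
    """Parse one record per line; reject lines with too few fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields")
        rec_id, title, server, *modules = fields
        # A trailing '|' (as on P000006) yields an empty module ID: drop it.
        records.append(Fingerprint(rec_id, title, server,
                                   tuple(m for m in modules if m)))
    return records


def match_modules(records, title, server):
    """Return module IDs for an exact title + Server match, else ()."""
    for rec in records:
        if rec.title == title and rec.server == server:
            return rec.modules
    return ()
```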

Page 47: Exploiting Vulnerabilities in Multifunction Printers

• We presently enumerate data from a dozen or more different printer types/versions

• Plan is to grow this to cover as many printers as we can find

• Looking for other simple methods for identifying printer types; present process involves querying web interface for:

• Title page

• Server type

• Researching encryption methods used by some vendors for backup and clone process outputs

• HP

• Xerox

• Looking into migrating code to Ruby – early stages of conversion started

Automated harvesting Praeda

Page 48: Exploiting Vulnerabilities in Multifunction Printers

Pete Arzamendi

Bokojan[at]foofus[dot]net

Deral Heiland

percX[at]foofus[dot]net

Beta version of Praeda available at

www.foofus.net

Questions about Praeda

Page 49: Exploiting Vulnerabilities in Multifunction Printers

Pete Arzamendi

Consultant

403 Labs, LLC

parzamendi[at]403labs[dot]com

877.403.LABS

www.403labs.com

Contact Information
