Exploiting Vulnerabilities in Multifunction Printers
DESCRIPTION
403 Labs Consultant Pete Arzamendi discusses the possibilities of exploiting vulnerabilities in multifunction printers.
TRANSCRIPT
Exploiting vulnerabilities in Multifunction Printers
Pete Arzamendi
Consultant, 403 Labs, LLC
Pete Arzamendi
• Consultant at 403 Labs
• Both a Qualified Security Assessor (QSA) and a Payment Application Qualified Security Assessor (PA-QSA) for the Payment Card Industry (PCI)
• Former packet monkey, with over 10 years of experience in the Information Technology field
• Worked with small and medium businesses, local and state authorities on computer forensic cases and security assessments
• Hobbies include malware analysis and vulnerability research
• Member of the foofus.net team
Introduction
403 Labs, LLC
• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco
• Experts in the Payment Card Industry (PCI)
• Qualified Security Assessor (QSA)
• Payment Application Qualified Security Assessor (PA-QSA)
• Approved Scanning Vendor (ASV)
• PCI Forensics Investigator (PFI) (just approved, expect to be listed shortly)
• Penetration testing, including web applications
• Experienced in handling computer forensic investigations
Introduction
• History of printers
• MFP functions and features
• MFP flaws and vulnerabilities
• Leveraging MFP during penetration testing
• Development of an automated harvesting tool ‘PRAEDA’
• Q/A
Agenda
• LDAP: The Lightweight Directory Access Protocol is an application protocol for reading and editing directories. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".
• SMB: Server Message Block (SMB), mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
• SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission.
• AD: Active Directory (AD) is a directory service created by Microsoft. Active Directory allows administrators to assign policies, deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.
Terms and jargon
• Gary Starkweather is credited with inventing the Laser Printer at Xerox in 1969
• The first multifunction printer/copier, the "Xerox Printer 100," 1987
• March 1991 – The HP LaserJet IIISi, the world’s first networked printer
• The first true multifunction printer/fax/copiers were introduced in the early 1990s
History of Multifunction Printers
In 2011 you really can’t buy just a printer
MFP functions and features
• Looking for features and functions that can be leveraged to gain information that could be leveraged in attacking other systems
• Email
• Server settings
• Address books
• Faxing
• Contact info
• User name
• Address books
MFP functions and features
• Scanning
• Windows authentication
• System
• Users
• FTP authentication
• LDAP
• Access credentials
• Logging
• User names
• Remote retrieval of print, scan or fax jobs
Toshiba functions and features
Network Path
Username
Password
Toshiba functions and features
Canon functions and features
HP functions and features
HP M4345, 9250, CM6040
MFP flaws and vulnerabilities
Security Bypass
• Various brands and models suffer from a vulnerability allowing bypass of security authentication
Example: Toshiba e-STUDIO
/TopAccess/Administrator/Setup/ScanToFile/List.htm
MFP flaws and vulnerabilities
/TopAccess//Administrator/Setup/ScanToFile/List.htm
An extra slash / and full access is allowed
MFP flaws and vulnerabilities
Security Bypass
Example: Home/Office HP Officejet
/index.htm?cat=info&page=faxAddrBook1
MFP flaws and vulnerabilities
Security Bypass
/index.htm?cat=info&page=faxAddrBook1
An extra page= and full access is allowed
/index.htm?cat=info&page=page=faxAddrBook1
MFP flaws and vulnerabilities
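One way bypasses like the two above arise is that access control is matched against the raw request while the page handler accepts a more tolerant form. This added example (not from the slides or any vendor firmware) models such a flawed check and a fail-closed gate that rejects ambiguous request targets; the protected prefix, the protected page list and the `page=home` target are assumptions.

```python
from urllib.parse import parse_qsl, unquote

# Assumed policy for illustration: what requires an authenticated session.
PROTECTED_PREFIXES = ("/TopAccess/Administrator/",)
PROTECTED_PAGES = {"faxAddrBook1"}


def split_target(target):
    """Split a request target into its raw path and (name, value) pairs."""
    path, _, query = target.partition("?")
    return path, parse_qsl(query, keep_blank_values=True)


def naive_requires_auth(target):
    """Hypothetical flawed check: compares the raw request to the policy."""
    path, params = split_target(target)
    return path.startswith(PROTECTED_PREFIXES) or any(
        name == "page" and value in PROTECTED_PAGES for name, value in params
    )


def is_canonical(target):
    """True only when the target has a single unambiguous reading."""
    path, params = split_target(target)
    segments = unquote(path).split("/")
    if not path.startswith("/") or "" in segments[1:-1]:
        return False  # relative path or empty segment such as "//"
    if "." in segments or ".." in segments:
        return False  # dot segments resolve to a different resource
    names = [name for name, _ in params]
    if len(names) != len(set(names)):
        return False  # repeated parameter: parsers disagree on which wins
    return not any("=" in value for _, value in params)  # e.g. page=page=x


def gate(target):
    """Fail-closed decision: 'reject', 'auth' or 'public'."""
    if not is_canonical(target):
        return "reject"
    return "auth" if naive_requires_auth(target) else "public"


if __name__ == "__main__":
    for t in (  # targets quoted on the slides, plus one constructed public page
        "/TopAccess/Administrator/Setup/ScanToFile/List.htm",
        "/TopAccess//Administrator/Setup/ScanToFile/List.htm",
        "/index.htm?cat=info&page=faxAddrBook1",
        "/index.htm?cat=info&page=page=faxAddrBook1",
        "/index.htm?cat=info&page=home",
    ):
        print(f"{gate(t):7} naive_auth={naive_requires_auth(t)!s:5} {t}")
```

Once a target passes `is_canonical`, the simple prefix and value comparison is sound, which is why `gate` can reuse it.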
Forceful Browsing
• Gain access to web pages and files by just knowing the correct URL path
• Typically find that a number of devices, printers and network appliances correctly secure cgi, htm and html extension files, but allow unauthenticated access to other file types
MFP flaws and vulnerabilities
Forceful Browsing
Canon imageRUNNER
Export address books
http://target:8080/abook.ldif?AID=1&ACLS=1
• AID= can be incremented to download different address books
• ACLS=1 on imageRUNNER 3000 series
• ACLS=2 on imageRUNNER 4000 & 5000 series
• Extract user names
• Could also contain password
• Accessible host
MFP flaws and vulnerabilities
Forceful Browsing
• Canon imageRUNNER
• Export additional functions
http://target:8080/usermode.umd
• Usermode.umd is a data file containing printer configuration data in plain text
MFP flaws and vulnerabilities
• Information leak - A look at a few examples
• Toshiba e-STUDIO
• Canon imageRUNNER
• HP MFP
MFP flaws and vulnerabilities
MFP flaws and vulnerabilities
Toshiba Information Leak
Just because the web form shows ●●●●●●●● doesn’t mean it’s truly hidden
Not uncommon to find data viewable within the web source as plain text
Canon Information Leak
MFP flaws and vulnerabilities
Want to bet this is also viewable in the source?
Canon Information Leak
MFP flaws and vulnerabilities
Although not directly found in the Password: value field, it was still found within a hidden input tag
Once again just need to examine the property of the password field
HP Information Leak
value=“ayz123”
MFP flaws and vulnerabilities
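The Toshiba, Canon and HP leaks above are the same defect: a stored secret is written back into the page source, whether in a masked password field or a hidden input. This added example (not from the slides) audits a saved management page for that defect; the sample HTML and its field names are constructed, and the name pattern used for hidden fields is an assumption.

```python
import re
from html.parser import HTMLParser

# Assumption: hidden fields whose name matches this pattern hold secrets.
SECRET_NAME = re.compile(r"pass|pwd|secret|cred", re.I)

# Constructed sample of a device settings form (not taken from a real device).
SAMPLE_PAGE = """
<form action="/ldap_settings" method="post">
  <input type="text" name="ldapServer" value="dc01.example.test">
  <input type="password" name="ldapPassword" value="ayz123">
  <input type="hidden" name="smbPasswd" value="ayz123"/>
  <input type="hidden" name="csrfToken" value="0f3a">
  <input type="password" name="adminPassword" value="">
</form>
"""


class CredentialFieldAudit(HTMLParser):
    """Collects <input> elements that ship a stored secret to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        kind = attr.get("type", "text").lower()
        name = attr.get("name") or attr.get("id", "")
        value = attr.get("value", "")
        if not value:
            return  # an empty value is what a safe form sends
        # Record only the length so the report does not repeat the secret.
        if kind == "password":
            self.findings.append(("password-prefilled", name, len(value)))
        elif kind == "hidden" and SECRET_NAME.search(name):
            self.findings.append(("hidden-secret", name, len(value)))


def audit(html):
    """Return (issue, field name, value length) for each leaking field."""
    parser = CredentialFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for issue, field, length in audit(SAMPLE_PAGE):
        print(f"{issue}: {field} ({length} characters in page source)")
```

A fixed page returns an empty list: the form shows a placeholder and the device keeps the stored value unless a new one is submitted.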
What the bad guys are doing…
Leveraging MFP vulnerabilities
• HP to domain admin access
• HP Color LaserJet CP4025
• Extract users’ names from color job log
• User with weak password
• Access to workstations
• Domain admin token
Leveraging MFP during penetration testing
• Toshiba to payroll
• Toshiba e-STUDIO
• Extract password from scan-to-file function
• Gain access to AD domain
• Gain access to a number of folders/files/shares
• Access to one special file share “Payroll backup”
Leveraging MFP during penetration testing
• Canon to domain controller
• Canon imageRUNNER
• Extract LDAP settings
• Enumerate domain user info
• Remote Desktop access to all servers
Leveraging MFP during penetration testing
• Fax to pwned
• OfficeBridge – Fax system
• First device we found credentials stored on – This is what got this project started
• Extract password from LDAP settings
• Account was domain admin account
Leveraging MFP during penetration testing
01/27/11
Automating the process
What is Praeda?
• Latin for robber, plunderer
• A tool for the purpose of gathering information from network appliances through their web management interfaces
• Printers
• Network appliances
• Beta version written in Perl
• Goal was to create a simplistic tool that was modular
Automated harvesting Praeda
DataFile Structure
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000008||Canon Http Server 2.11|MP0003|MP0004|MP0005
P000009|Home - Phaser 7750GX|Allegro-Software-RomPager/4.10|MP0006
P000010|Unauthorized|Spyglass_MicroServer/2.01FC1|MP0006
P000011|Principal|Spyglass_MicroServer/2.01FC1|MP0006
P000012|Home|Spyglass_MicroServer/2.01FC1|MP0006
P000013|Home - Phaser 6360DT|Allegro-Software-RomPager/4.34|MP0006
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
Automated harvesting Praeda
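Added example, not Praeda's own code: a parser for the pipe-delimited records shown above and a lookup from an observed page title and Server header to a record, which is enough to check an inventory of device web interfaces against the fingerprint list. Reading the fields as id, title, server type and module ids follows the slides; treating an empty title as "any title" and ignoring a trailing `|` are assumptions.

```python
from dataclasses import dataclass

# Four records copied from the slide, one per line.
DATA_FILE = """\
P000005|HP Color LaserJet CP3525 Printers|HP-ChaiSOE/1.0|MP0002
P000006|HP Color LaserJet CP3505 Printers|HP-ChaiSOE/1.0|MP0002|
P000007||Canon Http Server 2.10|MP0003|MP0004|MP0005
P000014|TopAccess|TOSHIBA TEC CORPORATION|MP0007
"""


@dataclass(frozen=True)
class Fingerprint:
    record_id: str
    title: str      # page title; empty is treated as "any title" (assumption)
    server: str     # value of the HTTP Server header
    modules: tuple  # module ids listed for this device type


def parse_data_file(text):
    """Parse records of the form id|title|server|module[|module...]."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields")
        record_id, title, server, *rest = fields
        modules = tuple(m for m in rest if m)  # tolerate a trailing '|'
        if not record_id or not server or not modules:
            raise ValueError(f"line {lineno}: id, server and a module are required")
        records.append(Fingerprint(record_id, title, server, modules))
    return records


def match(records, title, server):
    """Return the first record matching the observed title and server, or None."""
    for record in records:
        if record.server == server and record.title in ("", title):
            return record
    return None


if __name__ == "__main__":
    table = parse_data_file(DATA_FILE)
    # "Remote UI" is a constructed title used to exercise the empty-title case.
    for seen in (("Remote UI", "Canon Http Server 2.10"), ("Home", "nginx")):
        hit = match(table, *seen)
        print(seen, "->", (hit.record_id, hit.modules) if hit else "unknown device")
```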
• We presently enumerate data from a dozen or more different printer types/versions
• Plan is to grow this to cover as many printers as we can find
• Looking for other simple methods for identifying printer types, present process involves querying web interface for:
• Title page
• Server type
• Researching encryption methods used by some vendors for backup and clone process outputs
• HP
• Xerox
• Looking into migrating code to Ruby – early stages of conversion started
Automated harvesting Praeda
Pete Arzamendi
Bokojan[at]foofus[dot]net
Deral Heiland
percX[at]foofus[dot]net
Beta version of Praeda available at www.foofus.net
Questions about Praeda
Pete Arzamendi
Consultant
403 Labs, LLC
parzamendi[at]403labs[dot]com
877.403.LABS
www.403labs.com
Contact Information