In January, The Shmoo Group held its annual get-together, ShmooCon 2011. This is an annual East Coast hacker convention in the US where people discuss critical information security issues and demonstrate technology exploitation and inventive software and hardware solutions.
This year Deral Heiland and Pete Arzamendi presented a discussion on serious vulnerabilities in multifunction printer (MFP) security. In this presentation they focused on gathering data from MFPs and using it to access other systems on a network. By taking advantage of poor printer security and vulnerabilities they grabbed an abundance of information including usernames, email addresses and passwords. They used that information to get administrative access into email servers, file servers and Active Directory domains.
Many of the security problems are the result of businesses not changing default settings on these systems. In one case the default administrator username is Admin and the default password is 123456. Since most networked printers are accessible through a browser for easy configuration and administration, forced browsing techniques work well to exploit them. For those not familiar with the term, forced browsing is a way to access restricted parts of a web server directory. This kind of attack occurs when the attacker requests a URL directly instead of following links.
Heiland found one of these flaws by accident. He was copying and pasting something into a browser and accidentally put an extra “/” into the URL. That bypassed the MFP security and let him call administrative functions on the system directly.
Another problem is that many printers allow you to export settings to a file, and some of these exports include clear-text passwords. Other printers expose passwords in clear text in the HTML source, even though they are masked in the administrative console pages. You would have to love some of these things if they weren’t so scary.
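A defender can check for the two exposures described above (clear-text passwords in exported settings, and passwords present in the page HTML although masked in the console) by saving the export and the admin page from their own device and scanning them offline. This is an added example, not code from the talk or from PRAEDA; the key-name pattern, the `key=value` export layout and the sample data are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Key names that suggest a credential (assumed list, extend for your devices).
SECRET_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|community)", re.I)


class PasswordFieldFinder(HTMLParser):
    """Collects <input> fields that carry a pre-filled secret in the page source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name", "")
        # A masked or hidden field still ships its value to the browser.
        is_secret = kind == "password" or (kind == "hidden" and SECRET_KEY.search(name))
        if a.get("value") and is_secret:
            # Record the field name and value length only, never the secret itself.
            self.findings.append(("html", name or "<unnamed>", len(a["value"])))


def audit_html(source):
    finder = PasswordFieldFinder()
    finder.feed(source)
    return finder.findings


def audit_export(text):
    """Flags key=value lines whose key looks like a credential and whose value is set."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and SECRET_KEY.search(key) and value.strip():
            findings.append(("export", key.strip(), len(value.strip())))
    return findings


# Constructed samples, not taken from any real device.
SAMPLE_HTML = '''<form><input type="text" name="ldap_user" value="svc_scan">
<input type="password" name="ldap_pass" value="Example-Not-Real-1"></form>'''
SAMPLE_EXPORT = "smtp.server=mail.example.test\nsmtp.password=Example-Not-Real-2\nsnmp.community=\n"

if __name__ == "__main__":
    for source, field, length in audit_html(SAMPLE_HTML) + audit_export(SAMPLE_EXPORT):
        print(f"{source}: field '{field}' holds a {length}-character clear-text value")
```

Any finding means the stored credential should be treated as exposed to anyone who can reach that page or file, so pair the result with the limited-access account and VLAN tips below.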
Heiland created a program called PRAEDA (Latin for plunder) to automate the gathering of this information to help with penetration testing that exposes these weaknesses. It’s written in Perl and available at Foofus.net. Currently the program can access about 30 different models, but will eventually support more. If your MFP doesn’t have the appropriate data security features, you are most likely vulnerable.
Here are a few tips to help prevent exploitation of your MFPs:
- Change your password from the default
- Isolate printers on a VLAN
- Patch printers when new software is available
- Use accounts with limited access (write only)
If you suspect a problem, talk to your IT department or your MFP service provider to make sure you are locked down. The entire video of Heiland and Arzamendi’s talk is below if you want to watch it. It’s 50 minutes long, so make sure you are in a comfortable chair with snacks and a beverage.
Photo credit Yo Spiff