121

I did an nmap scan on an advanced office printer that has a domain name and is accessible from outside the corporate network. Surprisingly I found many open ports like http:80, https:443, and svrloc:427 and some others. The OS fingerprint says somewhere: "...x86_64-unknown-linux-gnu...", which may indicate that this is some sort of an embedded Linux running some server software for the printer's functionality.

How can I know whether this printer is increasing the attack surface on the network? For example, can it be exploited through a remote privilege escalation vulnerability and then used to launch a tunneling attack on other hosts in the network?

hsnm
    You'd be surprised how much fun you can have with printers and photocopiers ;) – Polynomial Nov 06 '12 at 16:29
  • @Polynomial I'm scared about this. I have been trying to search around but couldn't find much useful info. I need to check how much my printer is capable of doing to see if a relatively dangerous attack can succeed. I haven't been able to find much info about the OS or hardware specs for my printer. Will it allow for some privilege escalation? Is it running CUPS for IPP? I have no idea yet. – hsnm Nov 06 '12 at 16:38
  • 1
    Check for vulnerabilities in the manufacturers web interface too. – ewanm89 Nov 06 '12 at 16:54
  • 33
    If you want a step by step tutorial, defer to the movie Office Space. – Moses Nov 06 '12 at 17:01
  • 3
    It might help with answers if you tell us why it needs to be accessible from outside (e.g. remote admin? automatic consumable ordering? remote printing?) – Graham Hill Nov 06 '12 at 17:04
  • @GrahamHill I have no answer to this and I'm surprised. This printer is managed by some other admins. I'm auditing the security of the network and haven't talked to them yet. – hsnm Nov 06 '12 at 17:08
  • 13
    Also be aware that most printers/copiers/scanners these days store images of what was printed/copied/scanned within printer memory. And since your printer is accessible outside of your network.... I'm sure you can see where this is going. – k1DBLITZ Nov 06 '12 at 17:43
  • @k1DBLITZ It's worse than that. It usually stores it onto a temp filesystem, which may not even be a ramdisk. Often the printing operations are dispatched by a printing daemon to maintain asynchronous operation. You'll sometimes find that certain printing operations are just shell scripts that log their status to a file, which the daemon reads back out for job status reporting. – Polynomial Nov 06 '12 at 20:41
  • 2
    @Moses I thought that this post was about Office Space when I read it :) – tlehman Nov 06 '12 at 23:12
  • Be glad its not a wireless printer. Those are the bane of my existence. – mikebabcock Nov 07 '12 at 00:50
  • @mikebabcock what kind of problems are you facing with wireless printers? – hsnm Nov 08 '12 at 03:32
  • 1
    Many office printers have wifi access which allows remote attack vectors without physical protection options. Secure wireless is always attackable, as is the network stack on the device itself, and the likelihood that security updates will be forthcoming is very low. – mikebabcock Nov 08 '12 at 04:32
  • someone wrote a [webserver in Post Script](https://www.pugo.org/project/pshttpd/)... – ThoriumBR Sep 16 '20 at 19:57

8 Answers

150

You can have some serious fun playing with printers, photocopiers and other such devices - even UPSes. Security is usually an afterthought at best, if not totally absent.

Stuff I've seen:

  • Default credentials used everywhere, and web-based config panels storing passwords in plain-text, often within a generated config file. I've never seen anything better than plain MD5 on passwords, and in one case I saw CRC32.
  • Document names and usernames leaked via SNMP, usually via open read access to the device and over SNMPv1/2 where no transport security is used.
  • Default or hilariously weak SNMP private namespace names (usually "private", "SNMP" or the manufacturer name), allowing you to reconfigure TCP/IP settings, inject entries into the routing table, etc. remotely, and there are often ways to alter settings that can't be set in the control panel. It's pretty trivial to soft-brick the device.
  • UPnP enabled on the device in default setup, allowing for more remote configuration fun. Often you can print test pages, hard-reset the device, reset web-panel credentials, etc. Again it's usually possible to modify TCP/IP settings and other networking properties.
  • Very outdated 2.2.x and 2.4.x kernels, often with lots of nice root privilege escalation holes.
  • Badly written firmware upgrade scripts on the system, allowing you to flash arbitrary firmware to internal microcontrollers. You could use this to brick the device, or install a rootkit if you're willing to spend a lot of time developing it.
  • Custom or old SMB daemons, often vulnerable to RCE. Easy to pwn remotely.
  • Services running as root, user groups set up incorrectly, file permissions improperly set.
  • Printing jobs run asynchronously by executing shell scripts, making it easy to escalate your privileges up to that of the daemon (often root).
  • Poorly written FTP servers built into the device. I'd bet good money that a fuzzer could crash most of those FTP daemons.
  • All of the usual webapp fails, but especially file upload vulnerabilities.

Here's where things get extra fun. Once you've pwned the printer, you can usually get hold of usernames and other juicy information from SMB handshakes. You'll also often find that the password to the printer's web control panel is re-used for other network credentials.

At the end of the day, though, the printer is an internal machine on the network. This means that you can use it to tunnel attacks to other machines on the network. On several occasions I've managed to get gcc and nmap onto a photocopier, which I then used as a base of operations.

What's the solution? First, you need to recognize that printers and photocopiers are usually fully-fledged computers, often running embedded Linux on an ARM processor. Second, you need to lock them down:

  • Update the firmware of the device to the latest version.
  • Firewall the printer off from the internet. This should be obvious, but it's often missed. TCP/IP-based printers / photocopiers usually bind to 0.0.0.0, so they can quite easily sneak onto the WAN.
  • If you can make the printer listen only to traffic from the LAN, do so.
  • Change the default credentials on the web control panel. Again, obvious, but still not done very often.
  • Find any services running on the device and attempt to break into them yourself. Once you're in, change passwords and turn off what's unnecessary.
  • Get yourself an SNMP discovery tool and dig around what's available for your printer. SNMP has a bit of a learning curve, but it's worth taking a look.
  • If you do internal network monitoring, set up a rule to watch for anything unusual coming out of the printer. This cuts false positives right down and gives you a good indication of when something dodgy is happening.

All in all, if it's a device plugged into your network it is probably pwnable, and should be part of your risk management.

Stephen King
Polynomial
    Very comprehensive answer. I'll read this carefully and see what's possible on my side. I like the fact that these are possibly using very old kernels with enough security holes to give remote privilege escalation and easily launch a tunneling attack. – hsnm Nov 06 '12 at 17:09
  • It helps greatly to put devices with embedded processors like this on an intelligent switch so you can designate traffic allowed in and out on a per-port basis. – mikebabcock Nov 07 '12 at 00:49
  • 1
    @mikebabcock the problem is to identify which is legitimate traffic? – hsnm Nov 07 '12 at 14:23
  • 2
    @hsnm Not too difficult for obvious stuff - should your printer be allowed to initiate outgoing TCP connections? Should your printer be allowed to perform DNS queries? Do you really need to allow UPnP and SNMP traffic to reach it? – Polynomial Nov 07 '12 at 14:39
  • 2
    @hsnm as polynomial implies, the best policy is often to allow in bound 515/9100 for printing, and no connections initiated by the printer at all. This prevents a rooted printer from being used to attack other devices, even if it doesn't prevent rooting the printer. – mikebabcock Nov 07 '12 at 23:34
  • 1
    @mikebabcock Keep in mind that some printers don't use 9100, so you might not need anything other than 515. Of course, you may also need to temporarily allow inbound connections to port 80 if you're changing printer settings. – Polynomial Nov 08 '12 at 06:50
  • @Polynomial I wasn't being exhaustive or exclusive, only giving an example, but yes. Technically, the slash indicates 'or' meaning 515 or 9100, not both. In 99% of cases for me, I restrict access to port 515 if available because it provides a better protocol anyway. – mikebabcock Nov 08 '12 at 14:08
  • 1
    +1 for great answer, though I think you forgot another, more physical, aspect (admittedly not within the scope of the OP's question, I guess). Most printers have hard-drives, which can be accessed either via their input interfaces or simply removed and stolen. Why bother listening to the printer's communications when you can simply let it sit for a few weeks and grab the whole disk to get all the cached documents? Simple. – haylem Nov 08 '12 at 16:18
  • @haylem I wouldn't say *most* printers have them. Most that I come across have no non-volatile storage outside of the small EEPROM used for storing settings and firmware, which is usually soldered onto the board. More modern photocopiers do tend to have a small hard disk (at least 5GB usually) or a much larger EEPROM which stores the mounted filesystem. – Polynomial Nov 08 '12 at 16:25
  • @Polynomial: I'd say most *office* printers have them though. Maybe I make an assumption on the size of the offices though. – haylem Nov 08 '12 at 16:27
  • @haylem Most of our "office" printers are just bog-standard off-the-shelf consumer-grade laser or inkjet printers, so they're not exactly hardcore. We do have a photocopier with internal storage, though. – Polynomial Nov 08 '12 at 16:29
  • 8
    I feel like throwing my printer out of the window after reading this. – Herr Nov 08 '12 at 17:33
  • +1 for `*serious* fun`. I once heard a story of a printer that had a bug where the rollers would spin at maximum RPM and ignite paper dust + paper in the machine, causing a fire. If you can modify the firmware, you could conceivably cause this to happen intentionally. – Ella Rose Mar 27 '18 at 16:47
17

The major issue here is that your printer is accessible from outside your network. I've never seen a situation where printers need to be accessible from outside a network, and I mean ever! I suggest you get that fixed, and urgently!

There's more to printers than most people realize, but the risks can be managed by keeping them updated, turning off options that are insecure like http, and changing the admin passwords.

GdD
8

Often printers maintain logs of printed documents, sometimes containing copies of the documents themselves, which can be downloaded remotely. Even if the documents themselves aren't sensitive, metadata can sometimes leak information like the file server name, the computer it was sent from, username...

ewanm89
6

Generally printers are the unseen and unmitigated risk in a lot of networks. We tend to not think of them as computers, but the fact is almost any modern network printer has a fairly elaborate print server in it, often running some form of embedded Linux, and far too often with very little thought given to security. Since they have a full-blown micro-controller in them, it is theoretically possible that just about any attack that could be done with a computer or open network jack on your network could also be done from the printer.

In approaching a printer directly connected to the web, I would first ask why it needs to live there instead of going through some other type of print service to request documents be queued to it. If there is a compelling reason for it to live on the outside of your network, is there a reason it needs to be allowed inside? If it's available to the internet, internal users could connect to it via the internet just as someone outside the network could. This could provide some isolation as well.

AJ Henderson
3

It is an attack point, so yes, it increases the attack surface of your network. That point could be used to get to another internal web page. Maybe your printer has network credentials that you could steal or replay, etc.

A simple attack on a printer is to change its configuration to save documents, printed or scanned/faxed, locally and retrieve them later. The printer in itself is irrelevant; it is the data it gives you access to that matters.

Chances are the HTTP(S) ports will give you a web page with a VNC window implemented as a Java applet (our Lexmark printer does that). Even if the physical printer requires us to present our access badge, a VNC connection will hijack the "session" of someone who is locally at the printer, credentials and all.

What you can do really depends on the printer type and how persistent the attack is.

ixe013
  • Thanks for the answer. What you describe is good for an attacker who wants to misuse the printer itself. I'm in particular interested to see how an attacker can use the printer as a hop to attack other machines. This is very important at this point. – hsnm Nov 06 '12 at 16:44
3

This is a unique physical implication of a printer being compromised:

http://it.slashdot.org/story/11/11/29/1752231/printers-could-be-the-next-attack-vector

I've used Nessus and found that even printers with the most basic features that you'll find on home networks have vulns like default credentials and open ports galore.

rutgersmike
2

Seems odd, and you might have a case for it, but it's rare to have a business need to keep a printer accessible outside the firewall AND the VPN. Now I'm generalizing, but with an "advanced" printer:

  • Bear in mind that a "Secure printer" doesn't increase sales. There is likely very little engineering effort in securing the printer to begin with.
  • Due to the above, the software and kernel are likely to be older, i.e. their security vulnerabilities are already known and published.
  • Don't think of it as a 'printer'; it's essentially a server running Linux, Linux that you can't patch or harden easily.
  • It is essentially a great launching point for more sophisticated attacks since this situation most likely breaks many security assumptions made in architecting the security policy (eg: FTP password ok since no malicious network sniffers). Faking DNS => MITM => tunneling SSL traffic outside.
  • If it happens to be a scanner, many devices cache scanned documents in the temp folder (similarly with in-device printer queues).
DeepSpace101
1

I'd like to mention a different aspect of this - many copier/device manufacturers will ask that they can access the device remotely as part of their support contract. That surely leads to some companies allowing access directly to the device.

A better solution is to allow external support staff to only connect to a bastion host, and connect to the copier/device from there.

scuzzy-delta
  • True, but additional cost and maintenance overhead. – hsnm Nov 06 '12 at 23:04
  • 1
    Agreed, but for most companies it would be prudent and reasonably feasible to introduce that measure. – scuzzy-delta Nov 06 '12 at 23:46
  • Alternatively, whitelist the IP netblock of the manufacturer and firewall the rest off. – Polynomial Nov 07 '12 at 12:29
  • @Polynomial I feel like even if the printer is not accessible outside the network, it's still an attack vector on the network. It could enable more opportunities if you launch a multi-hop attack by going through the printer. For example, an attacker can bring in a laptop and connect to the wireless network (if there is any) and then get to other places through the printer. – hsnm Nov 09 '12 at 02:00
  • @hsnm True, but printers are essential to most businesses. – Polynomial Nov 09 '12 at 06:56
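The firewall policy that the comments on the first answer and on this one converge on (inbound 515/9100 from the LAN only, management reachable from an admin host, the vendor's netblock whitelisted for support if the contract really needs it, and no connections initiated by the printer at all) as an added worked example. This is not code from the thread: it is a small Python model of that policy that evaluates constructed sample flows and renders the same rules as an nftables forward chain. All addresses are placeholders (RFC 1918 LAN, the RFC 5737 documentation range standing in for the vendor's support netblock); the printer VLAN, the admin host and the chain placement are assumptions about your network.

```python
# Printer-segment firewall policy: added example, not from the thread. Addresses
# are placeholders; replace them with your own before using the rendered rules.
import ipaddress

PRINTER = ipaddress.ip_address("10.20.5.10")               # assumed printer address
LAN = ipaddress.ip_network("10.20.0.0/16")                  # assumed office LAN
ADMIN_HOST = ipaddress.ip_network("10.20.1.5/32")           # where settings are changed from
VENDOR_SUPPORT = ipaddress.ip_network("203.0.113.0/24")     # placeholder vendor netblock

# Who may open a TCP connection *to* the printer, and on which ports. Nothing
# else reaches it (no SNMP/161, UPnP/1900 or SLP/427 from outside the list),
# and the printer itself is never allowed to open a connection.
INBOUND_ALLOW = [
    (LAN, {515, 9100}),          # LPD and raw port-9100 print jobs
    (ADMIN_HOST, {443}),         # web control panel, admins only
    (VENDOR_SUPPORT, {443}),     # remote support, only if the contract requires it
]

def flow_allowed(src, dst, dport, proto="tcp"):
    """Verdict for one *new* connection; replies are covered by connection tracking."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == PRINTER:
        return False             # a rooted printer cannot pivot if it cannot connect out
    if dst != PRINTER or proto != "tcp":
        return False
    return any(src in net and dport in ports for net, ports in INBOUND_ALLOW)

def render_nft():
    """The same policy as an nftables forward chain on the router in front of the
    printer VLAN. Other forwarded traffic is left alone (policy accept); the two
    final drop rules log, which is the 'anything unusual coming out of the
    printer' signal the first answer recommends watching for."""
    lines = [
        "table inet printer_segment {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for net, ports in INBOUND_ALLOW:
        plist = ", ".join(str(p) for p in sorted(ports))
        lines.append(f"    ip saddr {net} ip daddr {PRINTER} tcp dport {{ {plist} }} accept")
    lines.append(f'    ip saddr {PRINTER} log prefix "printer-egress: " drop')
    lines.append(f'    ip daddr {PRINTER} log prefix "printer-ingress-denied: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed sample flows: (src, dst, dport, proto) -> expected verdict
SAMPLE_FLOWS = {
    ("10.20.3.44", "10.20.5.10", 9100, "tcp"): True,    # workstation sends a print job
    ("10.20.3.44", "10.20.5.10", 80, "tcp"): False,     # staff poking at the web panel
    ("198.51.100.7", "10.20.5.10", 443, "tcp"): False,  # arbitrary internet host
    ("203.0.113.9", "10.20.5.10", 443, "tcp"): True,    # vendor support
    ("10.20.3.44", "10.20.5.10", 161, "udp"): False,    # SNMP from the LAN
    ("10.20.5.10", "10.20.1.20", 445, "tcp"): False,    # printer -> file server SMB
    ("10.20.5.10", "8.8.8.8", 53, "udp"): False,        # printer doing its own DNS
}

def check_sample_flows():
    """Flows whose verdict differs from the expectation (empty dict = policy as intended)."""
    return {f: flow_allowed(*f) for f, want in SAMPLE_FLOWS.items() if flow_allowed(*f) != want}

if __name__ == "__main__":
    print(render_nft())
    print("mismatches:", check_sample_flows())
```

When you change printer settings from somewhere other than `ADMIN_HOST`, add that host to `INBOUND_ALLOW` for the duration rather than opening 80/443 to the whole LAN, and treat any `printer-egress:` log line as an incident rather than noise: under this policy the printer has no legitimate reason to open a connection.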