Hacking Printers, And compromise a whole network
Draco18s
post Jan 25 2012, 06:41 PM
Post #1

Man.

Truth really is stranger than fiction. I don't think anyone in ShadowRun has ever hacked a corporation by sending in their resume.

http://youtu.be/njVv7J2azY8
 
tete
post Jan 25 2012, 06:59 PM
Post #2

Printers have always been a big security problem. SNMP isn't secure, and drivers and firmware updates on printers are a pain. Today's printers even have hard drives, so you can not only store a sniffer on them but capture the traffic to the device so no one gets suspicious.
 
ShadowJackal
post Jan 25 2012, 07:07 PM
Post #3

Printers are a serious security issue. Well, the ones connected to the internet are. An office I worked in had some serious security issues with their large all-in-one (a professional five-figure machine). It consistently got viruses, would spit out spam and would fax and transmit without command. This was an issue when you have sensitive information like we had. So, it had to be locked via a series of PINs and permissions. AKA, two PINs to get in, to print, only outgoing faxes; all incoming transmissions were blocked, and we had to set it up to be able to review all transmissions via the web and a daily printed report.

You never think about the printers, but yeah, they are just as capable as a computer, and far less secure.
 
Draco18s
post Jan 25 2012, 07:10 PM
Post #4

QUOTE (tehana @ Jan 25 2012, 02:07 PM) *
Printers are a serious security issue. Well, the ones connected to the internet are.


He shows that the printer doesn't even need to be connected to the internet directly in order to be compromised, simply connected to a network connected to internet capable machines.
 
ShadowJackal
post Jan 25 2012, 07:12 PM
Post #5

QUOTE (Draco18s @ Jan 25 2012, 07:10 PM) *
He shows that the printer doesn't even need to be connected to the internet directly in order to be compromised, simply connected to a network connected to internet capable machines.


Thinking about it, I'm not surprised; you wouldn't need that direct connection if you can access the network point. Anyway, I only watched a few minutes of it. Will have to pop back over and watch it when I get some time. What I saw was good!
 
Draco18s
post Jan 25 2012, 07:19 PM
Post #6

QUOTE (tehana @ Jan 25 2012, 02:12 PM) *
Thinking about it, I'm not surprised; you wouldn't need that direct connection if you can access the network point. Anyway, I only watched a few minutes of it. Will have to pop back over and watch it when I get some time. What I saw was good!


He demonstrates the vulnerability by having someone on the network print a PDF (his "resume") which compromises the printer. He didn't need direct access through the firewall in order to get a foothold. The demo is about a half hour in (I'm thinking it was almost exactly the 40 minute mark).
 
ShadowJackal
post Jan 25 2012, 07:27 PM
Post #7

QUOTE (Draco18s @ Jan 25 2012, 07:19 PM) *
He demonstrates the vulnerability by having someone on the network print a PDF (his "resume") which compromises the printer. He didn't need direct access through the firewall in order to get a foothold. The demo is about a half hour in (I'm thinking it was almost exactly the 40 minute mark).


*I don't need to learn a new trick. I don't need to learn a new trick. I don't need to learn a new trick.*
 
Draco18s
post Jan 25 2012, 07:43 PM
Post #8

QUOTE (tehana @ Jan 25 2012, 02:27 PM) *
*I don't need to learn a new trick. I don't need to learn a new trick. I don't need to learn a new trick.*




Hehe. He doesn't show any of the technical details, but you have to figure out how to compile a custom RFU file. Which he did, and it took him about two months.
 
ShadowJackal
post Jan 25 2012, 08:05 PM
Post #9

QUOTE (Draco18s @ Jan 25 2012, 08:43 PM) *
Hehe. He doesn't show any of the technical details, but you have to figure out how to compile a custom RFU file. Which he did, and it took him about two months.


And see, I figure if you can get onto the network and onto the server, I'd imagine it's home free from there.
 
tete
post Jan 25 2012, 09:30 PM
Post #10

QUOTE (tehana @ Jan 25 2012, 08:05 PM) *
And see, I figure if you can get onto the network and onto the server, I'd imagine it's home free from there.


You don't need to touch the server if you can get on the same subnet, which a well designed system won't let you do (through multiple ways, in case you bypass one). That's actually one of the exciting features in Windows Server 08: the ability to route you to your own VLAN through health checks, so you can get nothing, partial or full access. This doesn't mean you shouldn't keep your switch ports locked down or IDS online, etc. It's just a new layer to add.
 
Udoshi
post Jan 25 2012, 10:43 PM
Post #11

QUOTE (tete @ Jan 25 2012, 11:59 AM) *
Printers have always been a big security problem. SNMP isn't secure, and drivers and firmware updates on printers are a pain. Today's printers even have hard drives, so you can not only store a sniffer on them but capture the traffic to the device so no one gets suspicious.


Man, hasn't Windows printer and file sharing been basically the golden ticket to compromising a system since, like, port 80 in Windows OS in the '90s? Twenty years ago?

I'm not even a hardcore geek, and I know that.
 
Draco18s
post Jan 25 2012, 11:54 PM
Post #12

QUOTE (Udoshi @ Jan 25 2012, 05:43 PM) *
Man, hasn't Windows printer and file sharing been basically the golden ticket to compromising a system since, like, port 80 in Windows OS in the '90s? Twenty years ago?

I'm not even a hardcore geek, and I know that.


May have been. I don't know the details regarding what you're talking about, so I don't know.

In any case, this isn't about using the printer sharing to propagate a virus, it's about using a physical printer to propagate a virus. It doesn't matter how a computer prints to that printer, but by doing so it infects itself (or infects the printer).
 
tete
post Jan 26 2012, 12:09 AM
Post #13

QUOTE (Draco18s @ Jan 26 2012, 12:54 AM) *
It doesn't matter how a computer prints to that printer, but by doing so it infects itself (or infects the printer).


That's not exactly correct... You can't infect yourself using UDP packets to a printer because there is no confirmation that the packets reached their destination. However, if you have a sniffer on the printer you now know the IP address (and possibly the MAC address) of the computer, so you can try to attack it directly. We have been dealing with similar attacks for years, ever since the RAM got big enough to hold programs on the printer.

[edit] Heck, most printers you buy today have more RAM on them than a Windows 95 machine had back in the day. You can run a full GUI Linux distro with 80 MB, and a port scanner and sniffer are not anywhere near that much.

[edit 2] I'm not saying his speech is bad though, and he brings up some good points, but it's not new.
 
Draco18s
post Jan 26 2012, 12:23 AM
Post #14

QUOTE (tete @ Jan 25 2012, 07:09 PM) *
That's not exactly correct... You can't infect yourself using UDP packets to a printer because there is no confirmation that the packets reached their destination. However, if you have a sniffer on the printer you now know the IP address (and possibly the MAC address) of the computer, so you can try to attack it directly. We have been dealing with similar attacks for years, ever since the RAM got big enough to hold programs on the printer.

[edit] Heck, most printers you buy today have more RAM on them than a Windows 95 machine had back in the day. You can run a full GUI Linux distro with 80 MB, and a port scanner and sniffer are not anywhere near that much.


You can, however, send PostScript to the printer that executes an LDP command (the same command used to update the firmware), which reads in an RFU (Remote Firmware Update) file (also contained in the PostScript) and creates a zombie printer.

That printer then has a HUGE range of control over the network (primarily because firewalls and other security protocols and scanning software ignore printers).

The guy even demonstrates gaining administrator access to a remote machine on the same network as the printer simply by having control of the printer.

A printer infected in this way could be programmed to distribute to the computers on the network the necessary components required to infect additional printers (and thus be self-replicating).
 
tete
post Jan 26 2012, 12:42 AM
Post #15

QUOTE (Draco18s @ Jan 26 2012, 01:23 AM) *
primarily because firewalls and other security protocols and scanning software ignore printers


He is taking a giant leap there. Most IDS scan traffic on all IP addresses; that's just good security practice.

QUOTE (Draco18s @ Jan 26 2012, 01:23 AM) *
The guy even demonstrates gaining administrator access to a remote machine on the same network as the printer simply by having control of the printer.


A smaller leap, but a believable leap, as many people like bi-directional printer functions. Still, your local anti-malware solution should stop an attack (even from the printer; in the demo he just uses a known XP exploit that updates would have stopped) IF the local firewall accepts the TCP connection to begin with. Also, the sending-the-resume bit is unlikely, as your spam filter should flag that email attachment as a threat. I have no problems with the idea though, as it's been possible for years, and using a printer botnet is very believable, especially if you can gain physical access to the building to upload your malware to the first printer. It's even more believable that this botnet could be used to send a lot of spam, as it's pretty easy to get a mail server to pass your email on.

[edit]
So here's the deal: IF you can get a malware attachment to be printed out and the workstation has not been updated, the demo attack COULD work.
 
Draco18s
post Jan 26 2012, 01:05 AM
Post #16

QUOTE (tete @ Jan 25 2012, 07:42 PM) *
He is taking a giant leap there. Most IDS scan traffic on all IP addresses; that's just good security practice.


There are 75,000 printers that are publicly printable-to worldwide.

Something like 46 of them are governmental (of which 16 belong to the US).

I forget how many were named "Payroll"

9 belonged to universities.

Given that security hole, which is painfully obvious...

But yes.

QUOTE
A smaller leap, but a believable leap, as many people like bi-directional printer functions. Still, your local anti-malware solution should stop an attack (even from the printer) IF the local firewall accepts the TCP connection to begin with.


I don't know what kind of security the target machine had.

QUOTE
Also, the sending-the-resume bit is unlikely, as your spam filter should flag that email attachment as a threat.


Not really. The file that's attached is just a PDF. It's got PostScript in it, but what PDF doesn't? And even if it was possible to scan the PostScript file to see if it contained an RFU, he says that it's possible to inject code into the printer that will generate its own RFU, thus making it impossible to scan for (without having a PostScript emulator in the virus/network scanner).

Even then, it can only identify that an RFU is there, but not what it does (and may prevent legitimate firmware updates), as the RFU format is closed source and under NDA.

QUOTE
I have no problems with the idea though, as it's been possible for years, and using a printer botnet is very believable, especially if you can gain physical access to the building to upload your malware to the first printer. It's even more believable that this botnet could be used to send a lot of spam, as it's pretty easy to get a mail server to pass your email on.


The real issue is that this type of attack isn't limited to printers. It could (potentially) work on any network-enabled peripheral device, such as your network storage drive. And it'd be nigh impossible to clean the firmware chip, as he shows that with the HP printers the BIOS ROM chip is in fact a flash memory chip with write capability, and the only way to get the virus off is in fact to buy a new printer.
 
hobgoblin
post Jan 26 2012, 11:02 AM
Post #17

And to build on this:
https://www.youtube.com/watch?v=3kEfedtQVOY
 
tete
post Jan 26 2012, 06:07 PM
Post #18

QUOTE (Draco18s @ Jan 26 2012, 02:05 AM) *
The real issue is that this type of attack isn't limited to printers. It could (potentially) work on any network-enabled peripheral device, such as your network storage drive. And it'd be nigh impossible to clean the firmware chip, as he shows that with the HP printers the BIOS ROM chip is in fact a flash memory chip with write capability, and the only way to get the virus off is in fact to buy a new printer.


BIOS EPROM; it's not a ROM chip, it's an EPROM, which has been common for a long time. I think you and I are approaching it from different angles. I see 75,000 printers and I go, meh, that's a small number. I deal with over 300,000 servers on a daily basis (worldwide). We have sites with over 1,000 printers. I watch this video and I think "it might be able to infect a single subnet, maybe", but that's the end of the damage, and I agree printers are a huge security problem. They have been since I've been working professionally in IT, since 2003. It was one of the first things we were taught as noob systems administrators at IBM. So I'm not shocked by a firmware attack on them at all, because they have been around for a while. And yes, we flag PDFs because Adobe is notorious for viruses; now that Microsoft has patched a good chunk of Office flaws, Acrobat is probably now the #1 hit on the anti-spam box for malicious code.
 
Draco18s
post Jan 26 2012, 07:26 PM
Post #19

QUOTE (tete @ Jan 26 2012, 01:07 PM) *
I see 75,000 printers and I go, meh, that's a small number.


75,000 that are directly vulnerable. 500,000,000 that are indirectly vulnerable.
 
tete
post Jan 26 2012, 09:45 PM
Post #20

QUOTE (Draco18s @ Jan 26 2012, 07:26 PM) *
500,000,000 that are indirectly vulnerable.


Hogwash. Just because your safe deposit box was unlocked in the bank vault that night doesn't mean someone doesn't have to get into the bank and through the vault. That's why we have IDS; sometimes there are legitimate reasons why you have to leave a security hole. You could also possibly get sick from venturing outside of your home... There are OSX and Linux viruses too, but few people get them (especially the Linux ones, seeing how you would have to browse the internet as root); that number is nothing more than a scare tactic.

[edit] Computer security is like an onion; you don't have just one layer. Even RADIUS servers are between two firewalls, and firewalling your network from itself has been common practice since the 90s.
 
Draco18s
post Jan 26 2012, 09:58 PM
Post #21

QUOTE (tete @ Jan 26 2012, 04:45 PM) *
Hogwash. Just because your safe deposit box was unlocked in the bank vault that night doesn't mean someone doesn't have to get into the bank and through the vault.


Did...did you not watch the video?
The guy shows how he doesn't need to hack the firewall in order to get access to the printer.
 
Tymeaus Jalynsfe...
post Jan 26 2012, 10:45 PM
Post #22

QUOTE (Draco18s @ Jan 26 2012, 02:58 PM) *
Did...did you not watch the video?
The guy shows how he doesn't need to hack the firewall in order to get access to the printer.


You still have to get through the Access Point (Gateway) firewall to access the network in the first place. Most printers on networks are not totally unprotected, even according to the numbers you provided (75,000 vs 500,000,000 IIRC... what is that, a 100th of 1%?).
 
Draco18s
post Jan 27 2012, 04:13 AM
Post #23

QUOTE (Tymeaus Jalynsfein @ Jan 26 2012, 05:45 PM) *
You still have to get through the Access Point (Gateway) firewall to access the network in the first place.


No.

No you do not.

It works like this:

1) You are SuperSecure Co. You have a wall around your office with armed guards, not to mention an equally well defended internal network (i.e. firewall).
2) You are also hiring.
3) I send you my resume in PDF format (also potentially Word doc, maybe a few others; the only requirement is that it has the ability to use PostScript).
4) You print the resume.
5) I now have a TCP connection through your firewall that is undetected.

At no point did I ever touch the firewall or your network. The exploit is hidden inside an innocuous document.

Also, need I point out that determining if that document contains malicious code (without executing the potentially-malicious code) is an unsolvable problem?

PostScript is a Turing-complete language, and any attempt to determine what it does using a computer program simplifies down into a Halting Problem.
 
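Added example, not written by anyone in this thread: a small flow-log check from the defender's side, following tete's point that an IDS sees traffic from every address. It assumes that a printer should only ever receive print jobs, so a printer opening its own connection to a workstation or out through the firewall (the TCP connection in step 5 above) is what to alert on; the subnet, allowlisted hosts and flow records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: printers live in 10.0.50.0/24, all internal
# addresses are in 10.0.0.0/8, and the only hosts a printer may contact on
# its own initiative are the print server and an internal update mirror.
PRINTER_SUBNET = ipaddress.ip_network("10.0.50.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("10.0.10.5"),   # print server (LPD/IPP queue)
    ipaddress.ip_address("10.0.10.20"),  # internal firmware/NTP mirror
}
# Ports a printer has no reason to connect *to* on another machine.
SENSITIVE_PORTS = {22, 135, 139, 445, 3389}


@dataclass(frozen=True)
class Alert:
    reason: str
    src: str
    dst: str
    dst_port: int


def classify(src, dst, dport, proto):
    """Return an Alert for a suspicious printer-initiated flow, else None."""
    if src not in PRINTER_SUBNET:
        return None                  # only printer-originated flows matter here
    if dst in ALLOWED_DESTINATIONS:
        return None
    if dst not in INTERNAL:
        # The printer reaching out through the firewall on its own: the
        # reverse-connection pattern the demo in the video relies on.
        return Alert("printer egress to external host", str(src), str(dst), dport)
    if proto == "TCP" and dport in SENSITIVE_PORTS:
        return Alert("printer connecting to admin/file-sharing port", str(src), str(dst), dport)
    if dst in PRINTER_SUBNET:
        return Alert("printer-to-printer connection", str(src), str(dst), dport)
    return Alert("unexpected printer-initiated flow", str(src), str(dst), dport)


def check_line(line):
    """Parse one constructed 'ts src sport dst dport proto' flow record."""
    _ts, src, _sport, dst, dport, proto = line.split()
    return classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def scan(flow_lines):
    """Run every non-empty flow record through check_line and collect alerts."""
    return [a for a in (check_line(rec) for rec in flow_lines if rec.strip()) if a]


# Constructed flow records: a workstation prints, the printer talks to the
# queue, then the printer starts connections of its own.
SAMPLE_FLOWS = """\
2012-01-25T18:41:00 10.0.20.7 51234 10.0.50.12 9100 TCP
2012-01-25T18:41:05 10.0.50.12 41000 10.0.10.5 515 TCP
2012-01-25T18:42:10 10.0.50.12 41001 10.0.20.7 445 TCP
2012-01-25T18:43:00 10.0.50.12 41002 203.0.113.9 443 TCP
2012-01-25T18:44:00 10.0.50.12 41003 10.0.50.13 9100 TCP
2012-01-25T18:45:00 10.0.50.12 123 10.0.10.20 123 UDP
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a.reason}: {a.src} -> {a.dst}:{a.dst_port}")
```

The same allowlist logic can be expressed as an egress ACL on the printer VLAN, so that the flow is blocked rather than only logged.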
Tymeaus Jalynsfe...
post Jan 27 2012, 04:36 AM
Post #24

QUOTE (Draco18s @ Jan 26 2012, 09:13 PM) *
No.

No you do not.

It works like this:

1) You are SuperSecure Co. You have a wall around your office with armed guards, not to mention an equally well defended internal network (i.e. firewall).
2) You are also hiring.
3) I send you my resume in PDF format (also potentially Word doc, maybe a few others; the only requirement is that it has the ability to use PostScript).
4) You print the resume.
5) I now have a TCP connection through your firewall that is undetected.

At no point did I ever touch the firewall or your network. The exploit is hidden inside an innocuous document.

Also, need I point out that determining if that document contains malicious code (without executing the potentially-malicious code) is an unsolvable problem?

PostScript is a Turing-complete language, and any attempt to determine what it does using a computer program simplifies down into a Halting Problem.


I guess that sounds plausible. I don't deal with that sort of thing.
In theory at least. I guess in practice it is becoming a problem, the video provided notwithstanding?
But how common is it really?
And how easy is it to plug that hole when found? If it takes two months to decode (wasn't that what someone said about how long it took this guy to break some sort of encryption, or something?) and 10 minutes to set someone back 2 months, I do not really see this as being all that viable. Any stats to determine commonality?
 
Udoshi
post Jan 27 2012, 04:46 AM
Post #25

It's more that now the exploit is in the wild, people are going to be working on making printer rootkits.

Even if it wasn't common before, it's going to BE increasingly more common as people figure it out.