Full Version: Hacking Printers
Dumpshock Forums > Discussion > Shadowrun
Draco18s
Man.

Truth really is stranger than fiction. I don't think anyone in ShadowRun has ever hacked a corporation by sending in their resume.

http://youtu.be/njVv7J2azY8
tete
Printers have always been a big security problem. SNMP isn't secure, and drivers and firmware updates on printers are a pain. Today's printers even have hard drives, so you can not only store a sniffer on them but capture the traffic to the device so no one gets suspicious.
ShadowJackal
Printers are a serious security issue. Well, the ones connected to the internet are. An office I worked in had some serious security issues with their large all-in-one (a professional five-figure machine). It consistently got viruses, would spit out spam and would fax and transmit without command. This was an issue when you have sensitive information like we had. So, it had to be locked via a series of PINs and permissions. AKA, two PINs to get in, to print, only outgoing faxes, all incoming transmissions were blocked and we had to set it up to be able to review all transmissions via the web and a daily printed report.

You never think about the printers, but yeah, they are just as capable as a computer, and far less secure.
Draco18s
QUOTE (tehana @ Jan 25 2012, 02:07 PM) *
Printers are a serious security issue. Well, the ones connected to the internet are.


He shows that the printer doesn't even need to be connected to the internet directly in order to be compromised, simply connected to a network connected to internet capable machines.
ShadowJackal
QUOTE (Draco18s @ Jan 25 2012, 07:10 PM) *
He shows that the printer doesn't even need to be connected to the internet directly in order to be compromised, simply connected to a network connected to internet capable machines.


Thinking about it I'm not surprised, you wouldn't need that direct connection if you can access the network point. Anyways. I only watched a few minutes of it. Will have to pop back over and watch it when I get some time. What I saw was good!
Draco18s
QUOTE (tehana @ Jan 25 2012, 02:12 PM) *
Thinking about it I'm not surprised, you wouldn't need that direct connection if you can access the network point. Anyways. I only watched a few minutes of it. Will have to pop back over and watch it when I get some time. What I saw was good!


He demonstrates the vulnerability by having someone on the network print a PDF (his "resume") which compromises the printer. He didn't need direct access through the firewall in order to get a foothold. The demo is about a half hour in (I'm thinking it was almost exactly the 40 minute mark).
ShadowJackal
QUOTE (Draco18s @ Jan 25 2012, 07:19 PM) *
He demonstrates the vulnerability by having someone on the network print a PDF (his "resume") which compromises the printer. He didn't need direct access through the firewall in order to get a foothold. The demo is about a half hour in (I'm thinking it was almost exactly the 40 minute mark).


*I don't need to learn a new trick. I don't need to learn a new trick. I don't need to learn a new trick.*


Draco18s
QUOTE (tehana @ Jan 25 2012, 02:27 PM) *
*I don't need to learn a new trick. I don't need to learn a new trick. I don't need to learn a new trick.*




Hehe. He doesn't show any of the technical details, but you have to figure out how to compile a custom RFU file. Which he did, and it took him about two months.
ShadowJackal
QUOTE (Draco18s @ Jan 25 2012, 08:43 PM) *
Hehe. He doesn't show any of the technical details, but you have to figure out how to compile a custom RFU file. Which he did, and it took him about two months.


And see, I figure if you can get onto the network and onto the server, I'd imagine it's home free from there.
tete
QUOTE (tehana @ Jan 25 2012, 08:05 PM) *
And see, I figure if you can get onto the network and onto the server, I'd imagine it's home free from there.


You don't need to touch the server if you can get on the same subnet. Which a well-designed system won't let you do (through multiple ways in case you bypass one). That's actually one of the exciting features in Windows Server 08: the ability to route you to your own VLAN through health checks so you can get no, partial or full access. This doesn't mean you shouldn't keep your switch ports locked down or IDS online, etc. It's just a new layer to add.
Udoshi
QUOTE (tete @ Jan 25 2012, 11:59 AM) *
Printers have always been a big security problem. SNMP isn't secure, and drivers and firmware updates on printers are a pain. Today's printers even have hard drives, so you can not only store a sniffer on them but capture the traffic to the device so no one gets suspicious.


Man, hasn't Windows printer and file sharing been basically the golden ticket to compromising a system since, like, port 80 in Windows OS in the 90s? Twenty years ago?

I'm not even a hardcore geek, and I know that.
Draco18s
QUOTE (Udoshi @ Jan 25 2012, 05:43 PM) *
Man, hasn't Windows printer and file sharing been basically the golden ticket to compromising a system since, like, port 80 in Windows OS in the 90s? Twenty years ago?

I'm not even a hardcore geek, and I know that.


May have been. I don't know the details regarding what you're talking about, so I don't know.

In any case, this isn't about using the printer sharing to propagate a virus, it's about using a physical printer to propagate a virus. It doesn't matter how a computer prints to that printer, but by doing so it infects itself (or infects the printer).
tete
QUOTE (Draco18s @ Jan 26 2012, 12:54 AM) *
It doesn't matter how a computer prints to that printer, but by doing so it infects itself (or infects the printer).


That's not exactly correct... You can't infect yourself using UDP packets to a printer because there is no confirmation that the packets reached their destination. However, if you have a sniffer on the printer you now know the IP address (and possibly the MAC address) of the computer, so you can try to attack it directly. We have been dealing with similar attacks for years, ever since the RAM got big enough to hold programs on the printer.

[edit] Heck, most printers you buy today have more RAM on them than a Windows 95 machine had back in the day. You can run a full GUI Linux distro with 80 meg, and a port scanner and sniffer are not anywhere near that much.

[edit 2] I'm not saying his speech is bad though, and he brings up some good points, but it's not new.
Draco18s
QUOTE (tete @ Jan 25 2012, 07:09 PM) *
That's not exactly correct... You can't infect yourself using UDP packets to a printer because there is no confirmation that the packets reached their destination. However, if you have a sniffer on the printer you now know the IP address (and possibly the MAC address) of the computer, so you can try to attack it directly. We have been dealing with similar attacks for years, ever since the RAM got big enough to hold programs on the printer.

[edit] Heck, most printers you buy today have more RAM on them than a Windows 95 machine had back in the day. You can run a full GUI Linux distro with 80 meg, and a port scanner and sniffer are not anywhere near that much.


You can, however, send a PostScript file to the printer that executes an LDP command (the same command used to update the firmware) which reads in an RFU (Remote Firmware Update) file (also contained in the PostScript) and creates a zombie printer.

That printer then has a HUGE range of control over the network (primarily because firewalls and other security protocols and scanning software ignore printers).

The guy even demonstrates gaining administrator access to a remote machine on the same network as the printer simply by having control of the printer.

A printer infected in this way could be programmed to distribute to the computers on the network the necessary components required to infect additional printers (and thus be self-replicating).
tete
QUOTE (Draco18s @ Jan 26 2012, 01:23 AM) *
primarily because firewalls and other security protocols and scanning software ignore printers


He is taking a giant leap there. Most IDS scan traffic on all IP addresses; that's just good security practice.

QUOTE (Draco18s @ Jan 26 2012, 01:23 AM) *
The guy even demonstrates gaining administrator access to a remote machine on the same network as the printer simply by having control of the printer.


A smaller leap, but a believable leap, as many people like bi-directional printer functions; still, your local anti-malware solution should stop an attack (even from the printer; in the demo he just uses a known XP exploit that updates would have stopped) IF the local firewall accepts the TCP connection to begin with. Also, the sending-the-resume bit is unlikely, as your spam filter should flag that email attachment as a threat. I have no problems with the idea though, as it's been possible for years, and using a printer botnet is very believable, especially if you can gain physical access to the building to upload your malware to the first printer. It's even more believable that this botnet could be used to send a lot of spam, as it's pretty easy to get a mail server to pass your email on.

[edit]
So here's the deal: IF you can get a malware attachment to be printed out and the workstation has not been updated, the demo attack COULD work.
Draco18s
QUOTE (tete @ Jan 25 2012, 07:42 PM) *
He is taking a giant leap there. Most IDS scan traffic on all IP addresses; that's just good security practice.


There are 75,000 printers that are publicly printable-to worldwide.

Something like 46 of them are governmental (of which 16 belong to the US).

I forget how many were named "Payroll"

9 belonged to universities.

Given that security hole, which is painfully obvious...

But yes.

QUOTE
A smaller leap, but a believable leap, as many people like bi-directional printer functions; still, your local anti-malware solution should stop an attack (even from the printer) IF the local firewall accepts the TCP connection to begin with.


I don't know what kind of security the target machine had.

QUOTE
Also the sending the resume bit is unlikely as your spam filter should flag that email attachment as a threat.


Not really. The file that's attached is just a PDF. It's got PostScript in it, but what PDF doesn't? And even if it was possible to scan the PostScript file to see if it contained an RFU, he says that it's possible to inject code into the printer that will generate its own RFU, thus making it impossible to scan for (without having a PostScript emulator in the virus/network scanner).

Even then, it can only identify that an RFU is there, but not what it does (and may prevent legitimate firmware updates), as the RFU format is closed source and under NDA.

QUOTE
I have no problems with the idea though, as it's been possible for years, and using a printer botnet is very believable, especially if you can gain physical access to the building to upload your malware to the first printer. It's even more believable that this botnet could be used to send a lot of spam, as it's pretty easy to get a mail server to pass your email on.


The real issue is that this type of attack isn't limited to printers. It could (potentially) work on any network-enabled peripheral device, such as your network storage drive. And it'd be nigh impossible to clean the firmware chip, as he shows that with the HP printers, the BIOS ROM chip is in fact a flash memory chip with write capability, and the only way to get the virus off is in fact to buy a new printer.
hobgoblin
And to build on this:
https://www.youtube.com/watch?v=3kEfedtQVOY
tete
QUOTE (Draco18s @ Jan 26 2012, 02:05 AM) *
The real issue is that this type of attack isn't limited to printers. It could (potentially) work on any network-enabled peripheral device, such as your network storage drive. And it'd be nigh impossible to clean the firmware chip, as he shows that with the HP printers, the BIOS ROM chip is in fact a flash memory chip with write capability, and the only way to get the virus off is in fact to buy a new printer.


BIOS EPROM; it's not a ROM chip, it's an EPROM, which has been common for a long time. I think you and I are approaching it from different angles. I see 75,000 printers and I go "meh, that's a small number." I deal with over 300,000 servers on a daily basis (worldwide). We have sites with over 1,000 printers. I watch this video and I think "it might be able to infect a single subnet, maybe," but that's the end of the damage, and I agree printers are a huge security problem. They have been since I've been working professionally in IT, since 2003. It was one of the first things we were taught as noob systems administrators at IBM. So I'm not shocked by a firmware attack on them at all, because they have been around for a while. And yes, we flag PDFs because Adobe is notorious for viruses; now that Microsoft has patched a good chunk of Office flaws, Acrobat is probably now the #1 hit on the anti-spam box for malicious code.
Draco18s
QUOTE (tete @ Jan 26 2012, 01:07 PM) *
I see 75,000 printers and I go meh thats a small number.


75000 that are directly vulnerable. 500,000,000 that are indirectly vulnerable.
tete
QUOTE (Draco18s @ Jan 26 2012, 07:26 PM) *
500,000,000 that are indirectly vulnerable.


Hogwash. Just because your safe deposit box was unlocked in the bank vault that night doesn't mean someone doesn't have to get into the bank and through the vault. That's why we have IDS; sometimes there are legitimate reasons why you have to leave a security hole. You could also possibly get sick from venturing outside of your home... There are OSX and Linux viruses too, but few people get them (especially the Linux ones, seeing how you would have to browse the internet as root). That number is nothing more than a scare tactic.

[edit] Computer security is like an onion; you don't have just one layer. Even RADIUS servers are between two firewalls, and firewalling your network from itself has been common practice since the 90s.
Draco18s
QUOTE (tete @ Jan 26 2012, 04:45 PM) *
Hogwash. Just because your safe deposit box was unlocked in the bank vault that night doesn't mean someone doesn't have to get into the bank and through the vault.


Did...did you not watch the video?
The guy shows how he doesn't need to hack the firewall in order to get access to the printer.
Tymeaus Jalynsfein
QUOTE (Draco18s @ Jan 26 2012, 02:58 PM) *
Did...did you not watch the video?
The guy shows how he doesn't need to hack the firewall in order to get access to the printer.


You still have to get through the Access Point (Gateway) firewall to access the network in the first place. Most printers on networks are not totally unprotected, even according to the numbers you provided (75,000 vs 500,000,000 IIRC... what is that, a 100th of 1%?).
Draco18s
QUOTE (Tymeaus Jalynsfein @ Jan 26 2012, 05:45 PM) *
You still have to get through the Access Point (Gateway) firewall to access the network in the first place.


No.

No you do not.

It works like this:

1) You are SuperSecure Co. You have a wall around your office with armed guards, not to mention an equally well defended internal network (i.e. firewall).
2) You are also hiring.
3) I send you my resume in PDF format (also potentially Word doc, maybe a few others; the only requirement is that it has the ability to use PostScript).
4) You print the resume.
5) I now have a TCP connection through your firewall that is undetected.

At no point did I ever touch the firewall or your network. The exploit is hidden inside an innocuous document.

Also, need I point out that determining if that document contains malicious code (without executing the potentially malicious code) is an unsolvable problem?

PostScript is a Turing-complete language, and any attempt to determine what it does using a computer program reduces to the Halting Problem.
Tymeaus Jalynsfein
QUOTE (Draco18s @ Jan 26 2012, 09:13 PM) *
No.

No you do not.

It works like this:

1) You are SuperSecure Co. You have a wall around your office with armed guards, not to mention an equally well defended internal network (i.e. firewall).
2) You are also hiring.
3) I send you my resume in PDF format (also potentially Word doc, maybe a few others; the only requirement is that it has the ability to use PostScript).
4) You print the resume.
5) I now have a TCP connection through your firewall that is undetected.

At no point did I ever touch the firewall or your network. The exploit is hidden inside an innocuous document.

Also, need I point out that determining if that document contains malicious code (without executing the potentially malicious code) is an unsolvable problem?

PostScript is a Turing-complete language, and any attempt to determine what it does using a computer program reduces to the Halting Problem.


I guess that sounds plausible. I don't deal with that sort of thing.
In theory at least. I guess in practice it is becoming a problem, the video provided notwithstanding?
But how common is it really?
And how easy is it to plug that hole when found? If it takes two months to decode (wasn't that what someone said about how long it took this guy to break some sort of encryption, or something?) and 10 minutes to set someone back 2 months, I do not really see this as being all that viable. Any stats to determine commonality?
Udoshi
It's more that now the exploit is in the wild, people are going to be working on making printer rootkits.

Even if it wasn't common before, it's going to BE increasingly more common as people figure it out.
Draco18s
QUOTE (Tymeaus Jalynsfein @ Jan 26 2012, 11:36 PM) *
I guess that sounds plausible. I don't deal with that sort of thing.
In theory at least. I guess in practice it is becoming a problem, the video provided notwithstanding?
But how common is it really?
And how easy is it to plug that hole when found? If it takes two months to decode (wasn't that what someone said about how long it took this guy to break some sort of encryption, or something?) and 10 minutes to set someone back 2 months, I do not really see this as being all that viable. Any stats to determine commonality?


You'd know all of this if you'd just watch the video.

He found the bug and was able to demonstrate that it works, oh, last November or thereabouts.

The video was filmed Dec 26th (including a live demonstration).

HP put out a patch for fifty six of its printers Dec 23rd.

That's how recent the exploit is. He's not releasing technical details so that people have time to update their firmware before malicious hackers can either a) duplicate his research or b) get their hands on the technical details of his research (and thereby not need to do the research). It is unknown how many printers may have already been infected (without anyone knowing) due to this exploit.

Patching the exploit still leaves open the Buffer Overflow attack in the RFU's compression algorithm's version number.*

It's not so much that it takes 2 months to decode and 10 minutes to set someone back 2 months, it's that the exploit is so bad that it's actually IMPOSSIBLE to undo the hacker's work (as their malicious code can overwrite, and make permanently unwritable, the "factory settings" chip). Even if they don't do that, and that the machine can be cleaned, it's not like you actually set the hacker back 2 months worth of work: the decoding they had to do is still valid (also, the RFU format isn't encrypted it's merely compressed, and the language format is unknown**).

What the firmware update did is to disable the printer's ability to be remotely updated (such that it's disabled by default). As well as some other things, probably, to make this exploit less likely and harder.

*That is, the decompressor version being used has a known vulnerability.

**At least, it was unknown at the start of the project.
Tymeaus Jalynsfein
QUOTE (Draco18s @ Jan 26 2012, 09:59 PM) *
You'd know all of this if you'd just watch the video.

He found the bug and was able to demonstrate that it works, oh, last November or thereabouts.

The video was filmed Dec 26th (including a live demonstration).

HP put out a patch for fifty six of its printers Dec 23rd.

That's how recent the exploit is. He's not releasing technical details so that people have time to update their firmware before malicious hackers can either a) duplicate his research or b) get their hands on the technical details of his research (and thereby not need to do the research). It is unknown how many printers may have already been infected (without anyone knowing) due to this exploit.

Patching the exploit still leaves open the Buffer Overflow attack in the RFU's compression algorithm's version number.*

It's not so much that it takes 2 months to decode and 10 minutes to set someone back 2 months, it's that the exploit is so bad that it's actually IMPOSSIBLE to undo the hacker's work (as their malicious code can overwrite, and make permanently unwritable, the "factory settings" chip). Even if they don't do that, and that the machine can be cleaned, it's not like you actually set the hacker back 2 months worth of work: the decoding they had to do is still valid (also, the RFU format isn't encrypted it's merely compressed, and the language format is unknown**).

What the firmware update did is to disable the printer's ability to be remotely updated (such that it's disabled by default). As well as some other things, probably, to make this exploit less likely and harder.

*That is, the decompressor version being used has a known vulnerability.

**At least, it was unknown at the start of the project.



Gotcha...
Makes Sense.
Have not been able to watch the video for some reason, but that is okay. Can't get it at work, and my home system is giving problems lately. No worries. Thanks for the Info.
Draco18s
QUOTE (Tymeaus Jalynsfein @ Jan 27 2012, 10:07 AM) *
Gotcha...
Makes Sense.
Have not been able to watch the video for some reason, but that is okay. Can't get it at work, and my home system is giving problems lately.


Weird.
Tymeaus Jalynsfein
QUOTE (Draco18s @ Jan 27 2012, 08:12 AM) *
Weird.


Yeah... What can you do? Oh well...
nezumi
I wrote down a transcript of the video. I can email the PDF for you to print out, if you'd like.
tete
Really?

QUOTE (Draco18s @ Jan 27 2012, 05:13 AM) *
3) I send you my resume in PDF format (also potentially Word doc, maybe a few others, the only requirement is that it has the ability to use Post Script).


*This message has been deleted by the security gateway for potentially malicious code; please contact the help desk if you needed to see this document*

QUOTE (Draco18s @ Jan 27 2012, 05:13 AM) *
5) I now have a TCP connection through your firewall that is undetected.


*Blocked by router*
*IDS detects unauthorised IP traffic, moving device to unhealthy network*

[edit] why do you think a printer would be allowed to send data outside of its own subnet?


It works in the demo because he's not using best practices; it's him, a router/firewall, a printer, and two laptops. There's no network segmentation, IDS, spam filter or any other common security features.

... and again, this happens ALL THE BLANK BLANK TIME with printers. They are the bane of security admins; that's one of the reasons we have so many other monitoring devices and break networks up into chunks. You're not going to let a printer forward information beyond its subnet! And if you see a printer trying, you shut that segment off till you have gone through it with a fine comb. The hack itself is nothing new; it just allows a printer to try to infect local subnet machines, but those machines should be protected by updates and their own anti-malware software, because the desktops (unlike printers) probably have some access outside of their subnet, because regardless of security people have to be able to do their jobs. The printer is not going to get out to the internet unless it hacks a workstation first.

And yes, I watched the whole thing a second time, and got emails from HP back when it happened, and the SecurityFocus alerts, and Secunia warnings, and talked with my co-workers as to what to do if we lost a subnet... Printers have always been this bad; it's just that now they have hardware better than computers that ran Windows 95, so you now as a hacker have room to cause some damage.

[edit] Here's a quick list of known problems with HP LaserJets from SecurityFocus. For some of them (including the earliest one) there is no patch yet.

HP Printers and HP Digital Sender Firmware Update Remote Code Execution Vulnerability
2012-01-09
http://www.securityfocus.com/bid/51324

HP Printers and Digital Senders Remote Firmware Update Security Bypass Vulnerability
2011-11-30
http://www.securityfocus.com/bid/50876

HP Multiple LaserJet Printers PJL Directory Traversal Vulnerability
2011-08-08
http://www.securityfocus.com/bid/44882

HP Multiple LaserJet Printers Unspecified Directory Traversal Vulnerability
2010-04-13
http://www.securityfocus.com/bid/33611

HP Printer FTP Print Server List Command Buffer Overflow Vulnerability
2006-12-19
http://www.securityfocus.com/bid/21666
Tymeaus Jalynsfein
QUOTE (nezumi @ Jan 27 2012, 02:09 PM) *
I wrote down a transcript of the video. I can email the PDF for you to print out, if you'd like.


No worries, Nezumi. But Thanks...
Draco18s
QUOTE
HP Printers and HP Digital Sender Firmware Update Remote Code Execution Vulnerability
2012-01-09
http://www.securityfocus.com/bid/51324


And which vulnerability might that be?

Oh, the one I just posted about.

Oops.
tete
QUOTE (Draco18s @ Jan 27 2012, 11:09 PM) *
And which vulnerability might that be?

Oh, the one I just posted about.

Oops.


I think you're not getting what I've been saying since my first post. Yes it exists, yes it "could" happen, but in an enterprise environment it's not going to happen, because these types of attacks HAVE BEEN HAPPENING SINCE THE 90s!!!!!!! Just because some printers have a firmware problem doesn't mean that an enterprise business will have a security problem, because printers are already treated as hostile rogue devices. You know how many printers could be used in an enterprise attack? ALL OF THEM; firmware isn't written for security, and SNMP (you want to talk about a pile of insecure stuff, there it is) was standard remote administration for years! That's why we have IDS, IPSec tunnels, firewalls against our own workstations; we expect them to be hacked. This isn't news, it's just confirming things that have been talked about for years. The only news is that HP patched it (well, part of it), whereas back in the 90s they would have ignored it despite the finding.

[edit] The new problem we have in security right now is smart phones. VPN was/is bad enough, but now we have devices connecting outside our network wanting access to our network whose software is controlled by the cell phone company, who doesn't give a toss about your security and whose wireless network may as well be using WEP for encryption. Blackhat has been showing off some very interesting botnets that right now businesses can't scan for because the cell phone company controls the OS (exception: iPhone). So you would have to root your phones to protect your phones, and even then who knows... Oh, and don't worry, it's going to get a lot worse before it gets better on firmware (thus why Secure BIOS or Secure Startup or whatever they changed the name to now is out there).

[edit2]
QUOTE (Draco18s @ Jan 26 2012, 09:58 PM) *
Did...did you not watch the video?
The guy shows how he doesn't need to hack the firewall in order to get access to the printer.


I feel this may be where we hit our impasse, because up till this point I was agreeing with you but calling it a minor problem.
Networking 101 (forgive me if you know this)
Subnet - A way of dividing networks so a computer whose IP is 192.168.1.1 with a subnet mask of 255.255.255.0 CANNOT talk to a computer whose address is 192.168.2.1 without first going through a router. This is used to increase speed on networks, as when your computer shouts out for some information only the computers on your subnet receive the message.
Router (layer 3) - Unless it is manually configured to send TCP or UDP traffic (the two primary types of packets used in networking) from device 1 to device 2, it drops the traffic by default.

Let's pretend somehow the rogue PDF got on our HR person's computer and she printed it (assumed to get through the anti-malware/anti-spam server).

So let's say we have some workstations and printers on the 192.168.1 subnet (not good security practice but believable) and the workstations need to talk to a webserver on the 192.168.2 subnet. We can configure our router to allow the workstations to talk to the webserver but not the printers (because it's not needed; only the workstations need access to those printers). So even without any security, the network admin has stopped this attack from working by throwing down a router, until that printer can compromise the router or a workstation.

For argument's sake let's say the anti-malware on the computer doesn't pick up the attack (assumption #2) and that IDS is tracking the extra network traffic but doesn't flag it yet (assumption 2.5).
Alright, you've got a user's computer who probably has internet access, so you can pick up the routing table needed to get out; now you have to get through the internal firewall/web filter. Let's assume you have a DNS space that doesn't look too suspicious and that the IDS settings are not too paranoid (that's 4 assumptions in my mind) and your goal is to grab print jobs as he did. IDS now detects that for every print job you send to this printer another packet goes out to the internet. How long do you think it will be before your computer is flagged and you are moved to a quarantine subnet? My guess is you get the next 3-5 documents the user or printer prints, tops. Some networks would have moved you on the first one printed. And that's assuming there's no proxy shenanigans going on.
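The segmentation and IDS argument in tete's post above, turned into runnable code. This is an added example, not code from the thread, the talk, or HP: the addresses, the flow-log format, the "printer VLAN may only reach the syslog host" allowlist, port 9100 as the raw print port and the 5-second correlation window are all constructed assumptions. It implements the Networking 101 rule (two hosts share a subnet only under the mask), flags any flow in which a printer talks beyond its own subnet to a destination that was not explicitly allowed, and then looks for the exact tell tete describes: a print job to the printer followed shortly by a packet from that printer leaving the subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical addressing for this example: one /24 holding
# both workstations and a printer (the "believable but not best practice"
# layout from the post), a syslog host on another subnet the printer is
# allowed to reach, and 203.0.113.0/24 (a documentation range) standing in
# for "the internet".
PRINTER_HOSTS = {"192.168.1.50"}
ALLOWED_PRINTER_DESTINATIONS = {"192.168.2.5"}   # e.g. a syslog collector
PRINT_PORT = 9100                                 # assumed raw print port
DEFAULT_MASK = "255.255.255.0"

# Constructed flow records: "<seconds> <src> <dst> <dport>"
SAMPLE_FLOWS = """\
100 192.168.1.20 192.168.1.50 9100
101 192.168.1.50 192.168.2.5 514
103 192.168.1.50 203.0.113.7 443
200 192.168.1.21 192.168.1.50 9100
202 192.168.1.50 203.0.113.7 443
300 192.168.1.20 192.168.2.80 80
""".splitlines()


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


def same_subnet(ip_a, ip_b, mask=DEFAULT_MASK):
    """Networking 101 rule: two hosts can talk without a router only if
    they fall inside the same network as defined by the mask."""
    net = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def parse_flows(lines):
    """Turn the constructed flow log into Flow records."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def printer_egress(flows, mask=DEFAULT_MASK, allowed=ALLOWED_PRINTER_DESTINATIONS):
    """Flows in which a printer talks beyond its own subnet to a destination
    that was not explicitly allowed. A router that drops by default would
    have blocked these; an IDS seeing them is the cue to quarantine the
    segment."""
    return [f for f in flows
            if f.src in PRINTER_HOSTS
            and not same_subnet(f.src, f.dst, mask)
            and f.dst not in allowed]


def print_job_egress_pairs(flows, window=5, mask=DEFAULT_MASK,
                           allowed=ALLOWED_PRINTER_DESTINATIONS):
    """The pattern described in the post: for every print job sent to the
    printer, another packet leaves the subnet shortly afterwards. Returns
    (job, egress) pairs where the egress came from the printed-to host
    within `window` seconds of the job."""
    jobs = [f for f in flows if f.dst in PRINTER_HOSTS and f.dport == PRINT_PORT]
    egress = printer_egress(flows, mask, allowed)
    pairs = []
    for job in jobs:
        for out in egress:
            if out.src == job.dst and job.ts <= out.ts <= job.ts + window:
                pairs.append((job, out))
                break
    return pairs


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("same subnet, /24:", same_subnet("192.168.1.1", "192.168.2.1"))
    print("same subnet, /16:", same_subnet("192.168.1.1", "192.168.2.1", "255.255.0.0"))
    for f in printer_egress(flows):
        print(f"ALERT printer egress: {f.src} -> {f.dst}:{f.dport} at t={f.ts}")
    pairs = print_job_egress_pairs(flows)
    print(f"{len(pairs)} print job(s) followed by off-subnet traffic from the printer")
```

On the sample log the syslog flow is allowed and silent, the two flows to 203.0.113.7 raise egress alerts, and both print jobs correlate with an outbound packet from the printer within the window, which is the "flag the host and move the segment to quarantine" signal tete describes; in a real deployment the printer set and allowlist would come from the inventory and the router's actual ACLs rather than constants.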
Seriphen
To side with Tete. With the last company I worked with, we divided departments into different VLANs to segregate the network and then put the printers on their own VLAN so that they couldn't cause issues with the network. This works quite well when one employee picks up a stupid virus that makes it a rogue DNS server that points to more malware sites.
Sengir
QUOTE (tete @ Jan 28 2012, 12:34 AM) *
(not good security practices but believable)

Good practice only lasts until somebody decides "that needs to be done by yesterday, and what do you mean by 'additional budget'?". Then you end up reconfiguring the firewall concept to allow remote deployment of updates via C$...
CanRay
QUOTE (Sengir @ Jan 28 2012, 03:02 PM) *
Good practice only lasts until somebody decides "that needs to be done by yesterday, and what do you mean by 'additional budget'?". Then you end up reconfiguring the firewall concept to allow remote deployment of updates via C$...
Cheap, good, fast: Pick two. I guess they don't teach that at MBA school, like a lot of other things they don't teach.

Yes, I'm bitter!
The Jake
The damage value of this attack isn't that it will give you full access to the network, but a pivot point inside a network that might be secure. And it's what someone does when they pivot from the compromised host that makes a difference. A printer may not have access to the entire network (and you would hope not unless it's flat, at which point they fail in security). But even in a secure network, if a printer was compromised, you might be able to pivot to a desktop DMZ, or shared services DMZ. It depends on how the network is segmented. I've seen infected PDFs own desktops, and that is trivial (plugins for attack tools like Metasploit already exist).

Haven't looked at printers specifically, but at last check the latest gen of email scanners run in a sandbox to detect this sort of behaviour by interpreting what the attachment does upon opening with the appropriate program or executing. That, in theory, would stop a great deal of these attacks, particularly if they rely on exploit code, privileged memory access and invoking reverse shells.

Back to Shadowrun, yeah, this is basically a regular document with a Trojan (RAT) attached (p. 123, Unwired). Only requires a user to be socially engineered into executing. Just get a party Face/pornomancer to take care of that one...

- J.

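The "it depends on how the network is segmented" point above is something you can actually check rather than guess at. The following is an added example (mine, not code from the thread or from the video being discussed): the network is modelled as named segments plus an allow-list of permitted flows, and a breadth-first search answers "if the printer is owned, what can the attacker reach by pivoting?" The segment names, ports and rules are constructed for illustration, and the model assumes that controlling one host in a segment lets the attacker use every flow that segment is allowed.

```python
"""Which segments can an attacker reach after owning a printer?

Added illustration, not from the original thread.  A network is modelled as
named segments plus an allow-list of (source, destination, port) flows.
Assumption: once an attacker controls one host in a segment they can use
every flow that segment is permitted, and each newly reached segment is a
fresh pivot.  Segment names and rules below are constructed examples.
"""
from collections import deque

# Constructed policy for a segmented site; not a real configuration.
SEGMENTED_POLICY = {
    ("desktops", "printers", 9100),          # workstations send print jobs
    ("desktops", "shared_services", 445),    # file shares
    ("desktops", "internet", 443),
    ("printers", "shared_services", 25),     # scan-to-email via the mail relay
    ("shared_services", "desktops", 445),    # patch pushes over C$ (the "yesterday" rule)
    ("shared_services", "internet", 443),
}


def reachable_from(policy, start):
    """Breadth-first search over the allow-list; every reached segment is a pivot.

    Returns {segment: path} for every segment reachable from `start`, with
    `path` the shortest chain of pivots that gets there.  The port is kept in
    each rule for readability but any allowed port is enough to pivot.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst, _port in sorted(policy):
            if src == here and dst not in paths:
                paths[dst] = paths[here] + [dst]
                queue.append(dst)
    return paths


def flat_policy(segments):
    """A flat network: everything may talk to everything (port 0 = any)."""
    return {(a, b, 0) for a in segments for b in segments if a != b}


if __name__ == "__main__":
    tightened = SEGMENTED_POLICY - {("shared_services", "desktops", 445)}
    cases = (
        ("segmented, with patch pushes to desktops", SEGMENTED_POLICY),
        ("segmented, patch-push rule removed", tightened),
        ("flat", flat_policy({"desktops", "printers", "shared_services", "internet"})),
    )
    for name, policy in cases:
        paths = reachable_from(policy, "printers")
        print(f"{name}: a compromised printer reaches {sorted(paths)}")
        for seg, path in sorted(paths.items()):
            print("   ", " -> ".join(path))
```

With the constructed policy the printer cannot talk to desktops directly, yet the attacker still gets there in two hops: printer to mail relay, then the management rule that lets shared services push updates into the desktop segment. Drop that one rule and the desktop segment falls out of the reachable set, which is the concrete version of Sengir's complaint about reconfiguring the firewall to deploy over C$.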
CanRay
Or a Hacker with "Chatty" and use Social Networking 2.0.

Got to love AR Relationships.
Draco18s
QUOTE (The Jake @ Jan 29 2012, 01:53 AM) *
The damage value of this attack isn't that it will give you full access to the network, but a pivot point inside a network that might be secure. And it's what someone does when they pivot from the compromised host that makes a difference. A printer may not have access to the entire network (and you would hope not unless it's flat, at which point they fail in security). But even a secure network, if a printer was compromised, you might be able to pivot to a desktop DMZ, or shared services DMZ. It depends on how the network is segmented. I've seen infected PDFs own desktops and that is trivial (plugins for attack tools like Metasploit already exist).


Right. It gives you a foothold from which to launch future attacks, which can lead to eventual complete network compromise.
Tymeaus Jalynsfein
QUOTE (Draco18s @ Jan 29 2012, 07:31 AM) *
Right. It gives you a foothold from which to launch future attacks, which can lead to eventual possible complete network compromise.


Fixed that for you... It is not a foregone conclusion, just a possibility.
tete
Well, Draco18s did say "can"... I can see it working on home users and small IT shops. It just goes to show why you should be hacking your own networks and how valuable a good IDS and disaster recovery plan are. The irony here is that firmware has always been a problem and now that Microsoft is finally starting to come around you have weekly Adobe alerts. I'm sure OSX is next, as more and more people buy Apple...
noonesshowmonkey
One of the scariest parts about this experiment is that the demonstrated vulnerability of embedded systems indicates that tons of different devices can get compromised by using (what is likely) a very similar method. Really, the ability to update the firmware to own a device is not only clever, but probably pretty portable.

From there, the complexity of these kinds of attacks can just increase.

Like, if you have an embedded system with an OS you know how to manage and can own that ALSO has a NIC card and a storage device, you can put together some pretty sexy exploits.

For example, if any of these devices require an open connection between the device and an actual workstation, it is plausible to disguise the malicious traffic within the allowed traffic.

I do not know what circumstances would absolutely require a printer to send data to and receive data back from a workstation, but I certainly can think of other devices that would and do.

For example, if you own the printer and can portion off some of its storage space (or as the built in storage space increases in volume), you could easily set up the malware to cache all jobs until the cache is full and then connect and dump all of that data back. In the outlined scenario earlier, some networks wouldn't allow an outbound connection from the printer to the internet, others might allow one or two before shutting things down. If the device in question is capable of storing a large volume of information, the transmission(s) could contain a lot more than just the break room posters reminding employees to put money in the pay-for-the-coffee jar.
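The "cache jobs, then dump them in one burst" scenario above is exactly the kind of thing a printer VLAN makes detectable, because a printer's legitimate traffic is nearly all inbound. Here is an added example (my own, not code from the thread or the video) of a small detector run over constructed NetFlow-style records. It assumes printers live in 10.20.30.0/24, the site's internal range is 10.0.0.0/8, and a printer is only expected to initiate connections to the DNS, NTP and mail-relay servers listed; all addresses, ports and flows are made up for the illustration.

```python
"""Flagging a printer that phones home.

Added example, not from the original thread.  A tiny detector over
constructed NetFlow-style records.  Assumptions: printers sit in
10.20.30.0/24, the site's internal space is 10.0.0.0/8, and a printer only
ever *initiates* connections to the DNS, NTP and mail-relay servers in
PRINTER_EGRESS_ALLOW.  Anything else it originates is suspect, and a very
large flow (a job cache being dumped) is flagged regardless of destination.
Every address and flow below is made up.
"""
import ipaddress
from dataclasses import dataclass

PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# (server, port) pairs a printer legitimately initiates: constructed allow-list.
PRINTER_EGRESS_ALLOW = {("10.0.0.53", 53), ("10.0.0.123", 123), ("10.0.0.25", 25)}
# A scan-to-email job is kilobytes to a few megabytes; a cache of everyone's
# print jobs is not.  Threshold is a constructed, tunable value.
BURST_BYTES = 5_000_000


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str        # initiator of the connection
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src


SAMPLE_FLOWS = [  # constructed sample records
    Flow("09:00:01", "10.10.4.17", "10.20.30.5", 9100, 240_000),     # workstation prints: normal
    Flow("09:00:09", "10.20.30.5", "10.0.0.53", 53, 180),            # printer DNS lookup: normal
    Flow("09:01:30", "10.20.30.5", "10.0.0.25", 25, 1_200_000),      # scan-to-email: normal
    Flow("09:05:12", "10.20.30.5", "10.10.4.17", 9100, 800),         # printer connects *to* a workstation
    Flow("17:42:00", "10.20.30.5", "203.0.113.9", 443, 48_000_000),  # printer dumps its cache off-site
]


def classify(flow):
    """Return the reasons a flow is suspicious; an empty list means it looks normal."""
    reasons = []
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in PRINTER_NET:
        return reasons  # only printer-originated traffic is judged here
    if (flow.dst, flow.dport) not in PRINTER_EGRESS_ALLOW:
        if dst in WORKSTATION_NET:
            reasons.append("printer initiated a connection to a workstation (wrong direction)")
        elif dst in INTERNAL_NET:
            reasons.append("printer initiated a connection to an unexpected internal host")
        else:
            reasons.append("printer initiated a connection outside the site")
    if flow.bytes_out >= BURST_BYTES:
        reasons.append(f"printer sent {flow.bytes_out} bytes in one flow (cache dump?)")
    return reasons


def detect(flows):
    """Map every suspicious flow to its list of reasons."""
    findings = {}
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            findings[flow] = reasons
    return findings


if __name__ == "__main__":
    for flow, reasons in detect(SAMPLE_FLOWS).items():
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}: " + "; ".join(reasons))
```

The direction check is the important one: a printer accepting port 9100 from a workstation is normal, a printer opening port 9100 towards a workstation is not, even though a port-only rule would treat both the same. The byte threshold catches the "wait until the cache is full, then dump" pattern even when the destination is on the allow-list.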
hobgoblin
QUOTE (CanRay @ Jan 28 2012, 08:09 PM) *
Cheap, good, fast: Pick two. I guess they don't teach that at MBA school, like a lot of other things they don't teach.

Yes, I'm bitter!

Nah, at the MBA classes it is Cheap + Fast = Good (enough for sale).

Seriously, the whole concept can be traced back to one guy with a stopwatch in an 1800s US factory...
hobgoblin
QUOTE (The Jake @ Jan 29 2012, 08:00 AM) *
Back to Shadowrun, yeah, this is basically a regular document with a Trojan (RAT) attached (p. 123, Unwired). Only requires a user to be socially engineered into executing. Just get a party Face/pornomancer to take care of that one...

And targeting a peripheral node.
CanRay
QUOTE (hobgoblin @ Jan 30 2012, 09:42 AM) *
And targeting a peripheral node.
"Give me a few seconds, I'm hacking the coffee pot, it's only got Grey IC!"
Draco18s
QUOTE (noonesshowmonkey @ Jan 30 2012, 12:29 AM) *
One of the scariest parts about this experiment is that the demonstrated vulnerability of embedded systems indicates that tons of different devices can get compromised by using (what is likely) a very similar method. Really, the ability to update the firmware to own a device is not only clever, but probably pretty portable.


Precisely. It's not just printers, but any network capable device that's not considered a "computer."

Network Hard drives, printers, scanners, and so on. Even those fancy shmancy new fridges that order you more milk when you're out.
hobgoblin
QUOTE (CanRay @ Jan 30 2012, 04:16 PM) *
"Give me a few seconds, I'm hacking the coffee pot, it's only got Grey IC!"

How old is that thing?
CanRay
QUOTE (CanRay @ Jan 30 2012, 11:16 AM) *
"Give me a few seconds, I'm hacking the coffee pot, it's only got Grey IC!"
QUOTE (hobgoblin @ Jan 30 2012, 11:22 AM) *
How old is that thing?
"Two weeks. I see a notice here to update it's IC in case of cyberattack, but it keeps getting sent back because of the difficulty in getting Coffee without killing people if they put Black IC on it."
Dumpshock Forums © 2001-2012