If I could have everybody find a seat, we're going to try to start early. My name is Little Wolf, it's also Dennis Mattison as you see up there. I'm going to be talking about attacking printers and other network attached devices. Looks like we're going to have a DC phone home next at 12 o'clock and I've also been instructed to tell you to drink plenty of water. I think I'd agree with that because it's hot out there. Anyways, let's start. I do want to start off by saying I make no apologies for my email address. As you might notice, I do have cox.net up there. Where else for the wolves to hang out, but in the sheep's pens. And if you believe cox.net is very secure, I won't say any more than that just in case there might be some Cox employees in the room. I'm going to talk real quickly about printers and I'm going to go into a couple disclaimers. I know there's some feds in the room so I might as well disclaim myself. We're going to talk about printer history, why printers are so evil and then we're going to talk about the specific attacks. I'm going to spend a lot of time on the attacks. I'm hoping that this was an hour long presentation. I'm going to try to do it in 50 minutes. So without further ado, first of all, why this particular talk does not violate the DMCA. First of all, we're not going to be talking about cryptographic algorithms. First of all, as far as printers are concerned, there are no cryptographic algorithms. So we throw that right out of the way. We're not going to talk about any software to break cryptographic algorithms. We're not going to talk about any hardware to break cryptographic algorithms. We are not going to break any other laws either, hopefully. We're not going to be exceeding lawful access to our own equipment. And as far as I know, disclosure of vulnerabilities is not illegal yet.
Like hearing what Richard Clarke said about vulnerability disclosures, except for the fact that the government is probably the worst person to announce vulnerabilities to because they don't listen. Full disclosure is key to security awareness. If you're not participating in full disclosure, there's a lot of stuff going on behind the scenes that you have no idea about. First of all, what about printers? Well, let's look at the other applications and OSes out there. We're doing a pretty good job of locking things down. We've got a long way to go. But we're doing a pretty good job. The problem is, we've got a lot of other devices on our network that are not running Windows 2000, that are not running OpenBSD, which are not running Linux. They're running dumb little operating systems that are very vulnerable to attack and very easy to exploit. Security is a necessity of business. You can't go anywhere nowadays without thinking about security, especially post 9-11 and how it messes up everything that we do. Security of computers is definitely growing. Security of printers and other network attached devices is not growing. I work with printer manufacturers an awful lot. The most common response I get back from them is who cares. All these are printers. These are things people print to. Potential attacks against these devices definitely increase as we move to lock down the operating systems. I mean, it's a target of opportunity. As people get locked out of the regular targets of opportunity, the Windows 2000 boxes, so on and so forth, they'll switch over to attacking printers. Now why are printers so bad? First of all, users have had a very long history with printers. Printers have been around since computers were around. You think of a typewriter, that's a pretty good example. Hey, you click on the keyboard, it actually prints something to paper. Older non-network printers are fairly secure.
I don't hear too many attacks on old HP2 machines, although it can happen. Serial and parallel printers brought a whole new realm of attack. You went from unidirectional, where you print out to the printer and nothing comes back, to bidirectional, where you have two-way communications between the computer and the printer. There were a small number of flaws in those printers, but they were not enough to really concern people. Of course, you had scripting languages like PostScript, PJL, and PCL. We're going to talk about all those things. Those were scripting languages added to make the computing experience or the printing experience a lot better. The problem with serial printers was also that it was very easy to track attackers, especially when they're plugged into the exact same computer that the printer is plugged into. Of course, attacking a printer plugged into your serial or parallel port was a pretty bad business decision. When we started adding print servers to the network and started putting printers behind print servers, we had a little bit of a problem, because now the printers were behind systems that were vulnerable to attack. Things like Samba shares, IPX, LPR, all of these things have had problems in the past. Servers were more likely to be compromised than the computers were. You write an LPR attack to take out the actual server that's serving that printer instead of the printer itself. Of course, then we screwed everything up by adding network printers to the networks that were out there. Manufacturers began adding or seeing a need to add protocols to printers, things like web browsing, web serving, telnet, FTP, SNMP. Think of all the different protocols that we know are very bad as far as the security concern is there. These protocols basically leave these printers wide open. There are a large number of insecure protocols out there. Most of them are actually put into a printer. Of course, the idea is functionality over security.
You add these services to your printers and it makes the customers happy because they have a number of ways of connecting. Of course, I'm not just talking about printers, although I am in this particular talk talking about printers, there are other secure devices out there. They have the same problems or very similar problems. Things like webcams, photocopiers, web appliances, network file servers. All of these things are vulnerable to very similar attacks. Think of all the network file servers that are going up all over the place and think about how they're set up. Do they set them up so that they have one particular protocol that users access? No, usually they have everything under the sun running. One thing is that these are all theoretical attacks. I will go over practical examples. Not all of these attacks will work on all printers that are out there. I can tell you from my share of experience with printers, most of the attacks that you're going to see here are in one way or another added to every printer that's out there. Not many known attacks are out there. If you looked at Bugtraq three years ago when I posted my first network printer vulnerability, there really wasn't much talk about printers and printer security. Look at Bugtraq now. There's a lot of talking about security. As a matter of fact, there's a whole thread on security of printers right now. I do definitely welcome the help. Anytime anybody has anything to send to me, I'll definitely look at it. Excuse me. Let's talk about physical security attacks. This is where you have physical access to the machine and everybody knows that physical access means root. Even in printers, the printers themselves are physically addressable. They are physical. They can be easily replaced with another device. One of the nicest things about printers is that nobody expects that the printer is going to be doing the things that you can make it do. You can put a device in line with the printer.
You can essentially plug something into the printer that will listen to the traffic that's going back and forth between the printer and the rest of the network. Some easy mistakes. Users do innocently unplug devices for the resources that they have. You have a port that's available. Users may come along, pull the network connection, plug it into their laptop. This does happen quite regularly. Users will steal IP addresses and network identification so that they can actually access the network. Let's see. Hardcore espionage. Instead of having simple attacks where a user comes in, sits down, unplugs the network connection and plugs in whatever they want to listen to the network, we're actually talking about corporate espionage here. Where an attacker walks into the building, pulls the network connection, plugs it into their laptop and is now able to sniff the network. How many networks out there do not have sensitive internal data that's not supposed to be given out to everyone? I bet even your home users don't want their credit card information and tax stuff going out to the rest of the world. Another nice thing about having a port that the printer used to have is that you can disrupt normal traffic and send all sorts of bad stuff out. You can replace the printer with an espionage-friendly device. Throw something in there in the printer's place. You perform a physical man-in-the-middle attack. Plug the printer into the back of your laptop. Plug the network connection into your laptop and actually have the laptop forward all print jobs to the printer. Of course, the hard disks. Most of the printers out there now have hard disks, so you can definitely perform a laboratory attack. Take the printer back, pull out the hard drive, look at it. Especially since most of these hard drives that are in printers are IDE based. They're the regular stuff you find in computers. And for the most part they use no encryption or they use proprietary encryption.
Stuff that's usually easily breakable. The one thing that I really like about printers is the fact that they never erase the print jobs. They just print over them. What that means is if you can pull out that hard drive and you have a very long print job that was printed, you can recover most of it. What about firmware? Every printer has firmware. What is firmware? Static software. What does that mean? We can take it apart. Matter of fact, some printers are nice enough to actually give us an interface to access the memory and pull things apart for ourselves. We'll talk about the back doors later. What can you do? Disassemble the code, recompile it, figure out how the firmware updates, since most of these things do remote firmware update. Figure out how that works. Upload your own code. Well, you know, probably some of you in this room believe that back in 1991 during the Gulf War the US government actually put a virus into a printer and sent it over to Iraq. Of course, for most of you, you know that this was an April Fool's joke. It was pretty well debunked. Of course, why put a virus into a printer? There are so many other better things to do. Put a sniffer in there so you can see the traffic. Perform denial of service attacks against the network, which are much easier to do than viruses. What about unauthenticated remote access? I'm talking about back doors into the printer. Do you believe that every printer out there has a back door? I do. Allowing remote access to any machine is very risky. Allowing remote access to a printer is especially risky. You throw unauthenticated, unencrypted access onto that and basically you have a root waiting to happen. One of the first protocols that we're familiar with, SNMP, Simple Network Management Protocol. Printers love this. I don't know why. There's nothing they really need to do to do management.
But for some reason a lot of printer manufacturers throw SNMP into their network or into their printers and then of course they don't allow you to turn it off. With SNMP v1 and v2 the authentication mechanism was extremely easy to mess around with. SNMP v3 is supposed to be a lot better. However, it's still possible that they don't throw the authentication stuff on, which could be a problem. SNMP is on by default for most printer manufacturers. Another really bad thing is that few of them allow you to turn it off. As a matter of fact, most of the printer manufacturers out there don't have any sort of feature to turn SNMP off at all. Some printers have additional non-standard community strings. What that means is they use those community strings for something like firmware updates. What you need to do is run a sniffer on the network. Every time you do a firmware update on your HP printer you'll see a lot of community strings going across there that are not public and private. Network protocols such as FTP, LPR, IPP, you name it. All of these have methods or ways of actually reconfiguring the printer remotely. Even with LPR and SMB, if you send PJL or PCL scripts to the printer you will definitely be able to reconfigure the printer. There may also be undocumented commands for printers. Send in an undocumented command as part of your print job and it may do something that it's not supposed to. HTTP and Telnet, of course, these are both unencrypted, but they also may actually lack an administrator password, which means that attackers can get into them. Most of these services can be turned off in the printers. There are some printers out there that are still stupid, that will not allow you to turn these services off. However, most of the ones that I've seen come out nowadays actually allow you to turn this stuff off. One of the nice services that are on printers is the AppSocket interface, port 9100. This is really nice for printing jobs too. It's really nice because it's bi-directional.
So you can send PJL scripts to the printer and it will actually return the responses to you. All you need to do is use nc or Telnet in order to access it. Some PJL. You may not understand what's up here on the screen, but I can tell you that this particular script does very little. All it does is it changes the ready message display that you see on the screen to "Little Wolf owns you". It also prints out the file systems. Yes, I do recommend going to the embedded systems one because it sounds like it's going to be really cool as well. Just a response: you send this particular PJL script to the printer, it comes back with all sorts of nice information messages, including telling us that there is in fact a RAM disk loaded on this particular printer. Which of course has read-write access. The nice thing about this, of course, is this is where you can throw all your exploits if you're worried about somebody coming around and doing forensics on you. One of the most used printer, or one of the most misused printer access mechanisms is something that the printer manufacturers love putting into their printers. That is their back doors. This particular mechanism or method is very flawed because it relies purely on security solely through obscurity. Very few of these actually go in and password protect their back doors. They certainly do not encrypt the data that's going back and forth. There are many ways or many reasons that the manufacturers use for actually doing this. One of the reasons I've heard is that users may actually forget their passwords. So they want to actually allow some sort of technical support person from across the planet to log into the printer to fix the passwords. Another problem, of course, is unlicensed software. According to the manufacturers, they believe there are a lot of pirates out there who are using their software or their hardware illegally. And they might want to actually throw this back door in there to prevent that from happening.
It may actually be used for a number of other reasons. I've heard printer manufacturers say all sorts of things. The one I like most is, hey, we just threw it in there because everyone else does. It's a good one. Of course, this particular problem with back doors is if it fails there's nothing else to prevent you from having an attacker break into your system. Of course, just ask Tektronix about that. One of the best examples of a printer back door was a web server on a printer whose manufacturer I've of course mentioned. They do not exist anymore. I outlived them. Thank you. If you go to this particular printer manufacturer and type in the printer name then ncl-subjects.html, it's a nice menu of all the stuff that the printer manufacturer of course does not really want you to have access to. As a matter of fact, it had access to options that weren't even available via the GUI interface. Of course, it also allowed plain text access to the printer password or the administrator password. Most administrators would throw something in there thinking they were secure. And of course the attackers would come along and read their plain text passwords. It even gets better than this. There were a number of denial of service attacks which we'll talk about. This is what happens when you actually, I know you can't see this very well, but when you pull down the slides from my website you definitely will. If you type in ncl-subjects.html it brought up a whole bunch of options that you could choose from. Of course, one of those options, if you typed in ncl-items.html question mark subjects equals 2097, would actually pop up the administrator password in plain text. You can see this printer manufacturer actually used "password" as their password. Of course, a year later my favorite company, my favorite printer manufacturer, came along with a new series of printers. The nice thing about it in some of these printers was if you tried this old exploit it would not work. Some of them did, some of them didn't.
It depended pretty much on when the firmware was actually manufactured. If you typed underscore ncl-subjects.shtml it would give you exactly the same thing that the other thing did. Of course, how did this actually come to be as far as me finding it? I accidentally mistyped the URL. I started typing stuff in. I knew that ncl-subjects.html did not work. I noticed all of the web pages had .shtml so I tried that first. During the process of the five minutes that I was actually working on breaking this particular printer I accidentally pressed an underscore at the beginning and sure enough the page came up. Of course, when I told the manufacturer about this they responded six weeks after I posted to Bugtraq. Keep in mind that I posted the message to them and all the regular channels four weeks ahead of that. So it was almost two and a half months after originally finding it that I finally received a response from the manufacturer. Of course, their response was the URL was not a security fix. It was a functionality fix. I can understand the .shtml. I just do not understand the underscore in front of the URL. Sorry, you didn't get me there. Unfortunately these same folks have ignored this particular problem. They are still print, well of course they're not. The company that bought them out, Xerox, is now still producing these printers and of course these printers still have these back doors. Third party back doors. Well, we have access to the firmware in some of these printers. Let's download the firmware, decompile it, add our own back doors to the system. You guys are hackers. You can figure out how to do that. Denial of service attacks. It's easier than everything else on the planet. All you need to do is make a connection to the printer. If you make a connection more than eight times to the AppSocket interface you've pretty much denied access to anybody else printing. So it is a problem.
You even hear of some of these scripts that were out there circulating a couple months ago, such as the IDA attack taking down HP printers. Or the Telnet attack. Even stuff that should not break is actually being broken by these scripts. Of course, overwhelming traffic, like I said, the AppSocket interface is a great way to do that. Of course, you can always just connect to the printer. Start wasting resources. Most of these, of course, don't have any sort of authentication mechanism to prevent you from printing. One of the nice things I discovered about the configuration, or the back door configuration, is that you can actually change the IP address of the printer. And by doing so the administrator basically had to go up to the printer console and change the IP address back. It wasn't as easy as connecting to a web page to find out what it had been changed to. An even nicer feature was a little button on the configuration menu that allowed you to reset the printer to the factory defaults. Of course, that was even worse than changing the IP address because now the administrator had to go in and set the machine back up the way it was before. Nice feature: emergency power off. I won't go into it too much because Tektronix says there's nothing there. There's no issue involved with that. However, I had several other people tell me that it was really nice taking a 360 down or 370 down. Those were the wax chips, by just basically putting it into emergency power down. Sure, it may not actually cause physical access to the machine, but every single time you power down the system it has to dump those wax crystals. You waste a lot of stuff doing that. Removing or changing services running on the machine or changing passwords, of course, all can be done through the back door. Big thing: access to and distribution of information. Most of the printer manufacturers out there didn't care about anything I've said up until this point.
When I started saying that important data that was on the customer's network was being compromised, they started listening. Of course, why? Most companies believe that information is important, sensitive and worth money. That's what they're in business for. Exposure of that information can lead to a lot of bad things. Especially embarrassment. Vulnerabilities in printers may actually allow this particular type of attack. We'll talk about some of them. First of all, I've pretty much talked sniffers to death. If you don't know what a sniffer is, I'm sure a lot of the folks that are going to be up here in the later talks will be telling you what it is. Basically you can listen to traffic on the network. Print job forwarding. This was a nice feature in a lot of the printers that I've come across. It will actually forward the information about the print job to you via email or through syslog or through a number of other things. Of course, it may not actually print out the whole entire print job. Most printers don't do that. But they do give you some valuable information. A lot of valuable information, such as how many print jobs have actually gone through this printer. Is it a high yield printer? How much ink has been used on the printer? How much paper has been used? Whether it's got transparencies. All sorts of stuff. A firmware modification, of course, can make print job forwarding very possible too. The reason I bring this up, of course, was a friend of mine was accused of saying in a newspaper one time that an attack on his systems actually allowed print jobs to be sent to Russia. Of course, he did not actually say that, but when I discovered some of these print job forwarding capabilities in the printer he got very, very, very worried about things. Talked about print job notification. Of course, it prints out all sorts of nice things. Title of document printed. Number of bytes, characters, who printed it out, where they printed it out from. All sorts of nice things.
You can change this. In the case of the Tektronix, fairly easy through the back door. Other printers have other methods of accessing it. You can definitely look at my white paper. There's some more discussion about other printers in there. Nice thing about the report for the PhaserLink, it actually tells you all sorts of really cool stuff like the name of the print job. How many pages were actually printed? The user ID who printed it. Nice thing about this: social engineering. Call the guy up. Hey, your print job wasn't working too well. You might want to print it again. Then sit by the printer and wait for it to come out again. A lot more in-depth information that it sends out. You can look at the white paper for this stuff. Access to and distribution of information through RAM disks and file systems. Of course, printers now have the ability to actually create RAM disks and file systems for storing files for the spooler. Bummer with these printers is sometimes they're not actually locked down, so you can actually get access to the spooler directory just by FTPing to the printer. Luckily HP has a write-only one, so it makes it a little different. I have seen other ones that have read-write. I have not actually been able to pull stuff out of the spooler of those read-write ones though. I'm still working on it. Bear with me. Bouncing and ACL hopping. One of the nice things about printers is they've got some vulnerabilities in them that have been around since the dawn of computers. FTP bounce attacks is one of the nicest ones. I want to scan your network. I just use the FTP bounce attack within nmap. Looks perfectly fine. The victim actually believes the printer is attacking them, which most likely means the victim will go back to the printer manufacturer or say to the printer administrator, why are you attacking me? The printer administrator will say, I'm not attacking you, that's a printer. You must be mistaken. See, bouncing printers can get you past ACLs. Poor man's web browser.
All sorts of fun stuff. Talked this one to death. Basically using FTP. Do all sorts of really cool stuff. Floating through two NICs. This was actually an interesting one because I was working on a project where they were attaching a printer to two networks. One of those networks was considered very sensitive. The other one was considered not sensitive. Basically public domain. And they were very interested about having those printers forward the packets across the interface. Unfortunately that meant me actually going back to HP and trying to work with them to tell me whether or not this was possible. If I could get access to the firmware I would be a grateful person. But unfortunately with HP I have not been able to figure out a way to get access to the firmware. See, and oh by the way, HP said it was not possible. I have yet to see if other ones are not. Internet Printing Protocol. One of the nice things about IPP is the fact that it allows users to print URIs to the printer. So instead, or send URIs to the printer. So instead of actually pulling it up on a web browser and clicking the print button, they could actually just tell the printer, hey, go out and get this particular URI, that's the universal resource locator stuff, URIs, and pull it down and print it for me and I'll go pick it up at the printer. So what does this mean? Well, this means a potential attacker could come along and actually send a URI for a particular print job they don't normally have access to to the printer. Because some of these printers have back doors in them that allow you access to the print jobs, it might be easy to pull those things down. IPP version 1.1 has a lot more on security, it has a lot more on the particulars of TLS and SSL which they're using. If you go look at the IPP 1.0 document, the particular line that they have is "no security problems at this time". So IPP 1.0 is pretty much what all the printer manufacturers are following at the moment. This could be a potential problem.
Of course, IPP is a new protocol. It has been looked over as far as RFCs are concerned, but there's still stuff we don't know about it. There were a couple of discussions I had with the IETF folks where I think they pretty much went on above and beyond telling me I was right in some of this stuff and that there was even more stuff that was available that I hadn't figured out yet. So I'm working on that as well. File storage. One nice thing about printers is you can actually put stuff on them. Throw all your exploits up there. The forensics guys can't figure out where you're putting the stuff. I've actually talked to several forensics folks. Only one of the guys that I've talked to has actually said he will look at a printer to see if something's there. The others went, wait, printers, aren't they just stuff that you can print to? Okay, why are these attacks not being used? I mean, we're not hearing all that much discussion about them. Well, how can we be so sure that they aren't being used? Of course, the Tektronix vulnerabilities were known as much as six months before I exposed them. I actually had a few people send me emails saying thank you very much for exposing that. I was actually using it. Sorry. Numerous attacks are spotted on Class B networks that I have access to, through their IDSs. We see AppSocket connections all the time. So they are possible. Most likely there would be two reasons that hackers aren't exposing them. First of all, hackers don't know or understand the vulnerabilities. That's possible. Printers are pretty new on the vulnerability front. There are too many easier targets as well. There are a lot of insecure Windows 2000 or Windows XP boxes out there. Much easier to attack than a printer. So what are printer manufacturers doing? Well, the standard stuff. Same stuff you see Microsoft and all these other companies doing. First thing is they're doing nothing. They don't even acknowledge the fact that you sent them an email.
If they do acknowledge it, usually it's blame the administrator or blame the researcher. Whoever they can fix the blame to. One thing that I like is that several companies have come back and actually threatened me with lawsuits. If you expose this vulnerability, we will go after you. Some of them hide or attempt to hide the vulnerability. HP was really good about this with the IntelNet stuff. You go and ask them during RSA 2001. Hey, what's up with your printers? Why are they dying when we're using IntelNet attack scripts against them? Oh, well, we don't know. Or they would tell us all sorts of other stuff. Talk down the risk of the vulnerability. Fix the problem and only release it to those who ask. And of course the smallest group of all of them fix the responsibility or fix the problem and publish the fix. If there are any printer manufacturers in the room you're probably asking at this point, what do you want us to do? I've got five simple things. First thing is to think outside the box. Realize that printers are vulnerable. Don't think that they're not. Second, access control, authentication, encryption, and filtering. These are very easy to add. In some cases access control is only a few lines of code. Give administrator control. Allow them to turn things off if they don't want them on. There's a lot of problems with printer manufacturers as they'll leave stuff on and they won't let the administrator turn them off. Educate, document, and communicate. Don't think that your users are stupid. Unfortunately, most of the printer manufacturers out there believe that the majority of their users are stupid. So don't. There are a lot of users out there that are smarter than the folks that are building this stuff. Be open-minded about security. Don't close your mind to the aspect of throwing security into your system. What can you do as a regular user? Well, first of all, never install a printer using its defaults. Always change the printer configuration.
Change the printer password. Disable unnecessary services. One nice thing about that exploit with the Tektronix printers is you could actually turn off the web interface. Secure necessary services. Use a firewall. I wouldn't put a printer in front of a firewall anyways. There's no reason that folks from any other country on the planet should be printing to your printers. Contact vendors about security concerns. One of the biggest problems I've had when contacting vendors is the fact that they come back and tell me nobody cares about security. If you care about security, you should be yelling at these vendors and telling them to fix their stuff. I know I blew through this thing really quickly. I'm still going to end it with this. If you have any talks, I will plant myself outside in the pool area. You're welcome to come by and talk with me. The PDF, which goes into a lot more detail than I did in this presentation, is up on my website. I'm actually trying to figure out where I'm going to mirror this because I'm a little concerned about mirroring it up on Cox. I also have the MagicPoint presentation available as well. With that, thank you very much. Since we got plenty of time, I might as well.
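The talk describes PJL sent over the bi-directional AppSocket interface (port 9100) doing more than printing: changing the ready message, listing the printer's file systems, reconfiguring the device. The following is an added example, not code from the talk or its speaker: a small Python audit that runs over captured port 9100 payloads and flags PJL commands that persistently reconfigure the printer or touch its file system, while letting ordinary job-framing commands pass. The command names come from HP's published PJL reference; the allowlist, the categories and the two sample payloads are constructed for this example and are assumptions, not anything the talk states.

```python
import re

# Universal Exit Language sequence that prefixes PJL on a 9100 stream.
UEL = b"\x1b%-12345X"

# PJL commands that only frame or describe an ordinary print job.
# (Allowlist chosen for this example; names from HP's PJL reference.)
JOB_FRAMING = {"JOB", "EOJ", "ENTER", "COMMENT", "ECHO", "USTATUSOFF", "SET"}

# Commands a print job has no business sending: persistent reconfiguration,
# file-system access, and status/configuration queries (example categories).
CATEGORIES = {
    "reconfigure": {"DEFAULT", "RDYMSG", "OPMSG", "STMSG", "INITIALIZE", "RESET"},
    "filesystem": {"FSINIT", "FSMKDIR", "FSDELETE", "FSDOWNLOAD", "FSUPLOAD",
                   "FSAPPEND", "FSDIRLIST", "FSQUERY"},
    "query": {"INFO", "INQUIRE", "DINQUIRE", "USTATUS"},
}

PJL_LINE = re.compile(rb"@PJL\s*([A-Z]*)(.*)")

# Constructed sample 1: a normal PostScript job wrapped in PJL.
SAMPLE_PRINT_JOB = (
    UEL + b'@PJL JOB NAME="quarterly.pdf"\r\n'
    b"@PJL SET RESOLUTION=600\r\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\r\n/Helvetica findfont 12 scalefont setfont\r\n"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

# Constructed sample 2: the kind of "script" the talk describes, which changes
# the ready message and enumerates the file systems instead of printing.
SAMPLE_RECONFIG = (
    UEL + b'@PJL RDYMSG DISPLAY="Little Wolf owns you"\r\n'
    b"@PJL INFO FILESYS\r\n"
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=50\r\n'
    + UEL
)


def audit_pjl(payload: bytes) -> list:
    """Return one finding per PJL command that is not plain job framing."""
    findings = []
    for raw in payload.split(b"\n"):
        # Strip the UEL prefix and CR so the regex sees bare "@PJL ...".
        line = raw.replace(UEL, b"").strip()
        match = PJL_LINE.match(line)
        if not match:
            continue  # page-description data (PostScript/PCL), not PJL
        cmd = match.group(1).decode("ascii")
        args = match.group(2).decode("ascii", "replace").strip()
        if not cmd or cmd in JOB_FRAMING:
            continue  # bare "@PJL" or an allowed framing command
        category = next(
            (name for name, cmds in CATEGORIES.items() if cmd in cmds), "unknown"
        )
        findings.append({"command": cmd, "args": args, "category": category})
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into an alert level; unknown commands are treated as
    hostile because undocumented PJL is exactly what the talk warns about."""
    cats = {f["category"] for f in findings}
    if cats & {"reconfigure", "filesystem", "unknown"}:
        return "alert"
    if "query" in cats:
        return "notice"
    return "ok"


if __name__ == "__main__":
    for label, payload in (("print job", SAMPLE_PRINT_JOB),
                           ("reconfig", SAMPLE_RECONFIG)):
        found = audit_pjl(payload)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  {f['category']:<11} @PJL {f['command']} {f['args']}")
```

Feeding the normal job through `audit_pjl` yields no findings and an "ok" verdict; the second payload produces three findings (RDYMSG as reconfigure, INFO as query, FSDIRLIST as filesystem) and an "alert". Anything that is not on the allowlist is reported, which is the conservative choice given the talk's point about undocumented commands; tune `JOB_FRAMING` to the drivers actually in use before deploying this against a real 9100 feed.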