Printer Vulnerabilities & Exploits

Tektronix Printer Vulnerabilities

Strike 1 -

To: BugTraq 
Subject: [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password] 

Searched the archives to see if this one has already come out, but didn't
find it.

As more and more printer companies add insecure protocols and daemons to
their printers as features to make their machines more available to the end
users, they make their printers more available to exploits by hackers as
well.  Unfortunately, many of the bugs in these printers are available for
exploit since often these services come turned on by default and little
information is provided up front on how to turn them off.  We have contacted
Tektronix on numerous occasions about these vulnerabilities, and have
received a cold shoulder each time...maybe this will spark some movement now
that they know the exploit community has the keys (it is doubtful that the
exploit community didn't know this to start with.)

Tektronix has a particularly nasty bug which is quite amusing.  On their
Phaser 740 color printers (they may be on other printers, but I haven't had
the access I need to the other printers to find out,) Tektronix packages a
webserver, built into the printer, to allow an administrator to access and
change the configuration remotely.  By opening a standard web-browser and
pointing to the printer's URL, this webserver allows any user to access the
Status and Configuration of the printer.  Luckily, Tektronix is smart enough
to require an administrator password be entered in order to prevent just
anyone from changing the settings of the printer (well, it was a good idea,
but unfortunately as we'll soon see this administrator password is a joke.)
Tektronix does recommend that users enter an administrator password, and the
manual is quite specific on how this is accomplished (though the manual does
state that these passwords are sent unencrypted from the browser to the
printer.)  Unfortunately, using some hidden and undocumented URLs, the
administrator password is shown to anyone without any sort of authentication
and allows anyone to bypass this password to directly reconfigure the
printer, which kinda defeats the purpose entirely.

To grab the administrator password, just use the URL
http://printername/ncl_items.html?SUBJECT=2097.  Presto, the password
appears in plain text for all the world to see.  Of course, you can also
change the administrator password here to whatever you want, without needing
to provide any authentication information.  As a matter of fact, you can
change just about any configuration information in the printer without a
user id or password by using the URL http://printername/ncl_subjects.html
and choose one of the subjects listed.  So, if the administrator went
through all the trouble of shutting down the insecure services like telnet
and ftp or put in passwords for these services, there is nothing stopping
you from going in and changing these passwords and turning these services
back on.  All you need to do is swipe the administrator password, now you
have access to all the configuration options on the printer and can do what
you please.

I even like the fact that you can use the URL
http://printername/ncl_items.html?SUBJECT=1, and set the factory default
setting to On, then hit the "Lets change EVERYTHING" button and voila, a
brand new printer (and a really good Network DoS, since it kills off the IP
address and other important networking information.)

An exploit (for just about anything) is trivial...

SOLUTIONS:

1.  Block Port 80 access to this printer via a router or firewall.  This
will prevent access to this software from those outside the network. Also,
since very rarely will anyone print from outside the local network, setting
the default gateway to be the same as the IP address will keep outside users
from exploiting this service.

2.  Disable the PhaserLink Webserver on the printer.  This can be
accomplished through the control panel, switching the HTTP Protocol to
Disabled (Under Printer Configuration | Network Settings | HTTP), but it can
also be accomplished via the URL http://printername/ncl_items?SUBJECT=2097,
then switch the setting "On" to off. (We are still testing the printer to
make sure that this setting permanently disables the functionality of this
HTTP server.)  However, doing so will prevent you from being able to
remotely administer this machine using the web browser.

There are other methods, but these two appear to be the best.

Dennis (aka Little Wolf)

Strike 2 -

To: BugTraq 
Subject: Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW) 

Summary - New Tektronix (Xerox) printers have covered up a security through
obscurity flaw discovered in November, 1999 with more security through
obscurity.  The unauthenticated and unfiltered administrator configuration
page on the PhaserLink webserver is now located at the URL
http://printername/_ncl_subjects.shtml.  Furthermore, Tektronix has added
the item "Userid:" to the printer config page, supposedly to add more
granularity (or obscurity) to the configuration process.  However, this may
allow unfiltered and unauthenticated users to discover the administrator's
valid userid and password.  And more, the printer's webserver cannot be
turned off using the html interface.

Background - On November 16, 1999, I posted a backdoor in the PhaserLink
Webserver for Tektronix Printers.  The backdoor allowed an attacker
unfiltered and unauthenticated access to the configuration of the printer.
Many of the Tektronix printers available at the time had this backdoor.
A few days later, another bugtraq poster (I'm sorry, cannot find the name
in the archive,) discovered that this vulnerability also allowed an
unfiltered and unauthenticated user to ultimately physically deny service
on the printer by forcing it into Emergency Power Off mode, which meant the
printer would turn itself off without properly voiding the ink or crayon
reservoir.  If the reservoir cooled, the ink or crayons would coagulate, and
the printer would be physically damaged.  My post, and subsequent discussions
on Bugtraq received the attention of many concerned administrators, who
contacted me about the vulnerability and the fixes for the vulnerability.
It also attracted the attention of a Tektronix bigwig which, after two weeks
of silence from Tektronix after posting the bug (three weeks after
contacting them about the bug,) sent me several threats (legal threats about
releasing secret information.)  After several meetings and emails flew around,
it was mutually decided that this was a bad way of doing business, and that
Tektronix would inform us of any other backdoors as well as work with us to
fix them.  In exchange, I'd not post any further advisories (although I did
not agree with this, but due to their apparent effort to fix the problem, I
have kept my mouth shut.)

Unfortunately, they have not kept up their end of the bargain, and instead
have made things more insecure as well as using more security through
obscurity to hide the problem exposed in the first vulnerability report. In
As a matter of fact, the last communications we received from them on this issue
was in the beginning of 2000.  I think it is time to shake them up again
because they obviously didn't learn anything the last time.

Vulnerability - Tektronix apparently fixed the problem, but not in a secure
fashion.  I recently had the opportunity to play with several new 850
printers.  The new printers appear to have fixed the problem, at least in
a majority of the half-dozen machines I have played with.  Typing in the
backdoor URL produced an Error 404 message.  However, all of the webservers
responded to the URL http:/printername/_ncl_subjects.shtml.  It appears that
Tektronix covered up the URL after I posted the vulnerability report by
changing the URL slightly.  This was actually discovered during the testing
of the printer.  We noticed that most of the pages on the server now end with
the extension .shtml.  However, typing in the filename ncl_subjects.shtml also
produced an Error 404.  I accidentally typed _ncl_subjects.shtml at one point
during the testing, and the page popped up.  So Tektronix has "secured" the
webpage by adding a "_" and an "s".  This is literally the first time I have
caught a backdoor by dumb luck, but it only took about 20 minutes of playing.
The first URL was given to us by Tektronix Technical Support.  But it
definitely proves that one of the three reasons security through
obscurity fails is pure dumb luck.

The new URL allows the same sort of access that the previous URL backdoor
allowed.  Configuration pages themselves live at the URLs
http://printername/_ncl_items.shtml&SUBJECT=*, where "*" is the number
corresponding to the particular configuration page.  Again, Tektronix has
included the ability to remotely (and unauthenticated) physically deny service
to the printer by setting the "Shutdown" option on the
URL http://printername/_ncl_items.shtml&SUBJECT=1 to "Emergency Power Off,"
but I have yet to find someone willing to allow me to test this.  Obviously
setting "Factory Default" to true is a much less destructive Denial of Service
as it resets the printer, but doesn't damage anything.

Tektronix has added a whole new (and very bad) wrinkle to the HTTP config page.
As previously discovered, the HTTP Config page on 740 machines allowed users to
view the administrator password without any sort of authentication or
filtering.  This means that anyone on the planet can access this information
and use it to reconfigure other parts of the machine using the
URL http://printername/ncl_items.html&SUBJECT=2097.  Tektronix now has both a
userid and a password field available in plain-text by typing the
URL http://printername/_ncl_items.shtml&SUBJECT=2097.  This has the effect of
essentially allowing an ignorant user (and believe me, any user who has a
printer outside of a firewall is an ignorant one,) to broadcast their
standard userid and password to the world.  This allows an attacker to
discover a potentially legitimate password on other computer systems, and
the rest, as they say, is history.

Furthermore, Tektronix has taken away one of the two fixes we proposed in the
last advisory.  One of our suggestions for network administrators to fix the
problem was to use the "On" switch on the ncl_items.html&SUBJECT=2097 webpage
to turn off the webserver on the printer, which apparently turned off this
backdoor quite effectively.  However, while the new printers still have this
switch, the functionality of the switch has been broken or turned off, so this
option is no longer available to network administrators.  The only way to
protect the printer from attack is to put it behind a firewall.

I'm still playing, there may be more...

Vendor Contact Status - vendor was contacted nearly 2 weeks ago, using the
standard email addresses as well as some of the email addresses I had from
before, and any email address I could garnish from the website.  Almost all
of the emails bounced.  Those that didn't bounce were autoresponders, and I
have not received any communication back from the company.  I expect they will
again contact me 2 weeks after this email hits the list, and will again
threaten me with the standard threats and complain that I didn't contact the
right people back at their company ahead of time (somehow they expect I have
awesome ESP skillz that can be useful in detecting the right people to send
the email to, since I obviously have the skillz to find hidden URLs by
mistyping my requests.)

One thing that Tektronix spouted over and over again was that any hardship
over security through obscurity was a local hardship.  Nobody else ever
complained about it.  Feel free to tell them what you think, if you have a
Tektronix printer, make your voice against security through obscurity heard,
so it doesn't look like I'm the only one who has a problem with it.

Shameless Plug - I will hopefully be speaking at this year's Toorcon in San
Diego on printer insecurities.  Please consult www.toorcon.com for more
information.

Contact Info - Send me email at ltlw0lf@home.com for more information, I am
out of town for two weeks, but will get back to you asap.

Can we go for Strike 3?
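As an added example (not part of either post above), here is a log check a printer administrator could run over the printer's HTTP access log or an upstream proxy log to spot requests for the undocumented PhaserLink configuration pages named in both advisories (the 740's ncl_*.html pages and the 850's _ncl_*.shtml pages), flagging the password page (SUBJECT=2097) and the factory-default/shutdown page (SUBJECT=1) separately. The Common Log Format input, the sample lines and the risk labels are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Undocumented PhaserLink configuration pages named in the two advisories.
CONFIG_PATHS = {
    "/ncl_items.html", "/ncl_subjects.html",      # Phaser 740 (first post)
    "/_ncl_items.shtml", "/_ncl_subjects.shtml",  # Phaser 850 (second post)
}
# SUBJECT values the posts single out: 2097 shows the admin password,
# 1 carries the "Factory Default" and "Shutdown" controls.
SUBJECT_RISK = {"2097": "credential-exposure", "1": "dos-or-reset"}

# Common Log Format (assumed): src ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return (path, risk) for a request target, or None if it is not a config page."""
    # The posts quote both '?SUBJECT=' and '&SUBJECT=' spellings; normalise the latter.
    norm = target.replace("&SUBJECT=", "?SUBJECT=", 1)
    parts = urlsplit(norm)
    if parts.path not in CONFIG_PATHS:
        return None
    subject = parse_qs(parts.query).get("SUBJECT", [None])[0]
    return parts.path, SUBJECT_RISK.get(subject, "config-access")

def scan_log(lines):
    """Parse CLF lines and return one finding per hit on a config page."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        hit = classify_request(m.group("target"))
        if hit:
            findings.append({"src": m.group("src"), "path": hit[0],
                             "risk": hit[1], "status": int(m.group("status"))})
    return findings

# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/1999:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1843',
    '192.0.2.77 - - [16/Nov/1999:10:02:11 -0500] "GET /ncl_items.html?SUBJECT=2097 HTTP/1.0" 200 2210',
    '192.0.2.77 - - [16/Nov/1999:10:02:40 -0500] "GET /_ncl_items.shtml&SUBJECT=1 HTTP/1.0" 200 1502',
    '10.0.0.8 - - [16/Nov/1999:10:05:00 -0500] "GET /_ncl_subjects.shtml HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} {f['risk']:20} {f['path']} (HTTP {f['status']})")
```

A 200 on the SUBJECT=2097 page from an address outside the print network is the case both posts describe; since the second post reports that the HTTP-off switch no longer works on the 850, a hit there is a signal to block port 80 to the printer at the router or firewall rather than to rely on the printer's own settings.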