Tue 21 Jun 2011
Getting to ShmooCon each and every year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C. in January or February of every year. Even with the weather concerns, I've always found it to be a conference worth attending. It features excellent talks, top security researchers sharing ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".
From Printer to Domain Admin
I've always been fascinated with the idea of attacking printers. The common misconception of "oh, it's only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset usually translates into the following situations, which help to fuel my fascination:
- People do not factor printer or MFD (multi-function device) security into their purchasing decisions. Features and cost rank before security in this case.
- Printers are usually a "fire and forget" installation: once they are set up and working, no one wants to touch them again for fear of breaking them (as most of us know, users get very upset if they can't print).
- Organizations are buying more printers as the price decreases and functionality increases, believing that it leads to increased productivity. I have often heard that more printers were purchased and installed to prevent people from having to walk too far to the printer. Just how far is too far anyhow? 20 feet? 30 feet? As a cubicle worker, couldn't you benefit from a nice walk to the printer?
- Printers tend to last a long time (in a technology context anyhow) and can be in operation on the network for more than ten years, long after security updates are available.
- To my knowledge there are no anti-virus or anti-malware products for printers or MFDs.
- Printers may not be included in your IT management process with respect to vulnerability testing, patch management and security monitoring.
Many security researchers, including myself, have also found that the manufacturers of printers and MFDs often do not build proper security into the development and implementation of their products. The vulnerabilities being disclosed are relatively basic and well-understood problems outside of the embedded systems space. Vulnerabilities such as password disclosure, authentication bypass, and weak encryption are examples of the problems that have been found.
At this year's conference there were two talks that centered around uncovering vulnerabilities in printers and MFDs. The first was titled "Printer to PWND: Leveraging Multifunction Printers During Penetration Testing" by Deral Heiland and Pete Arzamendi. They targeted devices from three different manufacturers, each with the same twist. The first step was to find a vulnerability that would grant them access to the web-based management interface on the devices. Each device took on a slightly different flavor: for example, one device would let you bypass authentication by sending multiple parameters to it (such as 'page=page='), others would grant you access by just putting an extra "/" in the request, and others allowed you to directly download the configuration backups without prompting for a username and/or password.
The second step was to look at the information you can collect from the printer. This was broken up into two groups:
- Authentication - Many printers support LDAP for both authenticating users and populating the address book. Once you've gained access to the management interface you are able to read the username and password used to connect to the LDAP or Active Directory server.
- Username/Email address harvesting - Several printers imported the AD address book, which enables you to then run password brute-forcing attempts across the entire domain. Also, the internal logs from many printers let you read the usernames of people who have printed to the device.
One of the most glaring vulnerabilities is that reading the passwords to AD or LDAP is as easy as viewing the source code of the management HTML pages. When the management page is displayed, the password field contains the familiar dots that obfuscate the password. However, if you use your web browser to view the HTML source code, many printers display the password in clear text, and a handful "encrypt" them (some using base64 encoding).
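The weakness above is easy to check for on your own devices: fetch the management page (authenticated, from a device you administer) and look for password inputs whose `value` attribute is populated. The following is an added example, not code from the talk or from PRAEDA, and the sample page, field names and values in it are constructed. It flags every populated password field, notes when the value is merely base64 (which decodes to readable text, so it is encoding, not encryption), and shows the hardened rendering a vendor should use instead: a write-only field that never echoes the stored secret.

```python
import base64
import binascii
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample of a printer management page that echoes the stored
# LDAP/SMTP credentials back into the form. Host, field names and values
# are made up for this example.
SAMPLE_MANAGEMENT_PAGE = """
<html><body>
<form action="/ldap_settings" method="post">
  <input type="text" name="ldap_server" value="dc01.corp.example">
  <input type="text" name="ldap_bind_dn" value="CN=printer-svc,OU=Service,DC=corp,DC=example">
  <input type="password" name="ldap_bind_pw" value="hunter2-ldap">
  <input type="password" name="smtp_pw" value="U3VwZXJTZWNyZXQxMjM=">
  <input type="password" name="admin_pw" value="">
</form>
</body></html>
"""


def decode_if_base64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is strict base64 yielding printable ASCII.

    This is a heuristic: a plaintext password that happens to be valid base64
    would also be reported as base64.
    """
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


class _PasswordFieldScanner(HTMLParser):
    """Collect every <input type="password"> whose value attribute is non-empty."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attributes = {k.lower(): (v or "") for k, v in attrs}
        if attributes.get("type", "").lower() != "password" or not attributes.get("value"):
            return
        decoded = decode_if_base64_text(attributes["value"])
        self.findings.append({
            "field": attributes.get("name", "?"),
            "encoding": "base64" if decoded is not None else "plaintext",
            "value_length": len(attributes["value"]),
        })


def audit_management_page(html: str) -> List[Dict[str, object]]:
    """Report password fields whose stored secret is present in the page source."""
    scanner = _PasswordFieldScanner()
    scanner.feed(html)
    return scanner.findings


def render_secret_field(name: str, stored_secret: str) -> str:
    """Hardened rendering: never echo the stored secret; the field is write-only.

    stored_secret is deliberately unused. The form accepts a new value, and an
    empty submission means "leave unchanged", so the page never leaks the secret.
    """
    return f'<input type="password" name="{name}" value="" placeholder="(unchanged)">'


if __name__ == "__main__":
    for finding in audit_management_page(SAMPLE_MANAGEMENT_PAGE):
        print(f"{finding['field']}: secret present in source ({finding['encoding']})")
```

Run against real devices, the same scan belongs in your periodic configuration audit of printers and MFDs, which is exactly the "vulnerability testing" step the list above says printers usually miss.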
Deral and Pete produced a tool called "PRAEDA" (Latin for "taken in war", or "booty"), which is a Perl-based tool that will scan for printers that have known vulnerabilities and then extract the data from them, including user lists and credentials.
More Printer "Hijinx"
Another talk on printer security was given, titled "Printers Gone Wild" by Ben Smith, which covered vulnerabilities in PJL (Printer Job Language), a method for printers to manage and handle print jobs and device configuration. PJL can be accessed over TCP port 9100 on many different models of printers, but this talk focused only on those manufactured by Hewlett-Packard.
Although the presenter stated that PJL was being replaced by a new method, the installed base of HP PJL-enabled printers is quite significant [1]. One of the interesting points about Ben's talk, and the capability that allowed him to carry out his research and build tools and libraries for exploitation, is that even if SNMP is disabled or blocked, you can still send the printer all of the device management commands over PJL, such as changing the display, rebooting the printer and more. Since the PJL port is typically left open to let users print, this provides a significant advantage to attackers.
Modern printers, and even older ones, have the ability to store print jobs and other files. Some use a RAMDISK, and others have an actual hard drive. Using the PJL control channel you can upload and download files of your choosing to the printer's storage. Ben built a tool that implements a distributed, compressed and encrypted file system across multiple printers. The tool is called "printFS" and will be released shortly. He also wrote another tool called "printJack" that lets you manipulate the printer in different ways, such as changing the display and printing solid black pages.
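Because management commands and ordinary print jobs share port 9100, blocking the port is not an option, but the traffic itself is easy to tell apart: a spooler sends job-control commands, while display changes, persistent configuration changes and filesystem operations have no business coming down the print path. The following is an added example, not code from the talk or from printJack/printFS. It is a small classifier you could run over a capture of port 9100 traffic (or inside a print-server proxy) to separate the two; the command families are taken from my reading of HP's PJL reference, and both sample streams are constructed.

```python
import re
from typing import Dict, List

# PJL command families (from HP's PJL Technical Reference, as I know it; the
# article itself only mentions display changes, reboot and file transfer).
JOB_COMMANDS = {"JOB", "EOJ", "ENTER", "COMMENT", "ECHO", "SET",
                "USTATUS", "USTATUSOFF", "INQUIRE", "DINQUIRE", "INFO"}
DISPLAY_COMMANDS = {"RDYMSG", "OPMSG", "STMSG"}
CONFIG_COMMANDS = {"DEFAULT", "INITIALIZE", "RESET"}        # persist beyond the job
FILESYSTEM_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
                       "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}

UEL = b"\x1b%-12345X"                      # Universal Exit Language: frames PJL sections
PJL_LINE = re.compile(rb"@PJL\s*([A-Z]*)")  # "@PJL <COMMAND> ..." (a bare "@PJL" is a no-op)

# Constructed sample 1: what a spooler normally sends for one PCL job.
NORMAL_JOB = (
    UEL
    + b'@PJL JOB NAME="quarterly-report"\r\n'
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...page content in PCL...\x1bE"
    + UEL
    + b"@PJL EOJ\r\n"
    + UEL
)

# Constructed sample 2: device management arriving over the same port
# (display text, a file written to the printer's storage, a persisted default).
MANAGEMENT_STREAM = (
    UEL
    + b'@PJL RDYMSG DISPLAY="PLEASE CALL HELPDESK"\r\n'
    + b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=11 NAME="0:/example.txt"\r\n'
    + b"hello world"
    + b"\r\n@PJL DEFAULT COPIES=1\r\n"
    + UEL
)


def extract_pjl_commands(stream: bytes) -> List[str]:
    """Return the PJL command words, in order, from a port 9100 byte stream.

    Each UEL-delimited segment is read line by line until an ENTER LANGUAGE
    command, after which the rest of that segment is PCL/PostScript, not PJL.
    Lines that are not PJL (job data, FSDOWNLOAD payload bytes) are skipped.
    """
    commands: List[str] = []
    for segment in stream.split(UEL):
        for line in segment.splitlines():
            match = PJL_LINE.match(line.strip())
            if not match or not match.group(1):
                continue
            word = match.group(1).decode("ascii")
            commands.append(word)
            if word == "ENTER":
                break
    return commands


def classify_pjl_stream(stream: bytes) -> Dict[str, List[str]]:
    """Bucket the commands in a stream by what they can do to the device."""
    buckets: Dict[str, List[str]] = {
        "job": [], "display": [], "config": [], "filesystem": [], "unknown": []}
    for word in extract_pjl_commands(stream):
        if word in JOB_COMMANDS:
            buckets["job"].append(word)
        elif word in DISPLAY_COMMANDS:
            buckets["display"].append(word)
        elif word in CONFIG_COMMANDS:
            buckets["config"].append(word)
        elif word in FILESYSTEM_COMMANDS:
            buckets["filesystem"].append(word)
        else:
            buckets["unknown"].append(word)
    return buckets


def flags_for_print_path(stream: bytes) -> List[str]:
    """Commands a spooler-to-printer connection should never carry; alert on any."""
    buckets = classify_pjl_stream(stream)
    return buckets["display"] + buckets["config"] + buckets["filesystem"]


if __name__ == "__main__":
    print("normal job flags:", flags_for_print_path(NORMAL_JOB))
    print("management stream flags:", flags_for_print_path(MANAGEMENT_STREAM))
```

A print-server proxy that applies `flags_for_print_path` and drops the connection on any hit gives you the mitigation the talk implies: workstations reach only the print server, the print server is the only host allowed to open port 9100 on the printers, and anything other than job control on that path is logged and blocked.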
Evite: Or How Not to Build a Web Application
One of the dangers that often seems to scare me the most about web sites today is how you often do not have a choice about them collecting data about you. Evite is one such example. Take a quick poll of your friends and ask who has used it. Many people will likely state that they have used it to create an invitation for an event. However, if you have been invited to an event through Evite, at the very least your e-mail address is probably still in the Evite system even though you may have never opened the e-mail.
Enter security researcher Trent Lo, a cool, suave "dress in all black to look like I lost 5 pounds" security researcher with a devious smile who likes to set up naked parties, and his talk "An Evite from Surbo? Probably an Invitation for Trouble". Trent spent some serious time debugging and analyzing the Evite web application. As it turns out, there is little authentication required in order to manage events, attendees, messages and more. This means that if you can discover the unique identifier for an Evite event (called the EID) you can:
- Invite yourself (or other guests)
- Remove guests
- Send messages to all attendees
- Update the status message of any user
While this may not have repercussions on a global scale that affect the world economy or the security of a nation, it does highlight how web application vulnerabilities can manifest themselves. Trent did highlight one XSS vulnerability on the site. However, all of the other problems stem from the way the application was designed. Someone in the audience asked if this could be patched or fixed easily, and Trent's opinion is that in order to fix the vulnerabilities in the Evite system, a full rewrite of the code is required. Even worse, the same problems were found in a previous iteration of the Evite software, then carried forward into the version running today (http://new.evite.com) and remain unpatched. It underscores the importance of building in security from the ground up and testing your application during the development and testing phases to ensure this does not happen. Until then, I imagine that there will be a few parties that will have their dress code changed unexpectedly.
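The design flaw Trent describes is the classic one of treating an object identifier as if it were an authorization token: knowing the EID is all the application asks for. The following added example (my own illustration, not Evite's code or Trent's tooling; the service, its methods and the sample users are constructed) shows the vulnerable pattern beside the fix. The fix is the one that has to be applied to every operation in the list above: each request is tied to an authenticated session, the caller's relationship to the event is checked before anything is changed, and the EID itself is generated so that it cannot be guessed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    owner: str
    guests: List[str] = field(default_factory=list)
    messages: List[str] = field(default_factory=list)


class InviteService:
    """Minimal in-memory stand-in for an event-invitation backend (constructed)."""

    def __init__(self) -> None:
        self.events: Dict[str, Event] = {}

    def create_event(self, owner: str) -> str:
        # An unguessable identifier removes enumeration, but it is not a
        # substitute for the authorization check below.
        eid = secrets.token_urlsafe(16)
        self.events[eid] = Event(owner=owner)
        return eid

    # ---- Vulnerable pattern: possession of the EID is the only "check" --------
    def remove_guest_vulnerable(self, eid: str, guest: str) -> bool:
        event = self.events[eid]
        if guest in event.guests:
            event.guests.remove(guest)
            return True
        return False

    # ---- Hardened pattern: every write goes through one authorization step ----
    def _authorize(self, session_user: Optional[str], eid: str) -> Event:
        if session_user is None:
            raise PermissionError("login required")
        event = self.events.get(eid)
        # Same response for "no such event" and "not yours" so callers cannot
        # use the error to learn which EIDs exist.
        if event is None or event.owner != session_user:
            raise PermissionError("event not found or not owned by caller")
        return event

    def add_guest(self, session_user: Optional[str], eid: str, guest: str) -> bool:
        event = self._authorize(session_user, eid)
        if guest in event.guests:
            return False
        event.guests.append(guest)
        return True

    def remove_guest(self, session_user: Optional[str], eid: str, guest: str) -> bool:
        event = self._authorize(session_user, eid)
        if guest in event.guests:
            event.guests.remove(guest)
            return True
        return False

    def message_guests(self, session_user: Optional[str], eid: str, text: str) -> int:
        event = self._authorize(session_user, eid)
        event.messages.append(text)
        return len(event.guests)   # number of recipients


def is_denied(action: Callable[[], object]) -> bool:
    """True if the action is refused with PermissionError (helper for checks)."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    svc = InviteService()
    eid = svc.create_event("alice")
    svc.add_guest("alice", eid, "bob")
    print("stranger removes guest via vulnerable path:", svc.remove_guest_vulnerable(eid, "bob"))
    svc.add_guest("alice", eid, "bob")
    print("stranger denied via hardened path:", is_denied(lambda: svc.remove_guest("mallory", eid, "bob")))
```

The `_authorize` step is deliberately the only place ownership is decided, so a new operation cannot forget the check; that is the "security from the ground up" point, and it is also why retrofitting it onto an application that never had it tends to mean the rewrite Trent describes.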
Closing Thoughts
This year's ShmooCon was a great experience that included learning from and interacting with the security community. It highlighted that there are many other people who are looking into printer and embedded device security, encountering them on security assessments and seeing the same issues as I've highlighted in the past. Web applications also continue to be problematic when it comes to security, and it especially shows when security architecture is left out completely. I also had a number of conversations where the term "penetration testing" was mentioned. I believe there are exciting ideas and efforts in this area, and I was honored to meet with some of the top penetration testers to start to hash out an "official definition" of a penetration test. As always, I am looking forward to next year already!
[1] Over 10.5 million printer shipments in 2005 by HP alone. Source: "Hacking printers: for fun and profit" by Andrei Costin at Hack.lu 2010 [Note: This is a great read, and includes tips for setting printers on fire! However, I do not condone this behavior in any way, shape or form, unless of course you have permission to do so and it's in a controlled setting (and that you capture it on video and send it to me)].