lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 07 Oct 2017 19:17:10 -0400
From: kvnjs <kvnjs@...eup.net>
To: fulldisclosure@...lists.org
Cc: Peter Weidenbach <peter.weidenbach@...e.fraunhofer.de>
Subject: Re: [FD]
	Authentication Bypass in Xerox Printers – It is not a bug! It is a legacy feature ;-)

I can't provide an authoritative list of similarly affected printers, but I 
can confirm that every printer firmware image I've actually bothered to 
inspect (BROTHER, for example) is simply a PS document. (Or, in their case, 
"BR-Script3", if there's really a difference...)

I've used the "print to upgrade" trick as far back as the HP LaserJet V, if 
memory serves. I recall doing it on other Xerox printers in 2009, Samsung 
("Dell") printers around 2010, on through my personal Brother laser (produced 
ca. 2010, I think).

It's frequently available, if un-advertised, through any port that's valid to 
print to, whether that's lpr, ftp, raw / JetDirect, or whatever. Best results 
with raw / JD on 9100/tcp.

I mention this because I don't personally have a large stable of printers to 
test and report on. However, my results over most of the past two decades 
indicate that most print engines across the industry will accept firmware via 
PS, PCL, or similar unless measures are taken at the management level to 
prevent firmware images reaching the print engine--this is frequently 
impossible, since virtually no production printers up through major workgroup 
units have a concept of a "hostile" print job or "hostile content", and the 
vast majority of office printers have no authentication required to submit 
print jobs implemented unless someone has taken considerable pains to ensure 
the only route to the printer is via a Windows print share or similar.

Anyone with wider access to printers can probably have a field day with this 
problem.

My personal EPSON unit uses their own proprietary language ( https://
en.wikipedia.org/wiki/ESC/P ), which I believe is referenced in the Linux 
drivers as the ESC/P2 variant, and is *technically* not vulnerable to this 
problem, insofar as the attack might need to be adapted slightly to avoid the 
more common PS/PCL and/or PJL vectors. Despite having a very fast and capable 
management module and print interface, the printer doesn't appear to 
understand PostScript, PCL, or even PJL. I haven't inspected their firmware 
images to see if they're simply ESC/P2 command lists and a binary blob--but I 
would assume so.

BROTHER printers in particular--or at least the ones I took the time to 
examine--include a hardcoded, non-varying "admin" password embedded at the 
beginning of the document (that is, firmware "image") that is required to 
switch the printer from general jobs acceptance to "firmware download mode". 
It must be included with all firmware images to succeed in upgrading, so of 
course Brother include it with every official firmware image.

The embedded admin password cannot be removed or disabled short of rewriting 
firmware, and presumably it can be accessed via any valid-appearing print job 
with any type of content unless pains are taken to install some form of 
specialized "PostScript firewall" (also PCL firewall, possibly XPS firewall, 
etc.) in between all the enabled I/O interfaces and the rest of the world.

I reported all this to BROTHER years ago, persisted long enough to finally 
talk to someone on their development team, and I was told, essentially, that 
they would "look into" this. I didn't expect any further response at that 
point, and I did not get one.

My point is that this specific vulnerability (possibly including hardcoded 
backdoor credentials) probably applies to tens of thousands of models--or 
more--across most or all of the printing industry. It's just a matter of 
getting access to the printers to prove it.

I encourage more researchers to engage in finding and exposing these flaws and 
shaming the industry into starting to fix the total-trust, zero-security model 
they've used for management and print interfaces for decades.


On Friday, September 1, 2017 10:07:26 AM EDT Peter Weidenbach wrote:
> Document Title:
> ===============
> Authentication Bypass in Xerox Printers – It is not a bug! It is a
> legacy feature ;-)
> 
> Description:
> ============
> Xerox enforces authentication before updating a firmware or install a
> configuration file (clone file) in recent firmware versions. That seems
> quite reasonable. Nevertheless you can still simply “print” them via
> port 631 without authentication.
> 
> Xerox says: “The issue that you discovered is a legacy feature intended
> for the convenience of our customers. […] Xerox has begun adding a
> separate disable for the specific issue you discovered to our most
> recent products.”
> 
> However, what could possibly go wrong?
> Even if it is not possible to execute arbitrary code in clone files
> [1,2,3] any more, clone files include an iptables configuration file.
> Possible threats are:
> - Denial of Service: Close all network ports
> - Steal Information: Forward all Print jobs to somewhere else
> 
> Affected Product(s):
> ====================
> Confirmed:
> Xerox Phaser 6700:
> - 081.140.107.11800
> - 081.140.106.21800
> 
> Not confirmed:
> (They share the same DLM clone/update technique)
> - Xerox ColorQube 8700
> - Xerox ColorQube 8900
> - Xerox Phaser 7800
> - Xerox WorkCentre 3655
> - Xerox WorkCentre 58XX
> - Xerox WorkCentre 59XX
> - Xerox WorkCentre 6655
> - Xerox WorkCentre 722X
> - Xerox WorkCentre 75XX
> - Xerox WorkCentre 78XX
> - Xerox WorkCentre 797X
> 
> Vulnerability Disclosure Timeline:
> ==================================
> 2017-06-29: Notification and information exchange with Xerox.
> 2017-07-25: Xerox confirmed the issue
> 2017-08-28: Xerox claims the issue to be a legacy feature
> 2017-09-01: Public Disclosure.
> 
> PoC:
> ====
> Pre-Requirements:
> Clone files or Firmware updates must be enabled in printer’s configuration.
> 
> Demo code:
> curl -s -F filename=@...ONE_OR_FIRMWARE_UPDATE  -X POST
> PRINTER_ADDRESS:631/upload/xerox.set -H Content-Type:
> multipart/form-data -F NextPage=/print/index.php?submitted=true -F
> job_type=print
> 
> 
> Solution - Fix & Patch:
> =======================
> - Disable update and clone features.
> 
> 
> References (Source):
> ====================
> [1]
> https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_67
> 00_white_paper.pdf [2] http://seclists.org/fulldisclosure/2016/Apr/91
> [3] http://h.foofus.net/~percX/Xerox_hack.pdf
> 
> 
> Credits & Authors:
> ==================
> Fraunhofer FKIE: Peter Weidenbach and Christopher Krah
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ