lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <6283966.kqJLWGbFNW@riseup.net> Date: Sat, 07 Oct 2017 19:17:10 -0400 From: kvnjs <kvnjs@...eup.net> To: fulldisclosure@...lists.org Cc: Peter Weidenbach <peter.weidenbach@...e.fraunhofer.de> Subject: Re: [FD] Authentication Bypass in Xerox Printers – It is not a bug! It is a legacy feature ;-) I can't provide an authoritative list of similarly affected printers, but I can confirm that every printer firmware image I've actually bothered to inspect (BROTHER, for example) is simply a PS document. (Or, in their case, "BR-Script3", if there's really a difference...) I've used the "print to upgrade" trick as far back as the HP LaserJet V, if memory serves. I recall doing it on other Xerox printers in 2009, Samsung ("Dell") printers around 2010, on through my personal Brother laser (produced ca. 2010, I think). It's frequently available, if un-advertised, through any port that's valid to print to, whether that's lpr, ftp, raw / JetDirect, or whatever. Best results with raw / JD on 9100/tcp. I mention this because I don't personally have a large stable of printers to test and report on. However, my results over most of the past two decades indicate that most print engines across the industry will accept firmware via PS, PCL, or similar unless measures are taken at the management level to prevent firmware images reaching the print engine--this is frequently impossible, since virtually no production printers up through major workgroup units have a concept of a "hostile" print job or "hostile content", and the vast majority of office printers have no authentication required to submit print jobs implemented unless someone has taken considerable pains to ensure the only route to the printer is via a Windows print share or similar. Anyone with wider access to printers can probably have a field day with this problem. My personal EPSON unit uses their own proprietary language ( https:// en.wikipedia.org/wiki/ESC/P ), which I believe is referenced in the Linux drivers as the ESC/P2 variant, and is *technically* not vulnerable to this problem, insofar as the attack might need to be adapted slightly to avoid the more common PS/PCL and/or PJL vectors. Despite having a very fast and capable management module and print interface, the printer doesn't appear to understand PostScript, PCL, or even PJL. I haven't inspected their firmware images to see if they're simply ESC/P2 command lists and a binary blob--but I would assume so. BROTHER printers in particular--or at least the ones I took the time to examine--include a hardcoded, non-varying "admin" password embedded at the beginning of the document (that is, firmware "image") that is required to switch the printer from general jobs acceptance to "firmware download mode". It must be included with all firmware images to succeed in upgrading, so of course Brother include it with every official firmware image. The embedded admin password cannot be removed or disabled short of rewriting firmware, and presumably it can be accessed via any valid-appearing print job with any type of content unless pains are taken to install some form of specialized "PostScript firewall" (also PCL firewall, possibly XPS firewall, etc.) in between all the enabled I/O interfaces and the rest of the world. I reported all this to BROTHER years ago, persisted long enough to finally talk to someone on their development team, and I was told, essentially, that they would "look into" this. I didn't expect any further response at that point, and I did not get one. My point is that this specific vulnerability (possibly including hardcoded backdoor credentials) probably applies to tens of thousands of models--or more--across most or all of the printing industry. It's just a matter of getting access to the printers to prove it. I encourage more researchers to engage in finding and exposing these flaws and shaming the industry into starting to fix the total-trust, zero-security model they've used for management and print interfaces for decades. On Friday, September 1, 2017 10:07:26 AM EDT Peter Weidenbach wrote: > Document Title: > =============== > Authentication Bypass in Xerox Printers – It is not a bug! It is a > legacy feature ;-) > > Description: > ============ > Xerox enforces authentication before updating a firmware or install a > configuration file (clone file) in recent firmware versions. That seems > quite reasonable. Nevertheless you can still simply “print” them via > port 631 without authentication. > > Xerox says: “The issue that you discovered is a legacy feature intended > for the convenience of our customers. […] Xerox has begun adding a > separate disable for the specific issue you discovered to our most > recent products.” > > However, what could possibly go wrong? > Even if it is not possible to execute arbitrary code in clone files > [1,2,3] any more, clone files include an iptables configuration file. > Possible threats are: > - Denial of Service: Close all network ports > - Steal Information: Forward all Print jobs to somewhere else > > Affected Product(s): > ==================== > Confirmed: > Xerox Phaser 6700: > - 081.140.107.11800 > - 081.140.106.21800 > > Not confirmed: > (They share the same DLM clone/update technique) > - Xerox ColorQube 8700 > - Xerox ColorQube 8900 > - Xerox Phaser 7800 > - Xerox WorkCentre 3655 > - Xerox WorkCentre 58XX > - Xerox WorkCentre 59XX > - Xerox WorkCentre 6655 > - Xerox WorkCentre 722X > - Xerox WorkCentre 75XX > - Xerox WorkCentre 78XX > - Xerox WorkCentre 797X > > Vulnerability Disclosure Timeline: > ================================== > 2017-06-29: Notification and information exchange with Xerox. > 2017-07-25: Xerox confirmed the issue > 2017-08-28: Xerox claims the issue to be a legacy feature > 2017-09-01: Public Disclosure. > > PoC: > ==== > Pre-Requirements: > Clone files or Firmware updates must be enabled in printer’s configuration. > > Demo code: > curl -s -F filename=@...ONE_OR_FIRMWARE_UPDATE -X POST > PRINTER_ADDRESS:631/upload/xerox.set -H Content-Type: > multipart/form-data -F NextPage=/print/index.php?submitted=true -F > job_type=print > > > Solution - Fix & Patch: > ======================= > - Disable update and clone features. > > > References (Source): > ==================== > [1] > https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_67 > 00_white_paper.pdf [2] http://seclists.org/fulldisclosure/2016/Apr/91 > [3] http://h.foofus.net/~percX/Xerox_hack.pdf > > > Credits & Authors: > ================== > Fraunhofer FKIE: Peter Weidenbach and Christopher Krah > > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists