As you may be aware, a vulnerability was reported last week that would allow a malicious or attacked web site to print to printers on a victim's network. The exploit specifically targets printers that can be accessed over the local area network of the victim computer. This can be replicated at a basic level by entering
http://yourprintername:9100/ExploitExists into your browser, replacing "yourprintername" with the local DNS name of your printer. Wait about twenty seconds, and close the browser. Once the browser is closed, your printer will print.
This vulnerability exists in almost all network-capable printers, as port 9100 is the common port used to accept network print jobs. All major web browsers (IE, Firefox, Opera) are vulnerable to this type of exploit. Beyond printers, this type of exploit, which turns your browser into a gateway between an Internet-based attacker and your local network, has been used to change router settings, access files on networked computers, and exploit other network resources.
Because the attack uses channels that are needed for the computer to function, firewalls cannot prevent this type of exploit. If you use a local software firewall, for example, you will no longer be able to print over the network and use of the printer will be eliminated. Packet sniffing is less than ideal because the traffic may appear to be a legitimate print job initiated from the browser (such as a user printing a receipt from a web page).
Also, because of the nature of this attack, it is possible for attack code to be embedded almost anywhere in a page. The code can be contained in image tags and forms. As a result, filtering could fail to prevent the issue. Also, the attack can be performed without using JavaScript, so turning off scripts in your browser would have no effect.
As this is a newer type of vulnerability, the makers of various browsers are still investigating ways to deal with this exploit. My question to you here is, do you have any ideas or suggestions for countering this type of threat?
Links to the exploit and example code:
ha.ckers.org blog post about the issue
Whitepaper with proof of concept
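A detection sketch for the packet-inspection point in the post, added here as an example and not taken from the post or the linked whitepaper: a browser sent to http://yourprintername:9100/ speaks HTTP, so the first bytes it delivers to the printer are a request line and headers, which a heuristic can tell apart from a spooler-generated job. The function name, the header list and the sample payloads are constructed assumptions.

```python
import re

# An HTTP/1.x request line; a raw print job sent to port 9100 does not start with one.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?\n")
BROWSER_HEADERS = ("host", "user-agent", "referer")  # heuristic choice, not a standard

def classify_9100_payload(data: bytes) -> dict:
    """Classify the first bytes a client sent to TCP port 9100."""
    m = REQUEST_LINE.match(data)
    if m is None:
        return {"verdict": "print-job"}
    # Parse header lines up to the blank line that ends the request head.
    head = re.split(rb"\r?\n\r?\n", data, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    seen = [h for h in BROWSER_HEADERS if h in headers]
    return {
        "verdict": "browser-http" if seen else "http-request",
        "method": m.group(1).decode(),
        "target": m.group(2).decode("latin-1"),
        # The Referer, when present, names the page that triggered the request.
        "referer": headers.get("referer"),
        "browser_headers": seen,
    }

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "pjl_job": b'\x1b%-12345X@PJL JOB NAME="receipt"\r\n'
               b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\r\n",
    "browser_get": b"GET /ExploitExists HTTP/1.1\r\n"
                   b"Host: yourprintername:9100\r\n"
                   b"User-Agent: Mozilla/5.0 (constructed)\r\n"
                   b"Referer: http://site.example/page.html\r\n\r\n",
    # Plain-text job that merely begins with the word GET: must not be flagged.
    "text_job": b"GET ready for the quarterly report\r\nPage 1\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, classify_9100_payload(payload))
```

A check like this fits in an IDS rule or in a small proxy placed in front of the printer; it flags the connection by its first bytes and does not depend on where in the page the request was embedded.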