#1
Old 01-23-2008, 12:26 PM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,629
wige
XPS - Cross Printer Scripting Exploit

As you may be aware, a vulnerability was reported last week that would allow a malicious or attacked web site to print to printers on a victim's network. The exploit specifically targets printers that can be accessed over the local area network of the victim computer. This can be replicated at a basic level by entering http://yourprintername:9100/ExploitExists into your browser, replacing "yourprintername" with the local DNS name of your printer. Wait about twenty seconds, and close the browser. Once the browser is closed, your printer will print.

This vulnerability exists in almost all network capable printers, as port 9100 is the common port used to accept network print jobs. All major web browsers (IE, Firefox, Opera) are vulnerable to this type of exploit. Beyond printers, this type of exploit, which turns your browser into a gateway between an Internet based attacker and your local network, has been used to change router settings, access files on networked computers, and exploit other network resources.

Because the attack uses channels that are needed for the computer to function, firewalls cannot prevent this type of exploit. If you use a local software firewall, for example, you will no longer be able to print over the network and use of the printer will be eliminated. Packet sniffing is less than ideal because the traffic may appear to be a legitimate print job initiated from the browser (such as a user printing a receipt from a web page).

Also, because of the nature of this attack, it is possible for attack code to be embedded almost anywhere in a page. The code can be contained in image tags, and forms. As a result, filtering could fail to prevent the issue. Also, the attack can be performed without using JavaScript, so turning off scripts in your browser would have no effect.

As this is a newer type of vulnerability, the makers of various browsers are still investigating ways to deal with this exploit. My question to you here is, do you have any ideas or suggestions for countering this type of threat?

Link to the exploit and example code:
ha.ckers.org blog post about the issue
Whitepaper with proof of concept
__________________
The best way to learn anything, is to question everything.
#2
Old 01-23-2008, 06:57 PM
WebProWorld Veteran
 
Join Date: Apr 2004
Posts: 349
imvain2
Re: XPS - Cross Printer Scripting Exploit

Just in case anyone reads this, it's not an exploit if you have your printer hooked up to a computer and the printer is shared through the local network via the original computer.

It seems to be only an exploit for the printers that have BUILT in network support.

I know this may be obvious to the IT people out there, so that short description was for those of us who aren't IT professionals.
#3
Old 01-23-2008, 09:43 PM
WebProWorld New Member
 
Join Date: May 2006
Posts: 23
mono
Re: XPS - Cross Printer Scripting Exploit

How does it know what's the DNS name of the printer on your internal LAN? I got this hack to work by typing the ip address of my networked printer. How would a malicious script know that ahead of time?
#4
Old 01-23-2008, 11:27 PM
WebProWorld Pro
 
Join Date: Mar 2005
Posts: 119
subsystems
Re: XPS - Cross Printer Scripting Exploit

Ok that's it! I'm selling my computer business and going to work in the food services industry!
Well, on second thought, many companies are switching away from networked printers to desktop printers due to convenience and low cost. But there are many situations where that is not practical.
Hope there is a fix soon in the Windows Update so I can justify ignoring this threat.

Just a note: I suspect this threat was created by those people that want to sell me ink and toner cartridges.

On a more serious note, shouldn't we as an industry be moving people towards being a paperless society? I email my customers invoices & statements in PDF format. If I need a permanent copy I burn them to DVD-RW. Oh, and while I am at it, what's up with the continued use of FAX machines!? WE HAVE THE TECHNOLOGY. Those things are embarrassingly outdated.

Last edited by subsystems; 01-23-2008 at 11:42 PM.
#5
Old 01-24-2008, 10:56 AM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,629
wige
Re: XPS - Cross Printer Scripting Exploit

Quote:
Originally Posted by mono:
How does it know what's the DNS name of the printer on your internal LAN? I got this hack to work by typing the ip address of my networked printer. How would a malicious script know that ahead of time?
Actually, it is possible for a web based applet to determine what (local) IP address the computer is using and scan the entire subnet looking for devices that respond to requests on a certain port. I've, uh... ahem... seen somebody else do it. You could also use a javascript that guesses what the local subnet of the computer would be and tries every address. This is even easier for routers - in default installations, there are maybe three common IP addresses for routers (192.168.0.1, 192.168.1.1, 10.0.0.1) and so many default usernames and passwords that you could easily create a simple script that would change the router's settings or cause the router to crash.
#6
Old 01-24-2008, 10:57 AM
WebProWorld Veteran
 
Join Date: Apr 2004
Posts: 349
imvain2
Re: XPS - Cross Printer Scripting Exploit

I'm planning on taking an old computer and using that as the main print pc and hooking up a fax modem so it can send and receive faxes and save to the hd for those outdated clients of ours.
#7
Old 01-24-2008, 12:41 PM
WebProWorld New Member
 
Join Date: May 2006
Posts: 23
mono
Re: XPS - Cross Printer Scripting Exploit

You said, "Actually, it is possible for a web based applet to determine what (local) IP address the computer is using and scan the entire subnet looking for devices that respond to requests on a certain port. I've, uh... ahem... seen somebody else do it."

Written in JAVA? or Flash? I thought Flash was safer than Javascript. Care to share that script privately? I'm a good guy --- passed all the prescreening and rigorous background checks to work at Symantec and worked there for a while -- I'd like a copy of that script for my private entomology collection.

You said, "You could also use a javascript that guesses what the local subnet of the computer would be and tries every address. "

Yeah I thought of that one. That's why I don't use the default 192.168.0.* on my local net. It would take a javascript long enough so you'd feel it to scan the entire class B, but not so long to scan the default class C with the fixed third octet of 0.

"This is even easier for routers - in default installations, there are maybe three common IP addresses for routers (192.168.0.1, 192.168.1.1, 10.0.0.1) and so many default usernames and passwords that you could easily create a simple script that would change the router's settings or cause the router to crash."

or rewrite certain well-known bank ip addresses to evil hacker webservers and phish the crap out of everyone. But you've moved off the printer hack and on to a more general hack, I think. I'm not following how exploiting port 9100 allows you to change the router. It seems to me like the root cause is having a vulnerable router in the first place which allows the hacker to both hack the router and exploit 9100.

Where I come from, the local custom is to assign 254 to the router, but it's just a custom, not a requirement. Anyone who runs a router on the open internet with the default uid/pass and configs is a clueless noob.
People, your router is your point of ingress into your soft mushy underbelly internal network. That's the door you want to lock.

WHEN ARE WE (in USA) GOING TO GO IPv6? Korea has it, and I think China too.
#8
Old 01-24-2008, 01:01 PM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,629
wige
Re: XPS - Cross Printer Scripting Exploit

Quote:
Originally Posted by mono:
You said, "Actually, it is possible for a web based applet to determine what (local) IP address the computer is using and scan the entire subnet looking for devices that respond to requests on a certain port. I've, uh... ahem... seen somebody else do it."

Written in JAVA? or Flash? I thought Flash was safer than Javascript. Care to share that script privately? I'm a good guy --- passed all the prescreening and rigorous background checks to work at Symantec and worked there for a while -- I'd like a copy of that script for my private entomology collection.
The software the, um, person wrote was done in Java, and worked quite well until one of the managers made me, um, that person, add in a dialog box for the user to confirm the operation. Apparently, successfully using an exploit when talking to a defense contractor is a "bad thing." The applet violated a permissions setting in the JVM to talk to the local network, which has since been patched. Other engineers adapted the program to VBScript and I have seen some versions that use ActiveX. I am not able to share any part of the code, because in addition to the browser exploit, it also exploits internal code in the target system that is considered proprietary, to force the device to alter certain settings. It was actually designed as a diagnostic tool, for people who had a device and set it to DHCP without entering a hostname.

Quote:
Originally Posted by mono:
You said, "You could also use a javascript that guesses what the local subnet of the computer would be and tries every address. "

Yeah I thought of that one. That's why I don't use the default 192.168.0.* on my local net. It would take a javascript long enough so you'd feel it to scan the entire class B, but not so long to scan the default class C with the fixed third octet of 0.

"This is even easier for routers - in default installations, there are maybe three common IP addresses for routers (192.168.0.1, 192.168.1.1, 10.0.0.1) and so many default usernames and passwords that you could easily create a simple script that would change the router's settings or cause the router to crash."

or rewrite certain well-known bank ip addresses to evil hacker webservers and phish the crap out of everyone. But you've moved off the printer hack and on to a more general hack, I think. I'm not following how exploiting port 9100 allows you to change the router. It seems to me like the root cause is having a vulnerable router in the first place which allows the hacker to both hack the router and exploit 9100.

Where I come from, the local custom is to assign 254 to the router, but it's just a custom, not a requirement. Anyone who runs a router on the open internet with the default uid/pass and configs is a clueless noob.
People, your router is your point of ingress into your soft mushy underbelly internal network. That's the door you want to lock.

WHEN ARE WE (in USA) GOING TO GO IPv6? Korea has it, and I think China too.
Yes, I did move on to a much more general topic with the router comments. I just wanted to give an example of how this idea can be expanded on to allow an attacker to exploit almost any network device given the right conditions. Even the strictest router would be unable to prevent the attack because the code is embedded in a requested web page.

Also, because a print operation does not require a response from the printer, all you need to do is open a connection to the IP/port, send the data, and close the connection. A Javascript could do this using AJAX for an entire Class B in maybe 10 seconds. Two asynchronous connections lasting 1-2 ms each would be all that would be required. Of course, hopefully an IDS would detect the burst of traffic, but that is not something most IDS systems look for yet.

Last edited by wige; 01-24-2008 at 01:05 PM. Reason: Grammar
#9
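The IDS-side check wige mentions above (spotting a burst of connections to port 9100 across many hosts) is simple to express, and the example below is an added illustration, not code from the thread or from the ha.ckers.org whitepaper. It assumes a constructed flow-log format of "timestamp src dst:port action" and flags any source that reaches a threshold of distinct port-9100 destinations inside a short sliding window, while a workstation printing repeatedly to its one printer stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not a real firewall's). Host .10
# prints twice to the same printer; host .20 touches four printers in 1 s.
SAMPLE_LOG = """\
2008-01-24T13:01:00 192.168.0.10 192.168.0.50:9100 ALLOW
2008-01-24T13:04:30 192.168.0.10 192.168.0.50:9100 ALLOW
2008-01-24T13:05:00 192.168.0.20 192.168.0.1:80 ALLOW
2008-01-24T13:05:01 192.168.0.20 192.168.0.2:9100 ALLOW
2008-01-24T13:05:01 192.168.0.20 192.168.0.3:9100 ALLOW
2008-01-24T13:05:02 192.168.0.20 192.168.0.4:9100 ALLOW
2008-01-24T13:05:02 192.168.0.20 192.168.0.5:9100 ALLOW
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+([\d.]+)\s+([\d.]+):(\d+)\s+(\w+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_print_port_sweeps(log_text, window_s=10, min_hosts=4, port=9100):
    """Return {src: set(dsts)} for every source that contacted at least
    min_hosts distinct hosts on `port` within any window_s-second window."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport == port:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_s seconds.
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = hosts
                break
    return alerts
```

Tune min_hosts to the number of printers a single workstation legitimately uses; the distinct-host count, not the raw connection count, is what separates a sweep from a busy print queue.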
Old 01-26-2008, 01:21 PM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,063
deepsand
Re: XPS - Cross Printer Scripting Exploit

While this particular vector may be but newly discovered, the vulnerability of any network attached device, including printers and copiers, has been long recognized. Multi-function copiers which contain their own HDs are of particular concern.