MESSAGE
| DATE | 2017-08-06 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [Hangout - NYLXS] printer attacks
|
https://www.pcmag.com/news/355256/your-printer-can-steal-and-deface-your-documents
Its not good to have devices in your house that connect to the "cloud"
Your Printer Can Steal and Deface Your Documents
Because of weaknesses in decades-old protocols, printers can become a
spy and a vandal lurking in your home or office.
Max Eddy Icon
By Max Eddy
July 28, 2017 12:43PM EST
Black Hat
LAS VEGAS—Printers have been part of the modern home and office for
decades, despite numerous attempts to go "paperless." But at the Black
Hat conference here, Jens Müller of Ruhr University Bochum reminded
attendees that just because something is ubiquitous doesn't mean it
should be trusted.
Black Hat Bug ArtMüller first reminded the crowd how far printer
technology had come, displaying a photo of an old dot-matrix printer and
sleek, new laser printer. But despite the powerful capabilities of
today's printers, there "still tends to produce a paper jam," he said.
Add the ability to access the printer via USB, local network, or over
the internet, and you have the recipe for a devastating attack. In fact,
security researchers have warned for years that connected devices like
printers, routers, and even VoIP phones could be used as beachheads for
an attacker. The phone might not be very useful for an attacker, but
perhaps they could use it to pivot to your secure network.
Müller found enough within the humble printer to keep him busy without
trying to escalate an attack. The problem, he said, are the printing
protocols that translate the files on your computer into something the
printer can put to paper. One such protocol—aptly named the Printer Job
Language—was developed in the early 90s by HP, and it can make permanent
changes to the printer, not just the current print job. Another, called
PostScript, was developed by Adobe and was originally intended for
document exchange. It's been largely replaced by the PDF, but is still
heavily used in laser printers. These two languages make up the backbone
of Müller's attacks.
The key point about these printer languages is that the printers
executed code written in these languages that is contained within print
jobs. "There's no separation between administrative functionality and
documents being printed," he explained. "You have data and code over the
same channel, and that's always a bad idea."
The 4 Horsemen of the Printocalypse
Müller noted that the initial work on the weaknesses inside printer
protocols was done some 15 years ago, and is still an issue today. By
studying the standards that outline PostScript and PJL, Müller found
four classes of attack: Denial of service; protection bypass; print job
manipulation; and information disclosure.
The denial of service attack was the simplest. PostScript, Müller
reminded the crowd, is a programming language and an attacker can use
all the tools contained therein. By sending a print job that contained a
single line of PosctScript code, Müller set the printer into an infinite
loop, preventing others from using it. A more advanced attack, he said,
could use the same command to continually write to the printer's memory
until it became exhausted.
In a protection bypass attack, Müller considered a scenario whereby a
savvy administrator placed password protection on all vulnerable
services and devices, including network printers. On some HP printers,
Müller found that a single line of PJL code sent in a normal print job
could reset the device to factory settings. This would remove the
password assigned by the administrator and leave the device vulnerable.
To manipulate print jobs, Müller used the unusual facet of PostScript
where a change made with one print job could be made permanent and
affect all future print jobs. In this case, Müller used the overlay
command to place a Black Hat logo over any document that emerged from
the printer. He encouraged the crowd to get creative. For example, "you
could introduce misspellings in the print job for certain users you
don't like!"
Black Hat 2017
For an information disclosure attack, Müller found that it was possible
to induce a printer to store print jobs in its local memory for
retrieval by the attacker at a later date. He admitted that, in
practice, this was very difficult because it required the attacker to
find memory available in the printer in the first place. That said, it
took only a single command to induce the printer to save its print jobs,
and just one more to retrieve it.
Müller took this attack one step further by imagining a scenario in
which the target printer is behind a firewall that prevents an attacker
from receiving information back from a network printer. By using port
9100 on the printer, and some clever work to trick the network into
thinking a privileged HTTP server was running inside the firewall,
Müller found that it was indeed possible to retrieve print jobs.
Notably, printers aren't the only platforms that execute PostScript
code. Google Cloud Print, a service that lets you send print jobs from
your phone to network printers, executes PostScript code as it converts
files to PDFs for printing. Dropbox does the same thing with certain
files. In these cases, Müller embedded a command to receive information
about the file structure within these services and found that they were
indeed executed. However, both Dropbox and Google Cloud Print use
isolation techniques that prevent anything useful from being obtained by
this attack.
Black Hat 2017
The same problem, however, could exist wherever PostScript files are
processed. A site administrator might not think this affects them, but
if your site lets users upload a user picture, or creates thumbnails
from uploaded images, the potential for attack is there, Müller pointed out.
The Scope of the Problem
A cursory search of Shodan, a favorite search engine of hackers that
finds devices connected to the internet, returned some 34,800
printers—but that's much lower than the actual number, according to
Müller. The point is, though, there are a lot of printers connected to
the web.
And that doesn't include vulnerable printers that aren't connected to
the internet. "Is your department's copy room always locked?" he asked
the crowd. "Are your conference printers really never, never
unattended?" he asked, more emphatically, as a picture of Black Hat
registration area flashed on the screen, its dozen laser printers very
noticeably unattended.
As to how widespread the vulnerabilities are, Müller and his team picked
over 20 different printers from eight different manufacturers. Results
were mixed, with some attacks working on whole lines of printers and
others failing in odd places. The problem, he stressed, is that the
vulnerabilities are in the languages and those are widespread.
Related
Researchers Reveal Secrets of SHA-1 Hash Collision
Researchers Reveal Secrets of SHA-1 Hash Collision
"In the long-term actually we need to get rid of insecure printer
languages," said Müller, but that's a long-term solution, he conceded.
In the short term, he advised sandboxing network printers into a
separate VLAN that is only reachable through a hardened (and he
emphasized "hardened") print server. Printer vendors need to "consider
undoing some insecure decisions," and browser vendors could block port 9100.
And, of course, "always keep the copy room locked."
Up Arrow
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://www.nylxs.com/mailman/listinfo/hangout
|
|
