Network Hacking via the Multifunction Printer

If you haven't taken the time to access the administration Web page for your printer and change its default passwords, do so now. Unfortunately, that will only slow down a very persistent criminal, according to researcher Deral Heiland. Heiland presented his findings last Friday at DefCon 19 in Las Vegas.

For example, Heiland demonstrated that even if you did change the default Toshiba multifunction printer password from 123456 to something much more unique, a criminal can add an extra backslash to the administration page URL and still gain administrator access to the device. Similarly if you copy and paste the URL from the HP Officejet printer login page and then add "page=", this will bypass any new passwords that have been added to those printers. Admin access to a multifunction printer could enable you to access sensitive documents that have been scanned or printed recently.

From the Whipped Cream Difficulties blog:

"This was a fun little talk, covering multi-function printers and the vulnerabilities they introduce into networks. Basically, people get sloppy with these devices and fail to do things like change default passwords; also, many of these devices have bugs in the embedded firmware. The presenter, Deral Heiland, demonstrated some interesting attack vectors: “malformed” URLs which allow you to bypass authentication on certain devices, “information leakage” attacks which allow you to get useful information (like passwords) out of the web admin pages, “forced browsing” attacks which allow you to grab device address books (which may also contain passwords), and “passback attacks” which trick the device into communicating with an attacker (for example, using LDAP configuration script testing). All of this culminated in the release of Praeda, an automated toolkit for attacking multi-function devices."

The tool, Praeda, available for download here allows system administrators to pen test for these vulnerabilities. Heiland includes modules for different makes of printers so you can specifically look for these vulnerabilities in the printers you have on your network.

Whitepaper: Mocana MAP App Level VPN