Chris Kubecka

@SecEvangelism

Riding the Printer Pwnie

Discovering hackable printers with ease on the internet

Printers, a perfect attack pivot on your network

Happy hacker joy with wide open printers on the internet

Currently, I’m finishing up a book on how to use Censys.io to its maximum potential. Censys is a search engine, sort of like Google but not really; it’s more like Shodan, in that it indexes devices and networks across the internet. A project from the University of Michigan, it’s meant for computer scientists, whatever that means. Censys will banner grab and try to name the services and ports running on a system or website. A Censys Python library is maintained to interact with the API.
 
Censys will return:
A summary page of the IP address
Google Maps location
Ports open
Certificate information
A check for the Heartbleed vulnerability
Banner grabs
A StartTLS initiation
Weekly ZMap scans of “FTP, SSH, Telnet, SMTP, DNS, HTTP, Siemens S7, POP3, IMAP, HTTPS, SMTPS, MODBUS, IMAPS, POP3S, UPnP, Niagara Fox, CWMP, DNP3 and BACnet”

While researching the book, these lovely gems of printers began appearing in the search results. Censys.io is quite in-depth and can also apply Tags to devices or systems it finds. This nifty method can discover Brother, or Dell re-branded Brother, printers with the default web services enabled and the password never configured. A default insecure setup with no password. The internet always delivers. The world’s most valuable commodity, printer ink, is at risk.

It’s important to note that utilising Censys.io isn’t the only method of finding these beauties. Vulnerable systems can be discovered quite easily using Dorking with Censys, Shodan, Google, Startpage, DuckDuckGo and other search engine scanning or indexing. Once the printers are found, the password can be changed by an attacker over the internet or on a network, granting full control. The printers can further be utilised as a pivot point to attack deeper into an exposed network by leveraging the in-built Brother administrative tools. Brother was kind enough to build in some excellent tools for diagnostics.

Primarily, the vulnerable systems were found using the web-based interface of Censys. However, they can also be found using the Censys Python library and API connection, or one of my custom PowerShell tools connected to ZMap components. Additionally, tools such as Recon-ng, Metasploit with Censys modules, and Nmap scripts can use a Censys.io API key to ninjafy other pen testing tools. Most of the printers host web pages on port 80, HTTP, but some are on port 443, HTTPS. I used both ports in my searches and scanning.

Censys Dorking

If a password has never been set, several different models carry a warning in the HTML body. Search Censys on the HTML body only, not the HTML title as in Google Dorking.

80.http.get.body

%22Please%26%2332%3Bconfigure%26%2332%3Bthe%26%2332%3Bpassword%22

Using the report function on another Censys field, 80.http.get.title, the models of the printers are returned in a Host Report.

80.http.get.title.raw

Over three thousand printers with model :)
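The dork above is doubly encoded: percent-encoding on the outside and HTML numeric entities (&#32; is a space) underneath, so the body text actually being matched is “Please configure the password”. As an added example, not code from the post or from Censys, the following Python decodes that query and shows how a defender could run the same match over the admin pages of their own printers to find any still showing the unconfigured-password warning. The HTTP bodies are constructed samples, not captured printer output.

```python
"""Decode the Censys body dork and check HTTP bodies for the same banner.

Added example (not from the original post or from Censys). The query on the
page is percent-encoded and, underneath that, HTML-entity-encoded. This block
decodes it and checks constructed HTTP bodies (not real printer output) for
the "password never configured" warning, the way an internal audit of a
printer fleet's admin pages would.
"""
import html
from urllib.parse import unquote

# Query exactly as it appears in the post, used against the 80.http.get.body field.
CENSYS_BODY_DORK = "%22Please%26%2332%3Bconfigure%26%2332%3Bthe%26%2332%3Bpassword%22"


def decode_censys_query(query: str):
    """Return (percent-decoded form, fully decoded plain text).

    Layer 1: percent-encoding  -> "Please&#32;configure&#32;the&#32;password"
    Layer 2: numeric entities  -> Please configure the password
    """
    percent_decoded = unquote(query)
    plain = html.unescape(percent_decoded).strip('"')
    return percent_decoded, plain


def has_unconfigured_password_banner(body: str) -> bool:
    """True if a response body carries the warning, however it is encoded.

    Firmware may emit the warning with literal spaces or with &#32; entities
    and arbitrary line wrapping, so entities are decoded and whitespace is
    normalised before the case-insensitive match.
    """
    _, expected = decode_censys_query(CENSYS_BODY_DORK)
    normalised = " ".join(html.unescape(body).split())
    return expected.casefold() in normalised.casefold()


# Constructed sample bodies, labelled by the state they represent.
SAMPLE_BODIES = {
    "unconfigured_entities": "<html><body><b>Please&#32;configure&#32;the&#32;password</b></body></html>",
    "unconfigured_plain": "<html><body>Please   configure the\npassword</body></html>",
    "configured": "<html><body><form>Login: <input name=pwd></form></body></html>",
}


def audit_bodies(bodies: dict) -> list:
    """Return the labels of every body that still shows the warning."""
    return [label for label, body in bodies.items() if has_unconfigured_password_banner(body)]


if __name__ == "__main__":
    encoded, plain = decode_censys_query(CENSYS_BODY_DORK)
    print("percent-decoded:", encoded)
    print("plain text     :", plain)
    print("still unconfigured:", audit_bodies(SAMPLE_BODIES))
```

The whitespace normalisation matters: a byte-for-byte search for the dork string would miss firmware that writes the sentence with real spaces or wraps it across lines, which is why Censys indexes the rendered body rather than the raw bytes.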

Connecting and controlling printers via the administrative tool

Brother has a fantastic little Admin application, updated in 2017. It can discover any Brother printer in the list you provide. Once the tool finds a compatible Brother printer, no password or login is required to connect. A local test printer is the first one; the two others were discovered via the Censys dork. Put in an IP address or range, it scans, and it connects to whatever it finds. The things one could do if they were evil. This tool gives a fantastic level of access, making it a dual-use piece of software, usable for good and evil 😈

Even tells you the status, sweet

Compatible Brother tool models

Loads of ‘em

Send a remote PRN file to any Brother printer with no authentication

A PRN file is a printer driver file. In 2000 & 2006 HP had egg on their face when printer driver files on their website were infected. When the virus was installed:

“attempts to reboot the PC. On Windows NT machines, it attempts to change system settings”

Although not the same type of attack as back in the day, you can do lots of naughty things with drivers. 64-bit Windows systems require signed drivers. However, there are ways to circumvent this. I love PowerShell, for offensive purposes. There are PowerShell scripts that can help bypass this requirement.

No login, just attach with the admin tool, then you can send a PRN format file. This should apply to any of the compatible printers. After testing a file on my printer, it went haywire, then shut down. It took numerous power cycles and a full reset of the printer to get it back. I was sweating to fix it before my partner got home. I’m not allowed to hack hardware in the house anymore, not even the Roomba :-(

You can make your own PRN file

ZAP path traversal

Once you have an IP address, and you’re allowed to test the printer, you can use OWASP’s ZAP tool to scan the printer’s web services. A basic scan revealed a login URL path traversal vulnerability. So much can be found with ZAP, too much for one post. A Dork can also be crafted to detect the printers on the internet, using parameters that look for “/general/status.html” in the URL, then refining with additional parameters.

Parameter = loginurl happy hacker joy joy

XSS and unsanitized field fun

The printer web interfaces don’t appear to have been security tested that well. My printer isn’t the newest ink guzzler on the block. However, taking into account the other exploitable and vulnerable components, it’s doubtful the printer web interfaces were tested at all for security purposes.

Input
Accepts field submission
You can call me Mr. <script>alert(1)</script> ;-)
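The screenshot above is the classic reflected-XSS shape: a name field accepted without filtering and echoed straight back into the page. As an added example, not code from the post or from Brother’s firmware, the Python below models a hypothetical settings page that renders a submitted contact name, and puts the defect (raw interpolation into HTML) beside the fix (output encoding for the HTML text-node context), using the same value submitted in the screenshot.

```python
"""Reflected name field: the defect behind the <script>alert(1)</script> screenshot.

Added example, not code from the original post or from Brother's firmware.
It models a hypothetical settings page that echoes a submitted contact name.
render_unsafe() reproduces the defect (raw string interpolation into HTML);
render_safe() is the fix (output encoding for the HTML text-node context).
"""
import html

# The value submitted in the screenshot on the page.
SUBMITTED_NAME = "You can call me Mr. <script>alert(1)</script> ;-)"

# Hypothetical page template; {name} lands in a text node inside <p>.
PAGE_TEMPLATE = "<html><body><h1>Contact</h1><p>Name: {name}</p></body></html>"


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input becomes markup, so the browser runs the script."""
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened: escape &, <, >, " and ' so the input renders as literal text."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


def contains_script_tag(rendered: str) -> bool:
    """Comparison helper: does an unescaped <script tag survive in the output?"""
    return "<script" in rendered.lower()


def rendered_text(rendered: str) -> str:
    """What the user would actually read: entities decoded back to characters."""
    return html.unescape(rendered)


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SUBMITTED_NAME))
    print("safe   :", render_safe(SUBMITTED_NAME))
    print("script survives unsafe?", contains_script_tag(render_unsafe(SUBMITTED_NAME)))
    print("script survives safe?  ", contains_script_tag(render_safe(SUBMITTED_NAME)))
```

The fix is output encoding chosen for the context the value lands in, not input filtering: the hardened page still stores and displays exactly what was typed, but the browser sees text rather than an element. A value destined for an attribute or a script block would need the encoding for that context instead.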

Remote File Inclusion

The login field in the Brother form on several web pages isn’t adequately sanitised or filtered against dangerous user input. By modifying the field, external web pages and files can be pulled in, and other malicious activity carried out. This vulnerability also bypasses any login permissions.

A POST replay with modification of the form element works because the field accepts a URL. I could probably have it open up naughty files and other things. I used both ZAP and Fiddler 4 as a proxy to test and prove it. The user agent string doesn’t matter.

Vulnerable request (1.2.3.4 is a fake IP):

POST http://1.2.3.4/general/status.html HTTP/1.1
Host: 1.2.3.4
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/general/contact.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Ncb=ZAP&loginurl=https%3A%2F%2Fwww.reddit.com

Response:

HTTP/1.1 200 OK

What you receive back is <title>Reddit</title>, or Google, or whatever you want to partially open via the printer web interface.

Yummy
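The replayed request above hinges on one field: loginurl carries a fully qualified URL and the firmware follows it. As an added example, not code from the post or from Brother, the Python below parses that request (using the page’s own fake IP, 1.2.3.4), flags any loginurl that points off-host, which a reverse proxy or log pipeline in front of printer admin pages could do, and shows the allow-list check a vendor could apply server-side. is_safe_login_url and flag_requests are hypothetical names, not Brother functions, and the second request is a constructed benign control.

```python
"""loginurl: parse the replayed POST, flag off-host values, show the allow-list fix.

Added example, not from the original post or from Brother's firmware.
RAW_REQUEST reproduces the request shown on the page (1.2.3.4 is the author's
fake IP); BENIGN_REQUEST is a constructed control. is_safe_login_url() is a
hypothetical server-side check; flag_requests() is a defender-side check to
run over captured form bodies.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

RAW_REQUEST = (
    "POST http://1.2.3.4/general/status.html HTTP/1.1\r\n"
    "Host: 1.2.3.4\r\n"
    "Referer: http://1.2.3.4/general/contact.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "Ncb=ZAP&loginurl=https%3A%2F%2Fwww.reddit.com"
)

# Constructed control: same form, but loginurl stays on the printer itself.
BENIGN_REQUEST = (
    "POST http://1.2.3.4/general/status.html HTTP/1.1\r\n"
    "Host: 1.2.3.4\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "Ncb=ZAP&loginurl=%2Fgeneral%2Fstatus.html"
)


def split_request(raw: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (request target, lower-cased header dict, decoded form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs percent-decodes, so https%3A%2F%2F... comes back as https://...
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return target, headers, form


def is_safe_login_url(value: str) -> bool:
    """Allow only an absolute path on the same origin as a post-login redirect.

    Rejects scheme-qualified URLs (https://...), protocol-relative ones (//host),
    backslashes (some browsers treat them as '/'), control characters, and
    anything not beginning with exactly one '/'.
    """
    if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    if "\\" in value:
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return value.startswith("/") and not value.startswith("//")


def flag_requests(raw_requests: List[str]) -> List[Tuple[str, str]]:
    """Return (target, loginurl) for every request whose loginurl leaves the host."""
    findings = []
    for raw in raw_requests:
        target, _, form = split_request(raw)
        value = form.get("loginurl")
        if value is not None and not is_safe_login_url(value):
            findings.append((target, value))
    return findings


if __name__ == "__main__":
    for target, value in flag_requests([RAW_REQUEST, BENIGN_REQUEST]):
        print(f"off-host loginurl in POST {target}: {value}")
```

The allow-list is deliberately narrow: a redirect target that is not a same-origin absolute path has no legitimate use on a printer’s login page, so anything else can be rejected outright rather than trying to block-list known-bad hosts.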

Conclusion

Hope one of these isn’t exposing something important, like a hospital network…

Utilising printers as attack tools isn’t theoretical, and they make for an interesting and potentially juicy target. Printers are connected to your network, they hold information about your network, and they sometimes carry in-built administrative tools that are dual-use and can serve as a stealthier attack pivot to get deeper into a network. Printers and multi-function scanners are usually overlooked for security testing, patching and risk assessment, or left out of security policies altogether. There is no printer anti-virus or next-generation printer intrusion protection system, and printers typically have limited to no usable logs for security purposes. There is a reason Censys.io has written the ability to tag detected printer devices.

Back in 2017, I began trying to report these issues to Brother, to no avail. Sadly, Brother didn’t respond, and there’s no bug bounty program. Off to a CERT as a vulnerability report. Printers aren’t super sexy, but they can provide a lovely pivot point for attackers with imagination. An attacker only needs to get lucky once. You have to be lucky every time. Don’t make it easy: secure your printer with a password and limit its exposure to the outside world. Please, for the love of God, don’t trust that scheming plastic ink killer.

Leave a clap (or 50+) and please feel free to comment.
