MESSAGE
DATE | 2017-08-06
FROM | Ruben Safir
SUBJECT | [Hangout - NYLXS] printer attacks
https://www.pcmag.com/news/355256/your-printer-can-steal-and-deface-your-documents
It's not good to have devices in your house that connect to the "cloud"
Your Printer Can Steal and Deface Your Documents
Because of weaknesses in decades-old protocols, printers can become a spy and a vandal lurking in your home or office.
By Max Eddy July 28, 2017 12:43PM EST
Black Hat
LAS VEGAS—Printers have been part of the modern home and office for decades, despite numerous attempts to go "paperless." But at the Black Hat conference here, Jens Müller of Ruhr University Bochum reminded attendees that just because something is ubiquitous doesn't mean it should be trusted.
Müller first reminded the crowd how far printer technology had come, displaying a photo of an old dot-matrix printer and sleek, new laser printer. But despite the powerful capabilities of today's printers, there "still tends to produce a paper jam," he said.
Add the ability to access the printer via USB, local network, or over the internet, and you have the recipe for a devastating attack. In fact, security researchers have warned for years that connected devices like printers, routers, and even VoIP phones could be used as beachheads for an attacker. The phone might not be very useful for an attacker, but perhaps they could use it to pivot to your secure network.
Müller found enough within the humble printer to keep him busy without trying to escalate an attack. The problem, he said, is the printing protocols that translate the files on your computer into something the printer can put to paper. One such protocol—aptly named the Printer Job Language—was developed in the early 90s by HP, and it can make permanent changes to the printer, not just the current print job. Another, called PostScript, was developed by Adobe and was originally intended for document exchange. It's been largely replaced by the PDF, but is still heavily used in laser printers. These two languages make up the backbone of Müller's attacks.
The key point about these printer languages is that the printers execute code written in these languages that is contained within print jobs. "There's no separation between administrative functionality and documents being printed," he explained. "You have data and code over the same channel, and that's always a bad idea."

The 4 Horsemen of the Printocalypse
Müller noted that the initial work on the weaknesses inside printer protocols was done some 15 years ago, and is still an issue today. By studying the standards that outline PostScript and PJL, Müller found four classes of attack: Denial of service; protection bypass; print job manipulation; and information disclosure.
The denial of service attack was the simplest. PostScript, Müller reminded the crowd, is a programming language and an attacker can use all the tools contained therein. By sending a print job that contained a single line of PostScript code, Müller set the printer into an infinite loop, preventing others from using it. A more advanced attack, he said, could use the same command to continually write to the printer's memory until it became exhausted.
In a protection bypass attack, Müller considered a scenario whereby a savvy administrator placed password protection on all vulnerable services and devices, including network printers. On some HP printers, Müller found that a single line of PJL code sent in a normal print job could reset the device to factory settings. This would remove the password assigned by the administrator and leave the device vulnerable.
To manipulate print jobs, Müller used the unusual facet of PostScript where a change made with one print job could be made permanent and affect all future print jobs. In this case, Müller used the overlay command to place a Black Hat logo over any document that emerged from the printer. He encouraged the crowd to get creative. For example, "you could introduce misspellings in the print job for certain users you don't like!"
For an information disclosure attack, Müller found that it was possible to induce a printer to store print jobs in its local memory for retrieval by the attacker at a later date. He admitted that, in practice, this was very difficult because it required the attacker to find memory available in the printer in the first place. That said, it took only a single command to induce the printer to save its print jobs, and just one more to retrieve it.
Müller took this attack one step further by imagining a scenario in which the target printer is behind a firewall that prevents an attacker from receiving information back from a network printer. By using port 9100 on the printer, and some clever work to trick the network into thinking a privileged HTTP server was running inside the firewall, Müller found that it was indeed possible to retrieve print jobs.
Notably, printers aren't the only platforms that execute PostScript code. Google Cloud Print, a service that lets you send print jobs from your phone to network printers, executes PostScript code as it converts files to PDFs for printing. Dropbox does the same thing with certain files. In these cases, Müller embedded a command to receive information about the file structure within these services and found that they were indeed executed. However, both Dropbox and Google Cloud Print use isolation techniques that prevent anything useful from being obtained by this attack.
The same problem, however, could exist wherever PostScript files are processed. A site administrator might not think this affects them, but if your site lets users upload a user picture, or creates thumbnails from uploaded images, the potential for attack is there, Müller pointed out.

The Scope of the Problem
A cursory search of Shodan, a favorite search engine of hackers that finds devices connected to the internet, returned some 34,800 printers—but that's much lower than the actual number, according to Müller. The point is, though, there are a lot of printers connected to the web.
And that doesn't include vulnerable printers that aren't connected to the internet. "Is your department's copy room always locked?" he asked the crowd. "Are your conference printers really never, never unattended?" he asked, more emphatically, as a picture of Black Hat registration area flashed on the screen, its dozen laser printers very noticeably unattended.
As to how widespread the vulnerabilities are, Müller and his team picked over 20 different printers from eight different manufacturers. Results were mixed, with some attacks working on whole lines of printers and others failing in odd places. The problem, he stressed, is that the vulnerabilities are in the languages and those are widespread.
"In the long-term actually we need to get rid of insecure printer languages," said Müller, but that's a long-term solution, he conceded.
In the short term, he advised sandboxing network printers into a separate VLAN that is only reachable through a hardened (and he emphasized "hardened") print server. Printer vendors need to "consider undoing some insecure decisions," and browser vendors could block port 9100.
And, of course, "always keep the copy room locked."
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://www.nylxs.com/mailman/listinfo/hangout
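
Added example, not part of the original message, the article or Müller's talk: a Python allowlist filter that the hardened print server recommended in the article could run over raw port 9100 jobs, so that only per-job PJL reaches the printer and PostScript is refused. The allowlists are an assumed site policy, and `check_job` and the sample jobs are constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language: switches the printer back to PJL

# Assumed site policy (not from the article): everything not listed is refused.
ALLOWED_COMMANDS = {"", "JOB", "EOJ", "COMMENT", "SET", "ENTER"}
ALLOWED_SET_VARS = {"COPIES", "DUPLEX", "PAPER", "ORIENTATION", "RESOLUTION"}
ALLOWED_LANGUAGES = {"PCL", "PDF"}  # PostScript is not accepted from clients

PJL_LINE = re.compile(rb"^@PJL[ \t]*([A-Za-z]*)[ \t]*(.*)$")

def check_job(raw: bytes) -> list:
    """Return the policy violations in one raw job; an empty list means forward it."""
    problems = []
    for segment in raw.split(UEL):
        for line in segment.splitlines():
            line = line.strip()
            if not line:
                continue
            m = PJL_LINE.match(line)
            if m is None:
                # Page data may only follow an allowed ENTER LANGUAGE line.
                problems.append("page data without a declared language")
                break
            cmd = m.group(1).decode().upper()
            key, _, value = m.group(2).decode("latin-1").upper().partition("=")
            key, value = key.strip(), value.strip()
            if cmd not in ALLOWED_COMMANDS:
                problems.append(f"command not allowed: {cmd}")
            elif cmd == "SET" and key not in ALLOWED_SET_VARS:
                problems.append(f"SET variable not allowed: {key}")
            elif cmd == "ENTER":
                if key != "LANGUAGE" or value not in ALLOWED_LANGUAGES:
                    problems.append(f"language not allowed: {value or key}")
                break  # the rest of this segment is page data, not PJL
    return problems

# Constructed sample jobs (not captured traffic).
GOOD = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=2\r\n'
        b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE page data \x1bE" + UEL + b"@PJL EOJ\r\n")
# DEFAULT changes the printer's stored defaults instead of this job's settings.
PERSISTENT = UEL + b"@PJL DEFAULT COPIES=5\r\n@PJL ENTER LANGUAGE=PCL\r\n..." + UEL
POSTSCRIPT = UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\r\nshowpage\r\n" + UEL
BARE = b"%!PS-Adobe-3.0\nshowpage\n"

if __name__ == "__main__":
    for name, job in [("GOOD", GOOD), ("PERSISTENT", PERSISTENT),
                      ("POSTSCRIPT", POSTSCRIPT), ("BARE", BARE)]:
        print(name, check_job(job) or "forward to printer")
```

The filter only helps if the printers accept connections from the print server alone, which is what the separate VLAN in the article's advice provides.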