|
Vulnerability Tektronix PhaserLink Affected Tektronix PhaserLink Webserver Description Dennis W. Mattison found following. As more and more printer companies add insecure protocols and daemons to their printers as features to make their machines more available to the end users, they make their printers more available to exploits by hackers as well. Unfortunately, many of the bugs in these printers are available for exploit since often these services come turned on by default and little information is provided up front on how to turn them off. Tektronix has a particularly nasty bug which is quite amusing. On their Phaser 740 color printers (they may be on other printers, but tester had the access only to this one). Tektronix packages a webserver, built into the printer, to allow an administrator to access and change the configuration remotely. By opening a standard web-browser and pointing to the printer's URL, this webserver allows any user to access the Status and Configuration of the printer. Luckly, Tektronix is smart enough to require an administrator password be entered in order to prevent just anyone from changing the settings of the printer (well, it was a good idea, but unfortunately as we'll soon see this administrator password is a joke). Tektronix does recommend that users enter an administrator password, and the manual is quite specific on how this is accomplished (though the manual does state that these passwords are sent unencrypted from the browser to the printer). Unfortunately, using some hidden and undocumented URL's, the administrator password is shown to anyone without any sort of authentication and allows anyone to bypass this password to directly reconfigure the printer, which kinda defeats the purpose entirely. To grab the administrator password, just use the URL http://printername/ncl_items.html?SUBJECT=2097. Presto, the password appears in plain text for all the world to see. Of course, you can also change the administrator password here to whatever you want, without needing to provide any authentication information. In a matter of fact, you can change just about any configuration information in the printer without a user id or password by using the URL http://printername/ncl_subjects.html and choose one of the subjects listed. So, if the administrator went through all the trouble of shutting down the insecure services like telnet and ftp or put in passwords for these services, there is nothing stopping you from going in and changing these passwords and turning these services back on. All you need to do is swipe the administrator password, now you have access to all the configuration options on the printer and can do what you please. You may even like the fact that you can use the URL http://printername/ncl_items.html?SUBJECT=1 and set the factory default setting to On, then hit the "Lets change EVERYTHING" button and voila, a brand new printer (and a really good Network DoS, since it kills off the IP address and other important networking information). An exploit (for just about anything) is trivial... This all was confirmed for phaser 780, 840 and 360 (Phaser). Solution 1. Block Port 80 access to this printer via a router or firewall. This will prevent access to this software from those outside the network. Also, since very rarely will anyone print from outside the local network, setting the default gateway be the same as the IP address will keep outside users from exploiting this service. 2. Disable the PhaserLink Webserver on the printer. This can be accomplished through the control panel, switching the HTTP Protocol to Disabled (Under Printer Configuration | Network Settings | HTTP), but it can also be accomplished via the URL http://printername/ncl_items?SUBJECT=2097, then switch the setting "On" to off. (We are still testing the printer to make sure that this setting permanently disables the functionality of this HTTP server). However, doing so will prevent you from being able to remotely administer this machine using the web browser. There are other methods, but these two appear to be the best. According to Bernhard Schneck and Gerhard den Hollander, the 350 and 560 printers are not (confirmed on one of our printers here) vulnerable to this attack. Phaser 260 seems yo be clean.