[Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]

[dwmatt () NOSC MIL (Dennis W. Mattison)]

Searched the archives to see if this one has already come out, but didn't
find it.

As more and more printer companies add insecure protocols and daemons to
their printers as features to make their machines more available to the end
users, they make their printers more available to exploits by hackers as
well.  Unfortunately, many of the bugs in these printers are available for
exploit since often these services come turned on by default and little
information is provided up front on how to turn them off.  We have contacted
Tektronix on numerous occasions about these vulnerabilities, and have
received a cold shoulder each time...maybe this will spark some movement now
that they know the exploit community has the keys (it is doubtful that the
exploit community didn't know this to start with.)

Tektronix has a particularly nasty bug which is quite amusing.  On their
Phaser 740 color printers (they may be on other printers, but I haven't had
the access I need to the other printers to find out,) Tektronix packages a
webserver, built into the printer, to allow an administrator to access and
change the configuration remotely.  By opening a standard web-browser and
pointing to the printer's URL, this webserver allows any user to access the
Status and Configuration of the printer.  Luckly, Tektronix is smart enough
to require an administrator password be entered in order to prevent just
anyone from changing the settings of the printer (well, it was a good idea,
but unfortunately as we'll soon see this administrator password is a joke.)
Tektronix does recommend that users enter an administrator password, and the
manual is quite specific on how this is accomplished (though the manual does
state that these passwords are sent unencrypted from the browser to the
printer.)  Unfortunately, using some hidden and undocumented URL's, the
administrator password is shown to anyone without any sort of authentication
and allows anyone to bypass this password to directly reconfigure the
printer, which kinda defeats the purpose entirely.

To grab the administrator password, just use the URL
http://printername/ncl_items.html?SUBJECT=2097.  Presto, the password
appears in plain text for all the world to see.  Of course, you can also
change the administrator password here to whatever you want, without needing
to provide any authentication information.  In a matter of fact, you can
change just about any configuration information in the printer without a
user id or password by using the URL http://printername/ncl_subjects.html
and choose one of the subjects listed.  So, if the administrator went
through all the trouble of shutting down the insecure services like telnet
and ftp or put in passwords for these services, there is nothing stopping
you from going in and changing these passwords and turning these services
back on.  All you need to do is swipe the administrator password, now you
have access to all the configuration options on the printer and can do what
you please.

I even like the fact that you can use the URL
http://printername/ncl_items.html?SUBJECT=1, and set the factory default
setting to On, then hit the "Lets change EVERYTHING" button and voila, a
brand new printer (and a really good Network DoS, since it kills off the IP
address and other important networking information.)

An exploit (for just about anything) is trivial...

SOLUTIONS:

1.  Block Port 80 access to this printer via a router or firewall.  This
will prevent access to this software from those outside the network. Also,
since very rarely will anyone print from outside the local network, setting
the default gateway be the same as the IP address will keep outside users
from exploiting this service.

2.  Disable the PhaserLink Webserver on the printer.  This can be
accomplished through the control panel, switching the HTTP Protocol to
Disabled (Under Printer Configuration | Network Settings | HTTP), but it can
also be accomplished via the URL http://printername/ncl_items?SUBJECT=2097,
then switch the setting "On" to off. (We are still testing the printer to
make sure that this setting permanently disables the functionality of this
HTTP server.)  However, doing so will prevent you from being able to
remotely administer this machine using the web browser.

There are other methods, but these two appear to be the best.

Dennis (aka Little Wolf)

--
Dennis W. Mattison
SPAWAR Network Security Team
SAIC - Center for Information Security Technology (CIST)
Ph: (619) 553-2343 Email: dwmatt () nosc mil, mattisond () saic com