At Shmoocon 2011, Deral Heiland “PercX” and Pete Arzamendi “Bokojan” gave a presentation titled, Printer to PWND: Leveraging Multifunction Printers During Penetration Testing. I was watching via the live streaming. There were some audio issues on the live stream for the first couple of slides.
Basically, they’ve found two key things. Most enterprises aren’t updating their multifunction copiers even when they update all the Windows boxes and these copiers contain security issues.
The presenters found that on many copiers website security occurred on the front page website. If you knew the address of subsites or in some cases if you provided a double forward slash, no authentication is required. Of course when most copiers are using a default password, this isn’t especially significant. Even when companies do change the default password, some of these copiers are giving it away in the source code of the webpage.
So how is this useful? Sometimes copiers are configured with Active Directory credentials to allow copier users to perform LDAP lookups to Active Directory. Sometimes domain accounts are saved on the copier to implement “scan to share” functionality. The scanned job is saved to a network share using a domain account. Hopefully you haven’t used a privileged account for such a trivial task. If you have game over, the account username and password may not be well protected. If it is a limited rights account, it can still be used to access Active Directory and query for an accounts list.
The presenters went on to give several examples where they have used information gathered from multi-function copiers in penetration tests.
To make things more difficult for attacks:
1. Change the factory default passwords
2. Patch the systems, roll out updated firmware
3. Consider putting printers on isolated vlans. The payroll printer doesn’t need to be accessible by all.
4. Obviously don’t use privileged accounts on the copier.