In the Middle of Printers: (In)security of Pull Printing Solutions
1. In The Middle Of Printers
(In)security of Pull Printing Solutions
Jakub Kałużny
PHDays IV, Moscow, 2014
2. 22
#whoami
• IT Security Consultant at SecuRing
• Consulting all phases of SDLC
• Previously worked for ESA and online
money transfers company
• Bug bounty hunter
3. 33
Why hack pull printing?
• Widely used
• Confidential data
• Getting popular
10. 1010
Ex 1: Secure Pull Printing
“is a modern printing solution that
safeguards document confidentiality
and unauthorized access to print, scan,
copy and e-mail functions. Its user-
authentication provides air-tight
security on your shared MFPs that
function as personal printers.”
11. 1111
Vendor ensures
„Documents are delivered only into the right hands”
„Information is kept confidential. No risk of being
left unattended at the printer”
„Document collection is safe anytime and
anywhere — no “print and sprint”.”
„Integration with other enterprise applications and
workflows is kept secure through single sign-on”
12. 1212
Ex 1: Proprietary protocol
First look on communication:
• TCP, 2 ports
• No cleartext, no SSL
• Seems to follow some scheme…
13. 1313
Ex1: Deeper sight on traffic
S
E
R
V
E
R
P
R
I
N
T
E
R
constant 263B
96B, “X” B, 128B
always different 64 B
many identical 16B blocks
HELLO
HELLO, CERTIFICATE
SESSION KEY
PostScript, ECB mode
15. 1515
Ex 1: Reverse-engineered
• Hardcoded RSA certificate in printer
embedded software
• No trust store
• AES-128 ECB used for traffic
encryption
• Same protocol in admin interface
17. 1717
“Many of the devices does not have the
CPU power that allows a fast login
response and at the same time
establish a high security level”
For example changing ECB to CBC
mode encryption will be more CPU
intensive and introducing that may
cause slower performance of the
devices, which the customers are very
reluctant to see implemented.”
Ex 1: Vendor gets notified
“(…) system has been deployed at
many high security customers and has
passed internal audits.”
18. 1818
Ex 2: Responsible vendor
“With its roots in education and the full
understanding that college kids “like
to hack”, our development processes
continually focus on security.”
“Secure print release (…) can
integrate card-swipe user authentication
at devices (…) ensuring jobs are only
printed when the collecting user is
present.”
19. 1919
Ex 2: Another binary protocol
S
E
R
V
E
R
P
R
I
N
T
E
R
HELLO
USER: user1
token
HASH(password + token)
Password ok
Release my print queue
OK
Just copied 100 pages
20. 2020
Charge user “guest-xyz” for copying 100 pages
Ex 2: Detailed communication
Release my print queue
Just copied 100 pages
User permissions
beginDeviceTransaction
(…) guest-xyz
Release print queue for user “guest-xyz”
S
E
R
V
E
R
P
R
I
N
T
E
R
22. 2222
Ex 2: Vendor gets notified
• Gave access to KB and support
service
• And all versions of software
• Responded in few hours and patched
in few days
• Was happy to be pentested
23. 2323
Ex 3: Secure Print Solutions
“The Secure Print technology offers:
High Security - Jobs only print when
released by the user”
24. 2424
Ex 3: Architecture design
• Network level protection
• IP whitelist
• Stateless HTTP service, no session
token, no cookie
25. 2525
Ex 3: Authentication request
S
E
R
V
E
R
P
R
I
N
T
E
R
POST /AuthenticateLogin2 HTTP/1.1
(...)
param1=username¶m2=password
27. 2727
Ex 3: Tampering accountability
S
E
R
V
E
R
P
R
I
N
T
E
R
POST /LogJob HTTP/1.1
(…)
data=<job><job-id>1073741847</job-
id><name>_Print_____1073741847</name><type>103</type><
type-string>Print</type-string><page-cnt>0</page-
cnt><color-page-cnt>0</color-page-
cnt><color>0</color><duplex>0</duplex><page-
size>0</page-size><page-size-
string>Unknown_Size</page-size-
string><media>Unknown</media><dest>UNKNOWN</dest>
<user-name>USER1</user-name><email-
address>unknown@unknown.com</email-address></job>
Just printed a job, note it and charge
29. 2929
Ex 3: Vendor gets notified
Received, and will look it over with engineers.
I'll come back to you shortly.
Discussed with engineers, and the reason why
communication was non-SSL, was to support
older Lexmark devices which cannot do SSL.
30. 3030
Other vulnerabilities
• Logs and printed files on a default web
server
• Brute-force attack in admin/user
interfaces, no logs
• XSS and CSRF in web interfaces
• Predictable session identifiers
• DoS attack vulnerability
32. 3232
Research problems
Why do vendors fear pentests?
• no direct profit
• risk of finding criticals
• implies a lot of patching
33. 3333
Cheat sheet - developers
Encryption between server and
printer/user:
• Avoid writing your own crypto
• Avoid writing your own proto
• Authenticate both side
34. 3434
Cheat sheet - developers
Behind the proprietary protocol:
• Access control
• Separate interfaces
• MITM protection is not enough
35. 3535
Cheat sheet - testers
Look for vulnerabilities in:
• Encryption and authentication
• Access control in proprietary
protocols
• Infrastructure design
36. 3636
Cheat sheet - owners
While deploying a pull printing solution:
• Get it pentested
• Network layer security - IPsec, VLANs
• Verify vendor claims
http://gigaimg.com/images/68175143262443344759.gif
37. 3737
What’s next ?
• CVEs disclosure
• A follow-up paper
• Ready to fight new proprietary
protocols
Flow diagram; User not directly with the printer, he only authenticate and release print queues
A lot of funcionality, Different access roles, many threat agents, attack vectors and as it turned out – many vulnerabilities
An owner would not like to have
Their documents sniffed
Subordinate employee printing chairman’s contracts
Employees printing books at others’ expense, tampering acc
Users data stolen
In case of sniffing – printer is the client
MFP got everything – hard disk, usb port, embedded software, VNC server
Quantity analysis
ECB is faster, but Only when using parallel
Either printers have multi-thread procesor, or they lack computation power.
Widely used on universitites
We started with basic tests: SQLi in param2, omitting param2, empty param2…