In the Middle of Printers: (In)security of Pull Printing Solutions
•
1 j'aime•1,353 vues
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à In the Middle of Printers: (In)security of Pull Printing Solutions
Similaire à In the Middle of Printers: (In)security of Pull Printing Solutions (20)
Plus de Positive Hack Days
Plus de Positive Hack Days (20)
Dernier
Dernier (20)
In the Middle of Printers: (In)security of Pull Printing Solutions
- 1. In The Middle Of Printers (In)security of Pull Printing Solutions Jakub Kałużny PHDays IV, Moscow, 2014
- 2. 22 #whoami • IT Security Consultant at SecuRing • Consulting all phases of SDLC • Previously worked for ESA and online money transfers company • Bug bounty hunter
- 3. 33 Why hack pull printing? • Widely used • Confidential data • Getting popular
- 6. 66 Threat modelling – key risks sniffing print queues accountability users’ data
- 7. 77 Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
- 8. 88 Sniffing documents • No encryption • No challenge • Only documents encrypted • ECB mode for PostScript ? • Encryption layer over the traffic • Network level – IPsec, SSL • Proprietary protocol ? https://en.wikipedia.org/wiki/ECB_mode http://quickmeme.com
- 9. 99 What is needed ? http://www.memegen.com/meme/e4tvwy
- 10. 1010 Ex 1: Secure Pull Printing “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user- authentication provides air-tight security on your shared MFPs that function as personal printers.”
- 11. 1111 Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
- 12. 1212 Ex 1: Proprietary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
- 13. 1313 Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode
- 14. 1414 PoC script for MITM
- 15. 1515 Ex 1: Reverse-engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
- 16. 1616 Ex 1: Consequences sniffing print queues accountability users’ data
- 17. 1717 “Many of the devices does not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Ex 1: Vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
- 18. 1818 Ex 2: Responsible vendor “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
- 19. 1919 Ex 2: Another binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
- 20. 2020 Charge user “guest-xyz” for copying 100 pages Ex 2: Detailed communication Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
- 21. 2121 Ex 2: Consequences sniffing print queues accountability users’ data
- 22. 2222 Ex 2: Vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
- 23. 2323 Ex 3: Secure Print Solutions “The Secure Print technology offers: High Security - Jobs only print when released by the user”
- 24. 2424 Ex 3: Architecture design • Network level protection • IP whitelist • Stateless HTTP service, no session token, no cookie
- 25. 2525 Ex 3: Authentication request S E R V E R P R I N T E R POST /AuthenticateLogin2 HTTP/1.1 (...) param1=username¶m2=password
- 26. 2626 Ex 3: Hacking without any tools
- 27. 2727 Ex 3: Tampering accountability S E R V E R P R I N T E R POST /LogJob HTTP/1.1 (…) data=<job><job-id>1073741847</job- id><name>_Print_____1073741847</name><type>103</type>< type-string>Print</type-string><page-cnt>0</page- cnt><color-page-cnt>0</color-page- cnt><color>0</color><duplex>0</duplex><page- size>0</page-size><page-size- string>Unknown_Size</page-size- string><media>Unknown</media><dest>UNKNOWN</dest> <user-name>USER1</user-name><email- address>unknown@unknown.com</email-address></job> Just printed a job, note it and charge
- 28. 2828 Ex 3: Consequences sniffing print queues accountability users’ data
- 29. 2929 Ex 3: Vendor gets notified Received, and will look it over with engineers. I'll come back to you shortly. Discussed with engineers, and the reason why communication was non-SSL, was to support older Lexmark devices which cannot do SSL.
- 30. 3030 Other vulnerabilities • Logs and printed files on a default web server • Brute-force attack in admin/user interfaces, no logs • XSS and CSRF in web interfaces • Predictable session identifiers • DoS attack vulnerability
- 31. 3131 Get the software Pentests Report Get the software Pentests Report vulnerabilities Research process What we thought How does it really look like
- 32. 3232 Research problems Why do vendors fear pentests? • no direct profit • risk of finding criticals • implies a lot of patching
- 33. 3333 Cheat sheet - developers Encryption between server and printer/user: • Avoid writing your own crypto • Avoid writing your own proto • Authenticate both side
- 34. 3434 Cheat sheet - developers Behind the proprietary protocol: • Access control • Separate interfaces • MITM protection is not enough
- 35. 3535 Cheat sheet - testers Look for vulnerabilities in: • Encryption and authentication • Access control in proprietary protocols • Infrastructure design
- 36. 3636 Cheat sheet - owners While deploying a pull printing solution: • Get it pentested • Network layer security - IPsec, VLANs • Verify vendor claims http://gigaimg.com/images/68175143262443344759.gif
- 37. 3737 What’s next ? • CVEs disclosure • A follow-up paper • Ready to fight new proprietary protocols
- 38. 3838 Q&A http://www.securing.pl e-mail: info@securing.pl tel. +48 (12) 4252575 Jakub Kałużny jakub.kaluzny@securing.pl
Notes de l'éditeur
- Threat modelling, penetration tests, vulnerability assessment, opinions Web, mobile applications, network, infrastructure, devices (ATMs, Cash Deposit Machines), printers
- Banks, financial institutions, big corporations Documents, contracts, payrolls Money saving, security
- Flow diagram; User not directly with the printer, he only authenticate and release print queues
- A lot of funcionality, Different access roles, many threat agents, attack vectors and as it turned out – many vulnerabilities
- An owner would not like to have Their documents sniffed Subordinate employee printing chairman’s contracts Employees printing books at others’ expense, tampering acc Users data stolen
- In case of sniffing – printer is the client
- MFP got everything – hard disk, usb port, embedded software, VNC server
- Quantity analysis
- ECB is faster, but Only when using parallel Either printers have multi-thread procesor, or they lack computation power.
- Widely used on universitites
- We started with basic tests: SQLi in param2, omitting param2, empty param2…