Thread: Printer Directory Penetration

  1. #1
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    4

    Printer Directory Penetration

    All,

    I am currently working for a client that would like some convincing as to why they need to harden their printers. Currently the printers have their administration cp's wide open and do not require authentication for any changes. For me that would be enough for them to want to have a policy written and followed for rolling out new printers....and I hope it is.

    I was told today that it would be a huge "wow factor" if we could show them that we can gain access to the file directory structure. Penetrating the device is not difficult as all the usual ports are open (80, 21, 9100, 551). I was hoping to complete a directory traversal from the FTP directory, or exploit the JetDirect port.

    The printers in question are Xerox WorkCentre 4500 & 8550DT.

    Any suggestions are appreciated.

    Thanks JB

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by JohnnyBravo View Post
    All,

    I am currently working for a client that would like some convincing as to why they need to harden their printers. Currently the printers have their administration cp's wide open and do not require authentication for any changes. For me that would be enough for them to want to have a policy written and followed for rolling out new printers....and I hope it is.

    I was told today that it would be a huge "wow factor" if we could show them that we can gain access to the file directory structure. Penetrating the device is not difficult as all the usual ports are open (80, 21, 9100, 551). I was hoping to complete a directory traversal from the FTP directory, or exploit the JetDirect port.

    The printers in question are Xerox WorkCentre 4500 & 8550DT.

    Any suggestions are appreciated.

    Thanks JB

    If I recall properly, the WorkCentre in their default installation as done by the idiot Xerox techs stores a copy of all documents that are printed on the internal drive. This, of course, is an issue, as any HR docs, payroll docs and such are stored out there without any permissions.

    Printers are of course easily crashed via DoS methods, so you'd want to suggest some sort of supporting infrastructure to contain such things.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    Point out to them that the Brazilians (some of the most prolific hackers in the world) list unsecured print services as the #1 system entry point. Period.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  4. #4
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    4

    I have been able to find directory paths via source views from their web-based control panel. We are also trying to show that someone can penetrate the device and grab the information from the files being printed. According to the information page I found, there are like 7000 documents stored on the printer's hard drive.

    I found an article on worms that attach themselves to printers and reinfect the networks after they clean it. We plan to use that as well. So we have enough info of it happening...just haven't been able to do it ourselves. We did use an SNMP walk tool and pulled most of the information off....but not the directory & its structure.

    Anyone else have any suggestions??

    Thanks
    JB

  5. #5
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    Just guessing, does it save the files to the local 127.0.0.1 called repository? And does it have the option to add repository locations? If so add one more and it should start sending a copy there as well when someone scans. Also it does have email correct? Or try adding tftp to it. Just go nuts.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    I think the WorkCentres run both an internal http and ftp server, plus their management software is freely available off their website. Meaning, anyone can download it and attach to the printers. I haven't seen one yet (other than the one I set up a couple years ago) that had anything other than the default passwords set on them.

  7. #7
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    4

    Quote Originally Posted by streaker69 View Post
    I think the WorkCentres run both an internal http and ftp server, plus their management software is freely available off their website. Meaning, anyone can download it and attach to the printers. I haven't seen one yet (other than the one I set up a couple years ago) that had anything other than the default passwords set on them.

    I will try the management software. The HTTP server is an embedded Allegro version (4.31 I think...) And FTP is on and accessible...I forget off the top of my head the FTP server. I have full access to the printer and can make any changes I want via their management protocol not being hardened with *any* passwords. It's just the directory structure I am trying to ascertain. I will check out their management software.

    I have also noticed that the 8550 allows me to add files, but I have not tried to execute anything...or if I even can...

    Supposedly they are going to get us set up in the lab so we can have full run....so we don't kill the production server.

    Thanks,
    JB
