OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ltlw0lf (ltlw0lfNOSPAM.HOME.COM)
Date: Wed Apr 25 2001 - 13:59:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Summary - New Tektronix (Xerox) printers have covered up a security through
    obscurity flaw discovered in November, 1999 with more security through
    obscurity. The unauthenticated and unfiltered administrator configuration
    page on the PhaserLink webserver is now located at the URL
     http://printername/_ncl_subjects.shtml. Furthermore, Tektronix has added
    the item "Userid:" to the printer config page, supposidly to add more
    granularity (or obscurity) to the configuration process. However, this may
    allow unfiltered and unauthenticated users to discover the administrators
    valid userid and password. And more, the printer's webserver cannot b
    turned off using the html interface.

    Background - On November 16, 1999, I posted a backdoor in the PhaserLink
    Webserver for Tektronix Printers. The backdoor allowed an attacker
    unfiltered and unauthenticated access to the configuration of the printer.
    Many of the Tektronix printers available at the time had this backdoor.
    A few days later, another bugtraq poster (I'm sorry, cannot find the name
    in the archive,) discovered that this vulnerability also allowed an
    unfiltered and unauthenticated user to ultimately physically deny service
    on the printer by forcing it into Emergency Power Off mode, which meant the
    printer would turn itself off without properly voiding the ink or crayon
    reservoir. If the reservoir cooled, the ink or crayons would coagulate, and
    the printer would be physically damaged. My post, and subsequent discussions
    on Bugtraq received the attention of may concerned administrators, who
    contacted me about the vulnerability and the fixes for the vulnerability.
    It also attracted the attention of a Tektronix bigwig which, after two weeks
    of silence from Tektronix after posting the bug (three weeks after
    contacting them about the bug,) sent me several threats (legal threats about
    releasing secret information.) After several meetings and emails flew around,
    it was mutually decided that this was a bad way of doing business, and that
    Tektronix would inform us of any other backdoors as well as work with us to
    fix them. In exchange, I'd not post any further advisories (although I did
    not agree with this, but due to their apparent effort to fix the problem, I
    have kept my mouth shut.)

    Unfortunately, they have not kept up their end of the bargain, and instead
    have made things more insecure as well as using more security through
    obscurity to hide the problem exposed in the first vulnerability report. In
    a matter of fact, the last communications we received from them on this issue
    was in the beginning of 2000. I think it is time to shake them up again
    because they obviously didn't learn anything the last time.

    Vulnerability - Tektronix apparently fixed the problem, but not in a secure
    fashion. I recently had the opportunity to play with several new 850
    printers. The new printers appear to have fixed the problem, at least in
    a majority of the half-dozen machines I have played with. Typing in the
    backdoor URL produced an Error 404 message. However, all of the webservers
    responded to the URL http:/printername/_ncl_subjects.shtml. It appears that
    Tektronix covered up the URL after I posted the vulnerability report by
    changing the URL slightly. This was actually discovered during the testing
    of the printer. We noticed that most of the pages on the server now end with
    the extension .shtml. However, typing in the filename ncl_subjects.shtml also
    produced an Error 404. I accidently typed _ncl_subjects.shtml at one point
    during the testing, and the page popped up. So Tektronix has "secured" the
    webpage by adding a "_" and an "s". This is litterally the first time I have
    caught a backdoor by dumb luck, but it only took about 20 minutes of playing.
    The first URL was given to us by Tektronix Technical Support. But it
    definately proves that one of the three reasons that security through
    obscurity fails because of pure dumb-luck.

    The new URL allows the same sort of access that the previous URL backdoor
    allowed. Configuration pages themselves live at the URL's
     http://printername/_ncl_items.shtml&SUBJECT=*, where "*" is the number
    corresponding to the particular configuration page. Again, Tektronix has
    included the ability to remotely (and unauthenticated) physically deny service
    to the printer by setting the "Shutdown" option on the
    URL http://printername/_ncl_items.shtml&SUBJECT=1 to "Emergency Power Off,"
    but I have yet to find someone willing to allow me to test this. Obviously
    setting "Factory Default" to true is a much less destructive Denial of Service
    as it resets the printer, but doesn't damage anything.

    Tektronix has added a whole new (and very bad) wrinkle to the HTTP config page.
    As previously discovered, the HTTP Config page on 740 machines allowed users to
    view the administrator password without any sort of authentication or
    filtering. This means that any one on the planet can access this information
    and use it to reconfigure other parts of the machine using the
    URL http://printername/ncl_items.html&SUBJECT=2097. Tektronix now has both a
    userid and a password field available in plain-text by typing the
    URL http://printername/_ncl_items.shtml&SUBJECT=2097. This has the effect of
    essentially allowing an ignorant user (and believe me, any user which has a
    printer outside of a firewall is an ignorant one,) to broadcast their
    standard userid and password to the world. This allows an attacker to
    discover a potentially legitimate password on other computer systems, and
    the rest, as they say, is history.

    Furthermore, Tektronix has taken away one of the two fixes we proposed in the
    last advisory. One of our suggestions for network administrators to fix the
    problem was to use the "On" switch on the ncl_items.html&SUBJECT=2097 webpage
    to turn off the webserver on the printer, which apparently turned off this
    backdoor quite effectively. However, while the new printers still have this
    switch, the functionality of the switch has been broken or turned off, so this
    option is no longer available to network administrators. The only way to
    protect the printer from attack is to put it behind a firewall.

    I'm still playing, there may be more...

    Vendor Contact Status - vendor was contacted nearly 2 weeks ago, using the
    standard email addresses as well as some of the email addresses I had from
    before, and any email address I could garnish from the website. Almost all
    of the emails bounced. Those that didn't bounce were autoresponders, and I
    have not received any communication beck from the company. I expect they will
    again contact me 2 weeks after this email hits the list, and will again
    threaten me with the standard threats and complain that I didn't contact the
    right people back at their company ahead of time (somehow they expect I have
    awsome ESP skillz that can be useful in detecting the right people to send
    the email to, since I obviously have the skillz to find hidden URLs by
    mistyping my requests.)

    One thing that Tektronix spouted over and over again was that any hardship
    over security through obscurity was a local hardship. Nobody else ever
    complained about it. Feel free to tell them what you think, if you have a
    Tektronix printer, make your voice against security through obscurity heard,
    so it doesn't look like I'm the only one who has a problem with it.

    Shameless Plug - I will hopefully be speaking at this year's Toorcon in San
    Diego on printer insecurities. Please consult www.toorcon.com for more
    information.

    Contact Info - Send me email at ltlw0lfhome.com for more information, I am
    out of town for two weeks, but will get back to you asap.