Exploiting Intelligent Peripherals

by Screamer Chaotix  (screamer@hackermind.net)

At first look a printer is a rather dull device.  It doesn't contain very much that's interesting to hackers, other than the fact that it can be used to print out some pretty hilarious banners to your target.  But with that aside, no one really considers printers (or any peripheral for that matter) to be that big of a deal.  Sadly, this causes them to be neglectful.

Intelligent peripherals are a fantastic thing, when used properly.  An intelligent peripheral is any piece of equipment hooked up to a network that can be controlled over the Internet.  By simply Telnet'ing to a specific IP address you can control the inner workings of the machine, and therein lies the problem.

Recently, while scanning the subnet of my university (tempting as it may be I won't divulge their name), I came across several machines which only allowed SSH access.  Scanning a bit further, I saw that one of these same machines had foolishly left Telnet wide open (kind of defeats the point of SSH doesn't it?).

Now I'm not the type of person to sit at a keyboard all night, pounding away at the login prompt until something got me in... Oh no, I had more important things to do.

Nonetheless, the thought that someone had made the mistake of leaving Telnet open got my brain churning and my curiosity boiling.  Was it possible they had messed up somewhere else?  Checking the Nmap results, I found that they had.

Several IPs had Telnet wide open, and boy, oh boy, do I mean wide open.  After connecting to the open port, I was amazed when I received this prompt:

HP JetDirect

Please type "?" for HELP, or "/" for current settings
>

What's this?  No login prompt?  Nothing asking for a username and password?

It was too good to be true!  I did what any good explorer would do, and typed: ?

This is what appeared:

Please type "?" for HELP, or "/" for current settings
   
        To Change/Configure Parameters Enter:
        Parameter-name: value <Carriage Return>

        Parameter-name Type of value
        ip:             IP-address in dotted notation
        subnet-mask:    address in dotted notation
        default-gw:     address in dotted notation
        syslog-svr:     address in dotted notation
        idle-timeout:   seconds in integers
        set-cmnty-name: alpha-numeric string (32 chars max)
        host-name:      alpha-numeric string (upper case only, 32 chars max)
        dhcp-config:    0 to disable, 1 to enable
        novell:         0 to disable, 1 to enable
        dlc-llc:        0 to disable, 1 to enable
        ethertalk:      0 to disable, 1 to enable
        banner:         0 to disable, 1 to enable

        Type passwd to change the password.

Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
Or type "exit" to exit without saving configuration parameter entries
>

It was obvious to me this was no UNIX machine, and it sure wasn't a VAX/VMS.

The HP JetDirect sign rang a few bells though, Hewlett-Packard?  Could it be that this was a printer?  By typing / I received various bits of information, all showing me the current setup, including IP assignments, options for DHCP, even an option to set the admin password!  Sure enough, it was a printer alright.  And I had managed to walk right in.

Here I was, with complete control over the configuration.  But what could be done?  All sorts of thoughts went through my mind.  With a few simple commands I could change the location of the printer to anywhere in the world... thereby receiving every print job that someone sent to that machine.

And in a university, who would notice if their paper went to the wrong machine?  It's certainly not the type of thing the admins go crazy about.  But still, using my hacker ethics I didn't do this.  After all, I was more curious about the idea of remote controllable printers than anything else.  If any of you troublemakers out there are wondering about the possibilities, you shouldn't have to think very long.

The problem here is one that has been around since the 1980s and even earlier: people unaware of the fact that they have an open door to the world.  All of you old timers remember the dial-ups that didn't require a password; well, this is pretty much the same thing.

They lock up their UNIX and VAX/VMS like a fortress, and yet forget about the small details.  Few people see a printer as a device to be concerned about.

But the fact is, intelligent peripherals do pose a threat.  Without password protection on all your machines, any attacker could gain access... and may even boost up their privileges.

The HP JetDirect that I found is only half the story; some peripherals (those running on a UNIX platform) offer inetd and RPC daemons running by default, giving attackers even more to play with.

Some inetd daemons running on these machines include Telnet, FTP, and Finger (just to name a few).  I'm sure we can all see the danger in that.

And I haven't even touched upon the dangers of connecting via FTP and actually printing a file, but we must save something for later...

The bottom line is this: if you're using intelligent peripherals, be sure to secure them with a password.

If you're using the HP JetDirect, all you need to do is use the admin utility and set a password.  It's as simple as typing passwd, and if you don't do it, who will?
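For administrators checking their own inventory, here is an added example (not part of the original article) that classifies the first bytes a device sends on Telnet: it strips the Telnet option negotiation and reports whether the device asked for credentials or dropped straight to the configuration prompt shown earlier.  The function names are hypothetical, both sample banners are constructed, and the "Password:" prompt in the second sample is an assumption about what a protected device displays.

```python
import re
import socket

IAC, SB, SE = 255, 250, 240  # Telnet command bytes (RFC 854)
AUTH_PROMPT = re.compile(r"(login|username|password)\s*:", re.I)
CONFIG_PROMPT = re.compile(r'type\s+"\?"\s+for\s+help', re.I)

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the visible banner text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:                      # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif nxt == SB:                       # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif nxt is not None and 251 <= nxt <= 254:   # WILL/WONT/DO/DONT + option
            i += 3
        else:                                 # any other two-byte command
            i += 2
    return bytes(out)

def classify_banner(raw: bytes) -> str:
    """Return 'auth-required', 'open-config-prompt' or 'unknown'."""
    text = strip_telnet_negotiation(raw).decode("latin-1")
    if AUTH_PROMPT.search(text):
        return "auth-required"
    if CONFIG_PROMPT.search(text) and text.rstrip().endswith(">"):
        return "open-config-prompt"
    return "unknown"

def grab_banner(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Read the first bytes sent by a device on your own inventory list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""

# Constructed samples: negotiation bytes followed by banner text.
OPEN_SAMPLE = (b"\xff\xfb\x01\xff\xfb\x03" b'HP JetDirect\r\n\r\nPlease type "?" '
               b'for HELP, or "/" for current settings\r\n> ')
LOCKED_SAMPLE = b"\xff\xfb\x01HP JetDirect\r\n\r\nPassword: "  # assumed prompt
```

Any device that comes back as open-config-prompt is one where passwd has not yet been run.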

Thanks to DamienAK and Unreal for their help, and a big shoutout to Dash Interrupt.
