Intelligent Peripherals Create Security Risk
INFORMATION BULLETIN
J-019: Intelligent Peripherals Create Security Risk
December 8, 1998 17:00 GMT
PROBLEM: Improper installation of intelligent peripherals may leave the
devices open to compromise.
PLATFORM: All intelligent peripherals (printers, copiers, faxes, scanners)
connected to an IP network that can store images in memory and/or
on an internal hard drive. Some of these devices also run inetd
services such as ftp and telnet.
DAMAGE: By exploiting accounts that have no password, remote users may
gain access to the device and jeopardize sensitive information.
SOLUTION: Follow the manufacturer's installation instructions and set a
password on every default account. CIAC recommends that all
unneeded daemons be turned off.
VULNERABILITY ASSESSMENT: Risk is high. CIAC has received reports of
intelligent peripherals, such as printers, being compromised by intruders and
of print jobs being redirected to other machines. Sensitive information was
potentially compromised.
ATTENTION: Please pass this information to all administrators
who use printers, copiers, faxes, and scanners connected to a
network.
CIAC is aware of security risks associated with intelligent peripherals.
Although these devices do not 'look like' computers, they have the internal
components of one. Some printers, for example, use a SPARC CPU board that runs
the Solaris UNIX operating system. Xerox sells a multifunction device that
copies, faxes, scans, and prints documents; it contains a networked hard disk
with a standard UNIX directory structure, so images of the documents it
handles can remain stored on it. For this device, Xerox recommends that the
network information stored on it be secured. This information includes network
IDs, network passwords, network file locations, user network names, and user
passwords.
In most cases, the more functionality a device offers, the higher the security
risk. Proper installation and configuration reduce that risk. Over the past
year CIAC has received reports of compromised peripherals, mostly printers.
The following examples, regardless of device type and manufacturer, show why
these devices must be installed on the network properly.
Codonics NP-1600 Printer
In March, CIAC was notified of a Codonics NP-1600 printer that had been
compromised. The printer uses a SPARC CPU board and runs the Solaris UNIX
operating system, which means it may have user accounts, as well as running
daemons, that can be used to compromise the device. The printer ships from the
manufacturer with default accounts that have no password (null accounts). The
manufacturer does, however, provide instructions and guidance on installing
and configuring the printer, and warns installers to set a password on the
root account. The printer has inetd and RPC daemons running by default. Some
of these daemons are needed; CIAC recommends that all unneeded daemons be
turned off. After receiving this report, CIAC scanned a Codonics printer to
enumerate the services it allows. According to the system administrator, that
printer had been configured per the manufacturer's instructions. The scan
found the printer vulnerable only to denial-of-service (DoS) attacks.
Listed below are the daemons running by default on a Codonics NP-1600 printer.
inet daemons:
port type and status
7 (echo) is running.
9 (discard) is running.
13 (daytime) is running.
19 (chargen) is running.
21 (ftp) is running.
23 (telnet) is running.
37 (time) is running.
79 (finger) is running.
111 (sunrpc) is running.
512 (exec) is running.
513 (login) is running.
514 (shell) is running.
515 (printer) is running.
540 (uucp) is running.
741 (UNKNOWN) is running.
rpc daemons:
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100087 10 udp 32772
100011 1 udp 32773 rquotad
100002 2 udp 32774 rusersd
100002 3 udp 32774 rusersd
100012 1 udp 32775 sprayd
100008 1 udp 32776 walld
100001 2 udp 32777 rstatd
100001 3 udp 32777 rstatd
100001 4 udp 32777 rstatd
100068 2 udp 32778
100068 3 udp 32778
100068 4 udp 32778
100083 1 tcp 32771
200 1 udp 740
200 1 tcp 741
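The listing above can be turned into a checklist of what to disable. The following script is an added example (the editor's, not CIAC's or Codonics' tooling): it parses the inetd and rpcinfo output exactly as printed, keeps only lpd on port 515 (an assumption about what print clients need), and states why each remaining listener should be reviewed or turned off. The service categories and reasons are the editor's, not the bulletin's.

```python
import re

# Constructed input: the two listings printed above for the Codonics NP-1600
# (inetd services and rpcinfo output), copied from the bulletin.
INETD_SCAN = """\
7 (echo) is running.
9 (discard) is running.
13 (daytime) is running.
19 (chargen) is running.
21 (ftp) is running.
23 (telnet) is running.
37 (time) is running.
79 (finger) is running.
111 (sunrpc) is running.
512 (exec) is running.
513 (login) is running.
514 (shell) is running.
515 (printer) is running.
540 (uucp) is running.
741 (UNKNOWN) is running.
"""
RPC_SCAN = """\
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100087 10 udp 32772
100011 1 udp 32773 rquotad
100002 2 udp 32774 rusersd
100002 3 udp 32774 rusersd
100012 1 udp 32775 sprayd
100008 1 udp 32776 walld
100001 2 udp 32777 rstatd
100001 3 udp 32777 rstatd
100001 4 udp 32777 rstatd
100068 2 udp 32778
100068 3 udp 32778
100068 4 udp 32778
100083 1 tcp 32771
200 1 udp 740
200 1 tcp 741
"""

# Assumption for this example: a print device only has to expose lpd (515).
# Adjust to what your print clients really use; everything else gets flagged.
REQUIRED_PORTS = {515}

# Why each well-known listener matters on a printer (editor's categories, not the bulletin's).
INETD_WHY = {
    **dict.fromkeys((7, 9, 13, 19, 37), "small service: bounce/amplification target, the DoS exposure the scan found"),
    **dict.fromkeys((21, 23, 512, 513, 514, 540), "remote login/exec path: every account behind it needs a password"),
    79: "finger discloses account names",
    111: "portmapper advertises the RPC services below",
}
RPC_WHY = dict.fromkeys(("rquotad", "rusersd", "sprayd", "walld", "rstatd"),
                        "discloses users/host statistics or lets anyone write to the console")

def parse_inetd(text):
    """Map port -> service name from lines like '23 (telnet) is running.'"""
    return {int(p): n for p, n in re.findall(r"^\s*(\d+)\s+\((\w+)\)\s+is running", text, re.M)}

def parse_rpc(text):
    """(program, version, proto, port, name-or-None) tuples from rpcinfo -p style output."""
    rows = [l.split() for l in text.splitlines()]
    return [(int(f[0]), int(f[1]), f[2], int(f[3]), f[4] if len(f) > 4 else None)
            for f in rows if len(f) >= 4 and f[0].isdigit()]

def audit(inetd_text, rpc_text):
    """Return (source, service, reason) for every listener to review or disable."""
    rpc = parse_rpc(rpc_text)
    rpc_tcp = {port: prog for prog, _, proto, port, _ in rpc if proto == "tcp"}
    findings = []
    for port, name in sorted(parse_inetd(inetd_text).items()):
        if port in REQUIRED_PORTS:
            continue
        why = INETD_WHY.get(port)
        if why is None and port in rpc_tcp:   # e.g. 741 (UNKNOWN) is RPC program 200's TCP side
            why = f"TCP listener of RPC program {rpc_tcp[port]}; identify before leaving it on"
        findings.append(("inetd", f"{port}/{name}", why or "unidentified service; identify before leaving it on"))
    seen = set()
    for prog, _, proto, port, name in rpc:
        if prog == 100000 or (prog, name) in seen:   # portmapper already reported as 111/sunrpc
            continue
        seen.add((prog, name))
        why = RPC_WHY.get(name, f"unregistered RPC program {prog}; identify before leaving it on"
                          if name is None else "RPC service not needed for printing")
        findings.append(("rpc", f"{name or prog} ({proto}/{port})", why))
    return findings

if __name__ == "__main__":
    for src, svc, why in audit(INETD_SCAN, RPC_SCAN):
        print(f"{src:5} {svc:22} {why}")
```

Against a live device the same two listings come from a port scan and from `rpcinfo -p <printer>`; feed that output to `audit()` in place of the constructed strings. Note that the unnamed inetd port 741 resolves to the TCP side of RPC program 200, which is the kind of cross-reference that is easy to miss when reading the two listings separately.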
HP Jet Direct Printer
In September, CIAC received a report of an HP JetDirect printer hijacked by an
intruder from abroad. All print jobs sent to the printer were actually
delivered to a print server in that foreign country. An intruder can redirect
all print jobs by making their own machine the printer's print server, using
the mscan tool against an unprotected printer. Two passwords need to be set to
protect the printer. To prevent this type of activity, use the HP Jet Admin
Utility to password protect the device. If your printer appears to be
operational but is not printing, view the status of the printer using the HP
Jet Admin Utility. To check the status of the printer, do the following:
1) Select 'Device'
2) Select 'Properties'
3) Select 'Diagnostics' tab
4) Click on 'TCP/IP'
5) Click on 'General'
At this level, the 'Server Address' is visible. The IP address shown should be
that of your own print server, the machine you are connecting from; check that
it is the correct machine address. If it is not, kill the active connection
and re-enable the queue using the HP Jet Admin Utility. This returns control
of the printer to your local network, and the print jobs already queued should
print.
Scanning Returns Interesting Results
While scanning a subnet recently, the scanner was unable to identify the type
of machine at a series of IP addresses, although it did list the services each
one allowed. On further investigation, CIAC determined that these IP addresses
were assigned to printers. One of the printers allowed the following ports and
services:
23 telnet
80 httpd
515 printer
161 snmp server
Anyone could log in over telnet, and because the password was disabled this
gave unrestricted access to the printer and its telnet configuration menu.
Below is a sample JetDirect printer telnet configuration as displayed on that
printer:
Firmware Rev.: G.07.03
MAC Address: XX:XX:XX:XX:XX:XX (removed to preserve the identity)
Config By: USER SPECIFIED
IP Address: XXX.XXX.XXX.XX (removed to preserve the identity)
Subnet Mask: 255.255.255.0
Default Gateway: XXX.XXX.XXX.XXX (removed to preserve the identity)
Syslog Server: Not Specified
Idle Timeout: 120 Seconds
Set Cmnty Name: Not Specified
Host Name: Not Specified
DHCP Config: Disabled
Passwd: Disabled
IPX/SPX: Enabled
DLC/LLC: Enabled
Ethertalk: Enabled
Banner page: Enabled
CIAC strongly recommends that printers with this kind of capability have
password protection enabled and all unneeded services turned off. In most
cases ftp, telnet, and httpd are not needed on a printer.
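A quick way to audit such a dump before hardening the device by hand: the script below is an added example, not part of the bulletin and not an HP tool. It parses the telnet configuration as displayed above (with the redacted fields replaced by documentation addresses so the sample parses), flags the settings that made this printer an easy target, and suggests the corresponding telnet menu parameter. Those parameter names are the editor's assumption about the JetDirect telnet menu of that firmware generation; check them against the device's own help before typing them.

```python
# Constructed input: the JetDirect telnet configuration printed above, with
# the redacted address fields filled in with documentation addresses
# (192.0.2.0/24, a locally administered MAC) so the example parses.
JETDIRECT_DUMP = """\
Firmware Rev.: G.07.03
MAC Address: 02:00:00:00:00:01
Config By: USER SPECIFIED
IP Address: 192.0.2.10
Subnet Mask: 255.255.255.0
Default Gateway: 192.0.2.1
Syslog Server: Not Specified
Idle Timeout: 120 Seconds
Set Cmnty Name: Not Specified
Host Name: Not Specified
DHCP Config: Disabled
Passwd: Disabled
IPX/SPX: Enabled
DLC/LLC: Enabled
Ethertalk: Enabled
Banner page: Enabled
"""

# One rule per setting: (key, value that is a finding, severity, why, fix).
# The parameter names in the fix column are an ASSUMPTION about the JetDirect
# telnet menu of that firmware generation; confirm them with the help output
# of your own device before use.
RULES = [
    ("Passwd", "Disabled", "HIGH",
     "no admin password: anyone who can reach port 23 can change the configuration, including where jobs go",
     "passwd: <new-password>"),
    ("Set Cmnty Name", "Not Specified", "HIGH",
     "no SNMP set community configured although 161/udp is open; set one and restrict SNMP to management hosts",
     "set-cmnty-name: <community>"),
    ("Syslog Server", "Not Specified", "MEDIUM",
     "no syslog server: configuration changes and job redirection leave no trace",
     "syslog-svr: <ip-address>"),
    ("IPX/SPX", "Enabled", "LOW", "non-IP protocol stack enabled; disable if unused", "ipx-config: 0"),
    ("DLC/LLC", "Enabled", "LOW", "non-IP protocol stack enabled; disable if unused", "dlc/llc-config: 0"),
    ("Ethertalk", "Enabled", "LOW", "non-IP protocol stack enabled; disable if unused", "ethertalk-config: 0"),
]
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def parse_jetdirect(dump):
    """'Key: Value' lines -> dict. Only the first ':' splits, so MAC and IP values survive intact."""
    cfg = {}
    for line in dump.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit_jetdirect(dump):
    """Return the rules that fire, highest severity first (stable within a severity)."""
    cfg = parse_jetdirect(dump)
    hits = [dict(key=k, value=cfg[k], severity=s, why=w, fix=f)
            for k, bad, s, w, f in RULES if cfg.get(k) == bad]
    return sorted(hits, key=lambda h: SEVERITY_ORDER[h["severity"]])

if __name__ == "__main__":
    for h in audit_jetdirect(JETDIRECT_DUMP):
        print(f"[{h['severity']}] {h['key']}: {h['value']}  ->  {h['why']}  (fix: {h['fix']})")
```

Because the rules are data, re-running `audit_jetdirect()` on the dump captured after each change shows exactly which findings remain; `Passwd: Enabled` alone clears only the first of the six.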
Conclusion
Today's printers and copiers are more complex, and with that complexity comes
security risk. Default accounts with no password are a major security risk
regardless of the operating system and platform. Leaving one device
unprotected may lead to other devices being compromised. To tighten down your
systems, make sure every account has a password and that all unneeded daemons
are turned off. Follow the installation instructions provided by the
manufacturer; if they are not clear, call the manufacturer and ask for
assistance. Remember that hijacked print jobs compromise the confidentiality
of everything printed.
To check for accounts without passwords, use Security Profile Inspector for
Networks (SPI-NET) or the Computer Oracle and Password System (COPS).
To download:
SPI-NET
http://ciac.llnl.gov/cstc/spi/spinet.html
COPS
ftp://coast.cs.purdue.edu/pub/tools/unix/cops-perl.tar.gz
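For a Solaris-based device such as the NP-1600, the COPS check for accounts that can be entered without a password amounts to reading /etc/passwd and /etc/shadow. The script below is an added example (the editor's, not COPS or SPI-NET code) that performs that check on constructed sample files; the account names and dates are made up, and the Solaris lock markers NP and *LK* are treated as locked rather than null.

```python
# Constructed sample: /etc/passwd and /etc/shadow lines in Solaris layout
# (the NP-1600 runs Solaris). Account names and dates are made up for the example.
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
printadm:x:100:1:Printer administrator:/export/home/printadm:/bin/csh
guest:x:101:1:Guest:/export/home/guest:/bin/sh
legacy::102:1:Pre-shadow account:/export/home/legacy:/bin/sh
"""
SHADOW = """\
root::6445::::::
daemon:NP:6445::::::
lp:NP:6445::::::
printadm::6445::::::
guest:*LK*:6445::::::
"""

def _entries(text):
    """Yield the colon-separated fields of each non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def null_password_accounts(passwd_text, shadow_text):
    """Return sorted (user, reason) for accounts that can be entered without a password.

    Solaris stores the hash in /etc/shadow when the passwd field is 'x'. An empty
    field in either file means 'no password required'; NP and *LK* mean locked.
    """
    shadow = {f[0]: f[1] for f in _entries(shadow_text)}
    findings = []
    for f in _entries(passwd_text):
        user, pw, uid = f[0], f[1], int(f[2])
        if pw == "":
            reason = "empty password field in /etc/passwd"
        elif pw == "x" and shadow.get(user) == "":
            reason = "empty password field in /etc/shadow"
        else:
            continue  # a real hash, or a locked marker (NP, *LK*): not a null password
        if uid == 0:
            reason += " (uid 0: full control of the device)"
        findings.append((user, reason))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in null_password_accounts(PASSWD, SHADOW):
        print(f"{user:10} {reason}")
```

Run it against copies of the real files pulled from the device (the check needs root to read /etc/shadow). Anything it reports, starting with root, needs a password set before the device goes on the network.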
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/