I'm waiting for the great network printer security apocalypse. A bunch of these things are in a great position to turn around and launch attacks on the "chewy on the inside" networks of so many companies. Maybe this has already happened.
My printer has a dumb little print server running an embedded flavor of Linux and a publicly known hard-coded (!) root password. While mine is going to the slag heap sooner or later for that and several other fundamental problems, you can guess that many many more of them are out there just waiting to be taken for a ride.
These dumb little boxes may be underpowered, but once you get inside and set them up to forward packets for you, their raw CPU speed becomes less of an issue. You can run all of the fun attacks from a "real" machine and just let it bounce you to the inside world.
My very first criminal act of hacking as a teenager was gaining access to a printer somewhere in Spain, by which I had limited access to the rest of the network but I was too dumb to understand what to do.
So yeah, printers at least were a big gaping hole in the late 90s and early 00s.
Many, perhaps most network-connected printers, NAS units, and other devices (e.g., home-automation hardware) simply assume that the local network they connect to will be securely protected from external attack, so they're not configured to withstand even the simplest of attacks.
This is exactly the opposite of what many security experts recommend: ideally all devices should be secure regardless of whether the network they're on is secure or not. With more and more devices offering remote-Internet-access functionality every day, this principle of security is becoming ever more fundamental.
Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[1]
Like rachelbythebay, I'm also waiting for the great network printer security apocalypse.[2]
UPDATE: Just for the heck of it, I ran a fairly fast scan (nmap -T4 -A -v -PE [IP address]) on an HP all-in-one printer accessible over my LAN, and there were a LOT of open ports -- see pasted results below. I then pointed my browser to port 9100 on the printer, which instantly printed the HTTP headers without complaint. The printer's configuration page reports that it is "secured" by an administrative password.
PORT STATE SERVICE VERSION
80/tcp open http HP PhotoSmart/Deskjet printer http config (Virata embedded httpd 6_0_1)
139/tcp open netbios-ssn?
6839/tcp open tcpwrapped
7435/tcp open tcpwrapped
8089/tcp open tcpwrapped
9100/tcp open jetdirect?
9101/tcp open jetdirect?
9102/tcp open jetdirect?
9110/tcp open unknown
9220/tcp open hp-gsg HP Generic Scan Gateway 1.0
9290/tcp open hp-gsg IEEE 1284.4 scan peripheral gateway
9500/tcp open unknown
--allports (Don't exclude any ports from version detection) .
By default, Nmap version detection skips TCP port 9100 because some
printers simply print anything sent to that port, leading to dozens
of pages of HTTP GET requests, binary SSL session requests, etc.
This behavior can be changed by modifying or removing the Exclude
directive in nmap-service-probes, or you can specify --allports to
scan all ports regardless of any Exclude directive.
PS I think the "-A" and "-T4" are redundant. I think aggressive mode sets the timing to 4 among other things.
Unfortunately, trying to secure your hardware is a lesson in frustration and ruins the whole experience.
This is because every device acts confused, hangs or produces cryptic errors when facing denied access; restricted resources prevent you from understanding why the access was denied and how to open it; changes in network topology lead to problems that are only stumbled over much later; and it's extremely hostile to guests, who spend half an hour trying to configure.
A friend of mine over here recently discovered that a certain printer manufacturer (very big one) had a complete SNMP service that runs on all the printers - they aren't protected and you can run any command on it. You can even tell the printer to download, load, and reboot with custom firmware. Amongst many other yucky things.
Especially with the development of IPv6, internal routing becomes transparent and the appearance of protection offered by NAT is gone. Possibly these printers have all been assigned publicly reachable IPv6 addresses.
It's worth noting, I think, that Schneier is pretty out of touch when it comes to the whole "open wireless" thing, because he leaves himself open to a bunch of local-only attacks. He's correct that your computer should be able to withstand being on the 'open' internet, since it is every time you take it to work or a coffee shop or something, but, don't be an idiot, just turn WPA2 on at your house.
Many access points (I think) now provide a feature where they can run multiple SSIDs. So if you're savvy, you can turn on a guest-only open wifi for when you have visitors, and turn it off when they leave. Kind of like a guest key for your spare room!
> "[...] we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. All it takes is for somebody to put the appropriate GET request in [...]"
> "Both of our printers have public IP addresses"
It looks like the printers are publicly accessible, and some automated tool (nmap?) is just scanning them for vulnerabilities, open ports, or similar. Not too surprising really.
The printed page even says NMap on it. nmapol=tlitcp is Transport Layer Interface and TCP. I'm not positive, but NMap OL could be NMap openvas-library, which is a vulnerability scanner. Sounds to me like someone scanning with NMap over TLI and TCP and it's hitting these printers.
Don't expose your printers to the web without a strict firewall or VPN/reverse proxy!
When nmap scans port 9100 it doesn't send anything (at least as of nmap 6.00 using -sV). It is probably a higher level vulnerability scanner, possibly metasploit, using nmap to discover open ports and then probe deeper on its own.
Agreed, I've seen this before as well. I doubt it really has anything to do with Apple and likely the HP printer server software instead - being directly related to an nmap scan.
After playing around with it, I think that what is causing this to happen is that the JetDirect port on the printer (usually 9100) is getting written to by a port scanner. This will cause a printer using JetDirect to print out whatever gets sent to it on that port. Try it yourself if you have a printer that implements it. For me it was a Brother HD-5370DW.
1. telnet <printer> 9100
2. Type a hello world message.
3. Close the connection
4. The printer will print out whatever you typed. At least it did for me.
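The telnet experiment above and the nmap "Exclude" note earlier in the thread describe the same behaviour: a raw-print port has no handshake, so whatever a scanner sends arrives on paper. As an added example (not from any poster in the thread), this Python script parses the pasted nmap port table for printer services that should never face the Internet, then contrasts a careless banner probe with a connect-only check against a local stand-in for a JetDirect listener. The stand-in server, the loopback host/port and the probe request are constructed for the demo.

```python
import re
import socket
import threading

# Excerpt of the nmap output pasted earlier in the thread (HP all-in-one).
SAMPLE_NMAP = """\
80/tcp open http HP PhotoSmart/Deskjet printer http config (Virata embedded httpd 6_0_1)
9100/tcp open jetdirect?
9101/tcp open jetdirect?
9220/tcp open hp-gsg HP Generic Scan Gateway 1.0
"""

# Printer-service ports that should never be reachable from the Internet.
PRINTER_PORTS = {515: "lpd", 631: "ipp", 9100: "jetdirect", 9101: "jetdirect",
                 9102: "jetdirect", 9220: "hp-gsg", 9290: "hp-gsg"}

def printer_ports_from_nmap(output):
    """Return {port: service} for open printer-related ports in nmap's port table."""
    found = {}
    for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", output, re.M):
        port = int(m.group(1))
        if port in PRINTER_PORTS:
            found[port] = m.group(2).rstrip("?")
    return found

class FakeRawPrinter:
    """Constructed stand-in for a JetDirect listener: every byte received is 'printed'."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # ephemeral loopback port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.printed = b""
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            while chunk := conn.recv(4096):    # spool until the client closes
                self.printed += chunk
        self.sock.close()

    def wait(self):
        self.thread.join(timeout=5)             # wait for the 'job' to finish
        return self.printed

def banner_probe(host, port):
    """A careless version probe: pushes an HTTP request to see what answers."""
    request = b"GET / HTTP/1.1\r\nHost: printer\r\nUser-Agent: scanner\r\n\r\n"
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
    return request

def safe_port_check(host, port):
    """Connect-only check: confirms the port is open without sending a single byte."""
    try:
        with socket.create_connection((host, port), timeout=2):
            return True
    except OSError:
        return False
```

Against the stand-in, the banner probe's entire request comes back as "printed" bytes, while the connect-only check leaves the buffer empty; the same contrast is why nmap's service-probes file excludes T:9100-9102 by default.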
The strings contain "sqli" which some of the posters inferred to mean they were experiencing a SQL injection. I doubt this is actually the case. I will say, though, that I have a Brother printer like the one described where I work and have seen similar odd strings on papers that come out of it. At least one time, it's just printed gibberish. I think the common denominator is that these printers are openly shared on a network with a public IP (at least mine is...it's at a big University with public IPs for everybody). I don't know if this is related or not, though.
Spoke with a security guy years ago who got called to a company after they'd been accused of running a warez server. After a bit of digging around he finally found the server on a printer that was running some ancient un-patched version of Solaris.
Don't trust your printer! There were a lot of demos of printer hacks at 28c3 and basically I think I might not print anything ever again. A lot of these things have their firmware implemented in postscript. Updating the firmware consists of printing a special document. It's pretty mental tbh. Your jaw will be scraping along the floor at some of the holes these things have.
I've got an HP printer pretty similar to the one mentioned in the thread. In the course of trying to set it up, I by chance pointed my browser to the printer's network printing port. Interestingly enough it printed out all my browser headers. It seems like these printers just spit out anything that hits that port.
I once found a public printer which I don't think was supposed to be public. There wasn't any way to contact the owner since it appeared to be in a different country based on IP address.
...so I set it up as a printer and printed a bunch of lolcats to it.. A few days later it wasn't accessible any more =)
<snip>
I'm going to guess that the common theme here is that we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet.
</snip>
Seriously?! Ignoring the fact that I can't remember when I last printed something, who needs to print to their house from the internet? Can't they just print it when they get home?
Semi off topic anecdote: when I was at Lockheed the head of HR came to me with a Manila envelope and said "I need to know who printed this and when! And I need to know now!"
I took the envelope and looked at it... It was a bunch of prints of gay porn and gay porn websites.
After a few minutes of digging, it was revealed that one of the directors in the company had printed them late the night before. Checking the badge system, he wasn't in the building. Checked VPN logs and he was logged in at the time.
He was mistakenly on VPN from his house and printed stuff that went to his default printer which happened to be the one in the office.
He was previously thought to be a married straight guy.
- They have expensive software on a computer in one place that does not have a printer, and a printer at home without the software
- A couple that works from home likes to collaborate while one of them is on the road, with one printing stuff directly to home after meeting with clients
- They like to print stuff from work while things are on their mind (itineraries, boarding passes, etc.) so that they don't have to think about logistics once they're home with family
- etc.
Beware the sentence that starts with "Can't they just..."
I've actually found it useful in the past to be able to print stuff when I'm not in the office - not useful enough that I really care about the feature, just that since it's there it saves a small step in the alternative of emailing then having them open and print it.
For what it's worth, this issue (or an issue very similar to this issue) has been discussed on the nmap seclist.
From the email:
"....However, I've noticed a problem now that I've put this into production. When it scans a network printer, the printer spews out garbage, I have a couple wads of paper on my desk with one or two lines of garbage at the top of each page."
They're getting portscanned. I'm surprised this isn't common knowledge.
If you throw ascii at a jetdirect printer, it will generally just print it out for you. I've used this to debug printers before, as well as to goof around with my coworkers a bit.
This reminds me of when I was in college: I used to have VNC running on a public IP without any authentication (on purpose). Randomly, bots would connect, take over control of the screen, and print a bunch of test characters out in Notepad before disconnecting.
I don't know if they just hit it by luck or if they were actively looking for/testing/saving open VNC servers.
Pretty typical behavior when running vulnerability scanning against a printer target.
Many printers will simply print whatever data comes into certain ports. Have seen similar behavior many times when running web scanning against a printer accidentally instead of a webserver.
I get that this just looks like a scan but it's strange that half a dozen people reported it at the same time (so the problem is likely more widespread). How long would it take to send these packets to all public IPs in the world (real question, I have no sense of the scale of IP addresses)? I guess it could be that the IPs are known to be running printers by a previous scan. Maybe the printers contact home and HP accidentally sent them a bad message?
It seems to me that someone was scanning their network for specific services, probably some DBMS. The printer received the initial communications packet(s) and happily printed whatever was received.
Could this be related to Trojan.Milicenso or Trojan.Eorezo? This is the latest (although it's from June/July) threat I know of that prints random stuff.
rachelbythebay | 13 years ago
Hypothetically speaking, of course.
mjhall | 13 years ago
[0]: http://events.ccc.de/congress/2011/Fahrplan/events/4871.en.h...
[1]: http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.h...
cs702 | 13 years ago
--
[1] http://www.schneier.com/blog/archives/2008/01/my_open_wirele...
[2] http://news.ycombinator.com/item?id=4412522
guard-of-terra | 13 years ago
It's intractable.
Most user crypto has the same set of problems, btw.
Ixiaus | 13 years ago
This sounds somewhat similar.
b_emery | 13 years ago
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Accept: /
Pragma: no-cache
User-Agent:
CWuestefeld | 13 years ago
I'm certain you're correct. I've seen many SQL injection attacks, and not one of them has ever labelled itself as such.
JonnieCache | 13 years ago
Print Me If You Dare: http://www.youtube.com/watch?v=njVv7J2azY8
Hacking MFPs: http://www.youtube.com/watch?v=PqL5P46m_zQ
EDIT: Beaten by 4 hours. Oh well.
cantankerous | 13 years ago
http://seclists.org/nmap-dev/2006/q3/406
ethank | 13 years ago
The printer panopticon. Oh art school.
eternalban | 13 years ago
Oh "BBrother" what an ironic comment this is .. /takes off paranoid hat
borplk | 13 years ago
Most probably it comes from someone running penetration testing tools against the printer on the network
jpcosta | 13 years ago
http://www.symantec.com/connect/blogs/trojanmilicenso-paper-...
http://www.symantec.com/docs/TECH190982
http://isc.sans.edu/diary.html?storyid=13519