Press "Enter" to skip to content

From a Printer to Full Control

In securing a network, printers and related Internet of Things (IoT) devices are often overlooked, despite its commodity in offices and homes. Printers are seldom locked down and are often available for anyone to use. While great from a convenience standpoint, it opens the opportunity for an attacker to exercise and abuse this latitude and establish a route of escalation in the network, often bypassing existing security measures in the process. 

Printers – from an attacker’s standpoint 

Through the eyes of an adversary, printers are among the easiest devices to access in the reconnaissance phase. Not only are they overwhelmingly unprotected, but they store a plethora of personal information that could be used maliciously. 

Default credentials 

Default credentials are an initial way to access the administrative dashboard of a printer right out of the box. However, many do not require users to change the administrative password, and some may not even require authentication to gain full access of the device. As a result, most printers found on networks have predictable, known passwords, or no password at all, which provides a near-frictionless path to loads of sensitive information. 

Address book 

The first to mention is called the address book. This is simply a database of user information held locally on the printer, either for authentication or for information about what users are doing. Address books can contain email addresses, first and last names, phone numbers, and FAX information. In less common scenarios, printers can store passwords, and even have permissions to write to external file shares. 

Documents in flight 

Depending on the printer, resources such as the print queue, print history, or documents being printed or scanned can be viewed with relative ease. As a result, information from letters and photos can be viewed all the way up to confidential or sensitive documents, such as passport information, driver’s license information, tax forms, social security cards, and other personally identifiable information (PII).  

Insufficient updates 

Printers are often viewed as a “set and forget” device. Meaning, once they’re plugged in and on the network, no further configuration is needed (mostly). In the long term, this poses a major problem as printers that require manual updates can sit for months, sometimes even years without receiving the newest security patches. This opens the opportunity for attackers to utilize old or outdated exploits for known, unpatched vulnerabilities.

Outdated / excessive protocols 

For the ease of compatibility, some printers come with multiple settings enabled by default that pose security risks. From coming out of the box with Anonymous FTP access enabled, Telnet enabled, AirPrint enabled, and more, an attacker can pull down stored information, reconfigure settings on the printer, or even perform a simple denial of service by printing excessively, causing low-level financial damage. 

A real-world example: CVE-2022-1026 

What is CVE-2022-1026? 

CVE-2022-1026 is an address book exposure exploit discovered by Rapid7 researcher Aaron Herndon. By abusing vulnerable versions of Net View, a remote management software for administering Kyocera printers, it was discovered that the function to export the address book does not require authentication, allowing an unauthorized user to extract everything in plaintext. 

According to Rapid7, the team who developed the exploit, the two printers they tested to be vulnerable are the ECOSYS M2640idw and the TASKalfa 406ci, both of which are extremely common in household and business environments. It should be noted, however, that this more broadly impacts Kyocera multifunction printers that support Net View, so the affected models are likely much higher. 

On Rapid7’s disclosure post, the proof-of-concept code is publicly accessible for anyone to download and use. 

Exploit demonstration 

The following demonstration is only intended for educational use. Before continuing with the example, it must be emphasized that this is a form of cyber-attack, and engaging upon an unauthorized network or device is illegal. If you were to follow along, only proceed with full certainty you have permission. 

After downloading the PoC code, running the exploit is as simple as saving it as a python file and passing one argument, being the IP address of the victim printer.  

CVE-2022-1026 PoC command

After waiting around a minute, the vulnerable machine should populate the address book and dump it as raw XML data.

Populating address book
XML dump (redacted for privacy)

To make it more readable, we can write the XML address book data into a file. Following this we can use a neat tool called yq to output the XML data in an organized way akin to JSON.  

using yq to view the XML data

Looking at the address book data, we can see information such as usernames, email addresses, user IDs, fax information, ftp information, and SMB information, with plaintext passwords depending on if that field is populated per user. 

beginning of XML dump

Here’s an example of one user in the address book containing information for various services:  

User in address book with stored SMB information, etc.

During a real engagement, the team was gathering information about users on a network and discovered the following path via a printer:

  • Administrative access through default credentials 
  • Access to printer address book 
  • Valid emails, first and last names, etc. 
  • Noticed printer was storing user SMB credentials 
  • Used CVE-2022-1026 to dump the address book in plaintext 
  • Found Domain Administrator credentials in the dump
  • Established full control of every domain-connected device, bypassing the existing – and notably strong – security in the network

Printers are computers too! 

Just like any traditional workstation, server, or other device on a network, consistent patching and hardening are crucial to a strong and secure infrastructure. No two networks are the same and implementing the right security practices will vary. With that in mind, here are some broad guidelines to help harden your printers: 

  • Keep firmware updated 
  • Change default administrative credentials 
  • Enforce user passwords to use the printer 
  • Disable address book / print history if not required 
  • Disable outdated and unused protocols (FTP, Telnet, AirPrint, etc.) 
  • Consider placing printers on their own VLAN  

For the devices affected by CVE-2022-1026 specifically, Kyocera released an official statement highlighting the intention to update the affected firmware. With this statement released in April of 2022, ensure affected multifunction printers are running the newest firmware. If an update is required, Kyocera has a tool called Firmware Upgrade Tool, with a manual on how to use the tool if needed. 

References

Leave a Reply

Your email address will not be published. Required fields are marked *