Subject: Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW)
 
From: Ltlw0lf (ltlw0lfNOSPAM.HOME.COM)
Date: Wed Apr 25 2001 - 13:59:16 CDT


    Summary - New Tektronix (Xerox) printers have covered up a security through
    obscurity flaw discovered in November, 1999 with more security through
    obscurity. The unauthenticated and unfiltered administrator configuration
    page on the PhaserLink webserver is now located at the URL
     http://printername/_ncl_subjects.shtml. Furthermore, Tektronix has added
    the item "Userid:" to the printer config page, supposedly to add more
    granularity (or obscurity) to the configuration process. However, this may
    allow unfiltered and unauthenticated users to discover the administrator's
    valid userid and password. And more, the printer's webserver cannot be
    turned off using the html interface.

    Background - On November 16, 1999, I posted a backdoor in the PhaserLink
    Webserver for Tektronix Printers. The backdoor allowed an attacker
    unfiltered and unauthenticated access to the configuration of the printer.
    Many of the Tektronix printers available at the time had this backdoor.
    A few days later, another bugtraq poster (I'm sorry, cannot find the name
    in the archive,) discovered that this vulnerability also allowed an
    unfiltered and unauthenticated user to ultimately physically deny service
    on the printer by forcing it into Emergency Power Off mode, which meant the
    printer would turn itself off without properly voiding the ink or crayon
    reservoir. If the reservoir cooled, the ink or crayons would coagulate, and
    the printer would be physically damaged. My post, and subsequent discussions
    on Bugtraq received the attention of many concerned administrators, who
    contacted me about the vulnerability and the fixes for the vulnerability.
    It also attracted the attention of a Tektronix bigwig which, after two weeks
    of silence from Tektronix after posting the bug (three weeks after
    contacting them about the bug,) sent me several threats (legal threats about
    releasing secret information.) After several meetings and emails flew around,
    it was mutually decided that this was a bad way of doing business, and that
    Tektronix would inform us of any other backdoors as well as work with us to
    fix them. In exchange, I'd not post any further advisories (although I did
    not agree with this, but due to their apparent effort to fix the problem, I
    have kept my mouth shut.)

    Unfortunately, they have not kept up their end of the bargain, and instead
    have made things more insecure as well as using more security through
    obscurity to hide the problem exposed in the first vulnerability report. As
    a matter of fact, the last communication we received from them on this issue
    was in the beginning of 2000. I think it is time to shake them up again
    because they obviously didn't learn anything the last time.

    Vulnerability - Tektronix apparently fixed the problem, but not in a secure
    fashion. I recently had the opportunity to play with several new 850
    printers. The new printers appear to have fixed the problem, at least in
    a majority of the half-dozen machines I have played with. Typing in the
    backdoor URL produced an Error 404 message. However, all of the webservers
    responded to the URL http://printername/_ncl_subjects.shtml. It appears that
    Tektronix covered up the URL after I posted the vulnerability report by
    changing the URL slightly. This was actually discovered during the testing
    of the printer. We noticed that most of the pages on the server now end with
    the extension .shtml. However, typing in the filename ncl_subjects.shtml also
    produced an Error 404. I accidentally typed _ncl_subjects.shtml at one point
    during the testing, and the page popped up. So Tektronix has "secured" the
    webpage by adding a "_" and an "s". This is literally the first time I have
    caught a backdoor by dumb luck, but it only took about 20 minutes of playing.
    The first URL was given to us by Tektronix Technical Support. But it
    definitely proves that one of the three reasons that security through
    obscurity fails is pure dumb luck.

    The new URL allows the same sort of access that the previous URL backdoor
    allowed. Configuration pages themselves live at the URLs
     http://printername/_ncl_items.shtml&SUBJECT=*, where "*" is the number
    corresponding to the particular configuration page. Again, Tektronix has
    included the ability to remotely (and unauthenticated) physically deny service
    to the printer by setting the "Shutdown" option on the
    URL http://printername/_ncl_items.shtml&SUBJECT=1 to "Emergency Power Off,"
    but I have yet to find someone willing to allow me to test this. Obviously
    setting "Factory Default" to true is a much less destructive Denial of Service
    as it resets the printer, but doesn't damage anything.

    Tektronix has added a whole new (and very bad) wrinkle to the HTTP config page.
    As previously discovered, the HTTP Config page on 740 machines allowed users to
    view the administrator password without any sort of authentication or
    filtering. This means that anyone on the planet can access this information
    and use it to reconfigure other parts of the machine using the
    URL http://printername/ncl_items.html&SUBJECT=2097. Tektronix now has both a
    userid and a password field available in plain-text by typing the
    URL http://printername/_ncl_items.shtml&SUBJECT=2097. This has the effect of
    essentially allowing an ignorant user (and believe me, any user who has a
    printer outside of a firewall is an ignorant one,) to broadcast their
    standard userid and password to the world. This allows an attacker to
    discover a potentially legitimate password on other computer systems, and
    the rest, as they say, is history.

    Furthermore, Tektronix has taken away one of the two fixes we proposed in the
    last advisory. One of our suggestions for network administrators to fix the
    problem was to use the "On" switch on the ncl_items.html&SUBJECT=2097 webpage
    to turn off the webserver on the printer, which apparently turned off this
    backdoor quite effectively. However, while the new printers still have this
    switch, the functionality of the switch has been broken or turned off, so this
    option is no longer available to network administrators. The only way to
    protect the printer from attack is to put it behind a firewall.

    I'm still playing, there may be more...

    Vendor Contact Status - vendor was contacted nearly 2 weeks ago, using the
    standard email addresses as well as some of the email addresses I had from
    before, and any email address I could garner from the website. Almost all
    of the emails bounced. Those that didn't bounce were autoresponders, and I
    have not received any communication back from the company. I expect they will
    again contact me 2 weeks after this email hits the list, and will again
    threaten me with the standard threats and complain that I didn't contact the
    right people back at their company ahead of time (somehow they expect I have
    awesome ESP skillz that can be useful in detecting the right people to send
    the email to, since I obviously have the skillz to find hidden URLs by
    mistyping my requests.)

    One thing that Tektronix spouted over and over again was that any hardship
    over security through obscurity was a local hardship. Nobody else ever
    complained about it. Feel free to tell them what you think, if you have a
    Tektronix printer, make your voice against security through obscurity heard,
    so it doesn't look like I'm the only one who has a problem with it.

    Shameless Plug - I will hopefully be speaking at this year's Toorcon in San
    Diego on printer insecurities. Please consult www.toorcon.com for more
    information.

    Contact Info - Send me email at ltlw0lfhome.com for more information, I am
    out of town for two weeks, but will get back to you asap.
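
Added example, not part of the original post: the advisory's only remaining mitigation is a firewall, so this sketch checks that the filtering holds by flagging requests for the PhaserLink admin pages that come from outside a management network. It assumes the printer's HTTP traffic passes a proxy or sensor that writes Common Log Format lines; the log lines, addresses and management subnet are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Admin paths named in the advisory. The optional "_" and "s" cover both the
# older (ncl_*.html) and the newer (_ncl_*.shtml) PhaserLink page names.
ADMIN_PATH = re.compile(
    r"^/(_?ncl_(?:subjects|items)\.s?html)(?:[&?]SUBJECT=(\d+))?", re.I)
# SUBJECT numbers the advisory singles out.
SENSITIVE = {"1": "shutdown / factory-default page",
             "2097": "HTTP config page (userid/password)"}
# Common Log Format: client ident user [time] "METHOD target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Describe a request target if it is a PhaserLink admin page, else None."""
    m = ADMIN_PATH.match(unquote(target))  # decode %26 / %3D before matching
    if not m:
        return None
    page, subject = m.groups()
    default = "configuration page" if subject else "configuration index"
    return f"{page}: {SENSITIVE.get(subject, default)}"

def scan(lines, mgmt_net):
    """Findings for admin-page requests from clients outside mgmt_net."""
    allowed = ipaddress.ip_network(mgmt_net)
    findings = []
    for line in lines:
        m = CLF.match(line)
        what = classify(m.group(3)) if m else None
        if what is None:
            continue
        client, method, _, status = m.groups()
        try:
            if ipaddress.ip_address(client) in allowed:
                continue
        except ValueError:
            pass  # logged as a hostname: treat as outside the management net
        findings.append((client, method, status, what))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2001:13:00:01 -0500] "GET /_ncl_subjects.shtml HTTP/1.0" 200 5120',
    '203.0.113.7 - - [25/Apr/2001:13:05:12 -0500] "GET /_ncl_items.shtml&SUBJECT=2097 HTTP/1.0" 200 2048',
    '203.0.113.7 - - [25/Apr/2001:13:05:40 -0500] "POST /_ncl_items.shtml&SUBJECT=1 HTTP/1.0" 200 512',
    '198.51.100.4 - - [25/Apr/2001:13:09:03 -0500] "GET /index.html HTTP/1.0" 200 900',
    '198.51.100.4 - - [25/Apr/2001:13:09:10 -0500] "GET /ncl_subjects.shtml HTTP/1.0" 404 120',
]
```

Calling scan(SAMPLE_LOG, "192.0.2.0/24") skips the management-network request and the ordinary page, and reports the other three lines; a 200 status on any finding means the admin page was served to a client the firewall should have blocked.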


     
