[ale] Print Server Owned?

Alex Carver agcarver+ale at acarver.net
Thu Oct 24 21:22:23 EDT 2013


On 10/24/2013 18:07, Stephen R. Blevins wrote:
> Anyone ever hear of a print server being "owned."  I do *not* have that
> problem but I am seeking ways to prevent it from happening, if it is
> indeed possible.
> 
> I have an HP 7310 All-In-One printer, that has an Ethernet connection,
> suggesting that it can be connected directly to my home LAN and will
> serve all systems on that LAN.  The printer is currently USB-connected
> to a Linux Ubuntu 10.4 system (I'll be upgrading to the next Mint LTS
> release when it comes out).  We have a Netgear N750 Wireless Dual Band
> Gigabit ADSL Modem Router Model DGND4000 Premium Edition, which I don't
> believe has a firewall of its own.
> 
> I am hesitant to directly connect the printer to the LAN, but I am open
> to suggestions.
> 
> Questions, or clarifications?  Feel free to ask.

Something like this has been discussed in various forms for some time.
Some of it was focused more on the advanced, large office devices
(mopiers and large lasers) that have on-board web interfaces, file
storage, and the like.  I would have to dig up some references that I've
had to various articles but it involved forcing the device to accept a
remote firmware update that contains a rogue payload turning the machine
into a bot.

The launch point of the attack on the device in some cases tended to be
another compromised desktop machine somewhere on the same network
segment.  Apparently if the machine were exposed to the public at large
that is an entirely different vector but most of the discussions
centered around compromising one desktop which then sought out all the
available printers and attempted to break into them.

Most likely what I would start with is a solid firewall with an outbound
rule to keep the printer from sending data out to the WAN.  If it were
to be compromised by some other vector such as another machine (since
the firewall should be blocking inbound packets entirely), the outbound
rule would prevent the printer from contacting a command-and-control
server to obtain any instructions.  So while it is compromised, it can't
do anything. (I had this happen to a machine that had a root exploit in
exim.  The inbound and outbound firewall rules (on a separate firewall
machine) prevented it from contacting the CAC so the attempt failed
because they couldn't get to the backdoor daemon.)
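One concrete shape for the firewall rules Alex describes, as an added example that is not from this thread: an nftables ruleset for a Linux box routing between the LAN and the WAN, which refuses new connections from the Internet to the printer and logs, then drops, anything the printer tries to send out. The printer address, the WAN interface name and the table name are constructed placeholders, and the script assumes a router running nftables.

```shell
#!/bin/sh
# Added example, not from the ALE thread: pin a network printer to the LAN
# on a Linux LAN/WAN router. PRINTER_IP and WAN_IF are assumed values;
# give the printer a DHCP reservation so the address stays fixed.
PRINTER_IP="${PRINTER_IP:-192.168.1.50}"   # constructed printer address
WAN_IF="${WAN_IF:-ppp0}"                   # assumed WAN-facing interface

# Emit the ruleset as text so it can be reviewed or diffed before loading.
printer_ruleset() {
    cat <<EOF
table inet printer_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Nothing on the Internet may open a connection to the printer.
        iifname "$WAN_IF" ip daddr $PRINTER_IP ct state new drop

        # Log, then drop, anything the printer sends toward the WAN. A hit
        # here is the detection signal: a printer has no business talking
        # to the Internet, so a log line is worth investigating.
        ip saddr $PRINTER_IP oifname "$WAN_IF" log prefix "printer-egress: " drop
    }
}
EOF
}

# Load the ruleset into the kernel (needs root and the nft tool).
apply_printer_ruleset() {
    printer_ruleset | nft -f -
}

# Self-check: number of rules that drop traffic involving the printer.
printer_drop_rule_count() {
    printer_ruleset | grep -c "$PRINTER_IP.* drop"
}

case "${1:-show}" in
    apply) apply_printer_ruleset ;;
    *)     printer_ruleset ;;
esac
```

Run it with no arguments to review the generated rules and with `apply` to load them. Because LAN clients and the printer sit on the same segment, their traffic never crosses the router's forward hook, so printing keeps working; the same fact means this firewall cannot protect the printer from an already compromised desktop on that segment, which is exactly the scenario Alex raises. The `printer-egress:` log prefix is what to watch in the kernel log: any entry means something on the printer is trying to reach out.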