The first time TRUE compromised a Windows domain using this printer misconfiguration our jaws dropped to the floor.
We had just escalated from zero access to Domain Administrator in under two minutes through the printer user interface. The keys to the kingdom were in our hands. It doesn't get much better than that for a penetration tester. And, it doesn't get much scarier than that for an organization.
Luckily, the vulnerable organization had hired us to perform a penetration test on their network. TRUE told them exactly how we were able to gain Domain Administrator access, and they were able to quickly reconfigure the printer to plug the hole.
Imagine if we had been the bad guy. How long (if ever) would it have taken the company to realize the attacker used a printer misconfiguration to escalate privileges?
Fast forward a month, and I find this same vulnerability in another penetration test for a different organization. Again, it escalated from zero to Domain Administrator with little effort, all thanks to a printer.
We wondered how many organizations are vulnerable to this very issue. Does your penetration test include printers? It should.
We are going to walk you step-by-step through the exact process used to compromise two different companies using a printer misconfiguration. Then, we will tell you exactly how to fix the vulnerability. By the end of this blog, we can pretty much guarantee that you will be checking your printer configurations.
During penetration tests, TRUE always reviews systems for default passwords. There's a reason why the PCI DSS has a dedicated requirement (requirement 2.1) for changing default passwords. Inevitably we find a handful of systems with default or easily guessed passwords configured. Most of the time IT admins are unaware these default accounts even exist.
Printers are by far the biggest offenders. Typically, printers are set up hastily, because why secure a printer anyway, right?
Well, I'll tell you why.
One of the more useful features in modern printers is the ability to scan a document at the printer and email it to someone from the printer. In order to facilitate this, many printers integrate with the LDAP server to retrieve a list of valid email addresses.
Then, instead of having to remember the recipient's email address and type it on a clunky touchscreen, the printer can auto-populate the recipient's email address as you begin to type.
Many printers have an LDAP Authentication or Configuration setting section where you can input credentials for the printer to connect to the LDAP server and retrieve valid email addresses.
In these two vulnerable organizations, the IT admins did not follow the principle of least privilege and configured the LDAP connection settings with a Domain Administrator account.
If you configure a password in the printer's web user interface, it will usually appear masked. Instead of the characters of the password, you will see a series of dots or stars where the password should be.
IT Admins see that the password is masked and think the password is secure. If the IT Admin can't see the password, then an attacker won't be able to, right?
Printers are not the most secure devices. Printer companies make money on the speed, quality, and reliability of the printer. They don't make money on how secure the user interface is. So you end up with features like LDAP integration that are often inadequately secured.
About half of the printers we come across mask passwords in the user interface, but reveal the password in the web source. TRUE uses a free Firefox extension called Web Developer. The Web Developer extension has a "Display Password" tool that visibly unmasks passwords. Below is a screenshot from a recent penetration test after we used Web Developer to display passwords.
TRUE blacked out the sensitive information, but you get the idea. Once we have a Domain Administrator's password it's pretty much game over. We have administrator access to all Windows systems on the domain.
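Masked password fields can be audited without a browser extension: save the printer's settings page (View Source) and check whether any `<input type="password">` carries its stored value in the `value` attribute. The script below is an added example, not TRUE's tooling or any printer vendor's code; the HTML page it inspects is constructed to resemble such a settings form, and the account and password in it are invented. It reports only the names of the affected fields, never the secret itself.

```python
"""Audit a saved printer configuration page for password fields whose
stored value sits in the HTML source (added example, not TRUE's tooling)."""
from html.parser import HTMLParser

# Constructed sample of what a printer's LDAP settings page source can look like.
# The browser renders the password field masked, but the credential is present
# in the value attribute, which is exactly what "Display Password" tools reveal.
SAMPLE_PAGE = """
<html><body>
<form action="/ldap_settings" method="post">
  <label>LDAP Server</label>
  <input type="text" name="ldap_server" value="dc01.corp.example">
  <label>Bind Account</label>
  <input type="text" name="ldap_user" value="CORP\\Administrator">
  <label>Bind Password</label>
  <input type="password" name="ldap_pass" value="S3cretP@ss!">
  <label>SMTP Password</label>
  <input type="password" name="smtp_pass" value="">
  <input type="submit" value="Apply">
</form>
</body></html>
"""


class PasswordFieldAuditor(HTMLParser):
    """Records every <input type="password"> and whether its value attribute is populated."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, value present?)

    def handle_starttag(self, tag, attrs):
        # Self-closing <input .../> also lands here via HTMLParser's default handle_startendtag.
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        self.findings.append((a.get("name", "<unnamed>"), bool(a.get("value"))))


def _audit(page_html):
    auditor = PasswordFieldAuditor()
    auditor.feed(page_html)
    auditor.close()
    return auditor.findings


def leaked_password_fields(page_html):
    """Return the names of password fields whose saved value the page embeds in its source.
    Only the field name is reported; the secret itself is never echoed."""
    return [name for name, populated in _audit(page_html) if populated]


def password_fields_seen(page_html):
    """Return the names of all password fields on the page, leaked or not (for coverage)."""
    return [name for name, _ in _audit(page_html)]


if __name__ == "__main__":
    leaked = leaked_password_fields(SAMPLE_PAGE)
    for name in leaked:
        print(f"FINDING: password field '{name}' is populated in the page source; "
              "the masking is cosmetic, so rotate the credential and reconfigure the device")
    if not leaked:
        print("No password values embedded in the page source")
```

Run it against the saved source of each printer's LDAP, SMTP and proxy settings pages. A field that shows up as populated means anyone who can reach the printer's web interface with its (often default) admin password can read that credential, which is the situation the screenshot above illustrates.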
The remediation instructions to these organizations are pretty clear.
- Configure non-default administrator passwords on all printers.
- Disable LDAP authentication if not needed. If needed, configure LDAP authentication with a least-privileged account (e.g. a non-privileged, dedicated Active Directory account).
*BONUS POINTS* There's also one more issue with the configuration in the screenshot above. Any idea what it is?
The LDAP Server Bind Method should be changed from "Simple" to "Simple over SSL." This will encrypt the credentials when they are sent to the LDAP server over the network.
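The domain controller can confirm both problems from its side. When LDAP interface diagnostics are raised to level 2 (the "16 LDAP Interface Events" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics), each simple bind over cleartext LDAP is logged as event 2889 in the Directory Service log with the client address, the identity used and a "Binding Type" of 0. The script below is an added example, not part of TRUE's write-up or any Microsoft tooling: it parses such messages, flags simple binds by accounts that should never be configured into a printer, and lists every client still using Simple bind so it can be moved to "Simple over SSL." The event text is constructed to mirror the real event's wording, and the account names, addresses and privileged-account list are invented.

```python
"""Spot privileged accounts performing cleartext LDAP simple binds in Directory Service
event 2889 records (added example, not TRUE's tooling).

Assumption: LDAP Interface Events diagnostics on the domain controller have been raised to 2
(registry value "16 LDAP Interface Events" under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics), so every unsigned or
cleartext bind is logged as event 2889. The messages below are constructed to mirror that
event's wording; the account names and addresses are invented."""
import re

# Accounts whose credentials should never be configured into a printer (constructed list).
PRIVILEGED_ACCOUNTS = {"corp\\administrator", "corp\\da-helpdesk"}

SIMPLE_BIND = "0"    # Binding Type 0: simple bind over cleartext LDAP
SASL_UNSIGNED = "1"  # Binding Type 1: SASL bind without signing

_PREFIX = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
           "without requesting signing (integrity verification), or performed a simple bind over "
           "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n")

SAMPLE_EVENTS = [
    _PREFIX + "Client IP address:\n10.10.20.45:51234\n"
              "Identity the client attempted to authenticate as:\nCORP\\Administrator\n"
              "Binding Type:\n0",
    _PREFIX + "Client IP address:\n10.10.30.7:49800\n"
              "Identity the client attempted to authenticate as:\nCORP\\svc-printer-ldap\n"
              "Binding Type:\n0",
    _PREFIX + "Client IP address:\n10.10.20.45:51301\n"
              "Identity the client attempted to authenticate as:\nCORP\\jsmith\n"
              "Binding Type:\n1",
]

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d)")


def parse_event_2889(message):
    """Extract (ip, identity, binding type) from one event 2889 message, or None if it doesn't match."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return m.group("ip"), m.group("identity"), m.group("btype")


def cleartext_privileged_binds(messages, privileged=PRIVILEGED_ACCOUNTS):
    """Return (ip, identity) for each simple bind over cleartext LDAP by a privileged account.
    A hit means some device is configured with admin credentials and sends them unencrypted."""
    hits = []
    for msg in messages:
        parsed = parse_event_2889(msg)
        if parsed is None:
            continue
        ip, identity, btype = parsed
        if btype == SIMPLE_BIND and identity.lower() in privileged:
            hits.append((ip, identity))
    return hits


def simple_bind_clients(messages):
    """Return the set of client IPs still using Simple (cleartext) bind: candidates to move to
    "Simple over SSL" and to look up in the asset inventory (printers are frequent offenders)."""
    return {p[0] for p in map(parse_event_2889, messages) if p and p[2] == SIMPLE_BIND}


if __name__ == "__main__":
    for ip, who in cleartext_privileged_binds(SAMPLE_EVENTS):
        print(f"ALERT: {who} performed a cleartext simple bind from {ip}")
    print("Clients still using simple bind:", sorted(simple_bind_clients(SAMPLE_EVENTS)))
```

On a domain controller the messages can be exported with `Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]'` and the `Message` property of each record fed to these functions. The privileged-account alert catches the least-privilege violation from the first remediation point; the simple-bind inventory catches every device that still needs the bind method switched to "Simple over SSL."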
A penetration test can help you identify your most critical, exploitable vulnerabilities. These companies are fortunate that these critical risks were found by us and not by the adversary.
It still amazes us how small misconfigurations can lead to large consequences.
Learn from these organizations' experiences and follow TRUE's three takeaways:
- Ensure your penetration testing scope includes more than just your workstations and servers. The scope should include printers, VoIP phones, switches, and other embedded devices. These devices are often the biggest security offenders and can leave your organization exposed.
- Ensure your penetration testing methodology includes testing all systems for default passwords.
- Use a professional penetration testing company. Even if you have a highly qualified internal resource with significant experience, a second set of eyes will likely identify additional risks.
Reach out to TRUE to discuss your next penetration test. Our penetration tests are of high quality and provide you with concise, prioritized remediation instructions. Your network will be more secure and you will sleep better at night.