News Blog

January 9, 2008 1:02 PM PST

Remote printer spam made easy

by Robert Vamosi

Security researcher Aaron Weaver claims visiting a random Web site could send unwanted print requests to your nearest office printer.

In a paper published in November (PDF), and cited on Wednesday in a blog by Jeremiah Grossman of White Hat Security, Weaver demonstrates the code necessary for sending a formatted page to a remote network printer and, in another example, to an intranet-addressable fax machine. Since most network printers are behind the corporate firewall and therefore don't have security enabled, Weaver says that a simple iframe added to an Internet Web site could cause an internal network printer to start printing remotely.

The attack is derived from techniques employed within a project called hacking network printers by Adrian "Irongeek" Crenshaw. Weaver notes that most network printers listen on port 9100 and that you can telnet to port 9100, type text, and, once you disconnect, the text will print remotely. That's fine, but he ventures further that network printers also accept PostScript and Printer Control Language (PCL) code, which creates more interesting printouts.

Weaver writes "within the last year there have been new discoveries on attacking the intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the 'image' resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings."

Add to that list, printer spam. "The attack could be initiated by creating a hidden iframe, and then creating a form and submitting the contents to the printer. Since the connection will not close, a setTimeout could be used to cancel the request so that the printer would print the request."

As a demonstration, Weaver shows how to send an ASCII-drawn advertisement for frogs, and later, using PCL, a message in 20-point Courier: "Your printer is mine!"

One positive use for this would be for the IT or HR department to send a persistent banner reminding employees about the company's printer use policies. A negative use would be to remotely spam all the printers on the local intranet.

At the end of the short paper, Weaver offers some remediation. "First always have an administrator password set on your printer. Secondly look at restricting access to the printer so that it only accepts print jobs from a centralized print server."
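A defensive check for the iframe-and-form technique described above, as an added example that is not from Weaver's paper or this article: a browser that submits a form to port 9100 necessarily starts the stream with an HTTP request line and headers, so a print server or filter in front of the printer can flag such jobs before they reach paper. The function name, sample payloads, and addresses are constructed for illustration.

```python
import re

# Request line a browser emits first when a form is submitted to a raw print port.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\r?\n")
HEADERS_OF_INTEREST = ("host", "origin", "referer", "user-agent", "content-type")


def inspect_raw_job(payload: bytes) -> dict:
    """Classify the start of a job received on a raw (port 9100) listener."""
    match = REQUEST_LINE.match(payload)
    if not match:
        return {"verdict": "allow", "reason": "no HTTP request line"}

    rest = payload[match.end():]
    head, sep, body = rest.partition(b"\r\n\r\n")
    if not sep:  # tolerate header blocks terminated with bare LF
        head, sep, body = rest.partition(b"\n\n")

    headers = {}
    for line in head.splitlines():
        name, colon, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        if colon and key in HEADERS_OF_INTEREST:
            headers[key] = value.strip().decode("latin-1")

    return {
        "verdict": "drop",
        "reason": "HTTP request sent to raw print port",
        "method": match.group(1).decode(),
        "headers": headers,  # Referer/Origin point at the page that triggered it
        "body_bytes": len(body),
    }


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "pcl": b"\x1bEQuarterly report\r\n\x1bE",  # starts with the PCL reset, ESC E
    "text": b"Hello from the print server\r\n",
    "browser_form": (
        b"POST / HTTP/1.1\r\n"
        b"Host: 10.0.0.25:9100\r\n"
        b"Referer: http://site.example/page.html\r\n"
        b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
        b"--XX\r\nContent-Disposition: form-data; name=\"t\"\r\n\r\n"
        b"unwanted page\r\n--XX--\r\n"
    ),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, inspect_raw_job(data))
```

The check complements, and does not replace, the two remediations Weaver lists: it only helps where jobs pass through a host you control, which is what restricting printers to a centralized print server provides.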

Originally posted at Defense in Depth
November 8, 2007 3:07 PM PST

MySpace attack uses background images not iframes

by Robert Vamosi

Security researcher Roger Thompson has found a new way to link to malicious servers that doesn't involve iframes (inline frames). An attack in June used cross-site scripting to place malicious iframes on legitimate Web sites. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; iframes can also be used by criminal hackers to redirect browsers to malicious-code sites.

"The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size...8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site," Thompson wrote on his blog. In particular, he found this trick used on the Alicia Keys MySpace.com page.

"The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra."

Thompson notes that the HTML code links to a site in China that is not indexed on Google or Yahoo. When CNET News.com tried the URL mid-afternoon on Thursday, a message said the URL was down for maintenance.

Thompson has posted a YouTube video of the attack here.

June 18, 2007 1:31 PM PDT

Massive Web attack gains momentum

by Robert Vamosi

[Figure: The IFrame code that leads to drive-by exploits. (Credit: Trend Micro)]

Over the weekend, thousands of legitimate English-language Italian Web sites fell victim to one line of code. Taking advantage of the trust the users have in the sites they visit, the malicious code silently redirects browsers via JavaScript to servers containing a variety of drive-by exploits. If the visiting computer is unpatched for a variety of operating system, browser, and specific application flaws, malicious code is downloaded. Once installed, the new software can then be used to steal personal information or enlist a compromised machine in attacks on other machines. According to security vendor Websense, the attack now affects over 10,000 Web sites worldwide, and that list continues to grow. According to Trend Micro, servers hosting some of the malicious code have been traced to Chicago, the San Francisco Bay Area, and Hong Kong.

[Figure: Steps used by Mpack. (Credit: Trend Micro)]

The attack, dubbed Mpack, uses cross-site scripting to place malicious IFrames on legitimate Web sites. IFrames are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; IFrames can also be used by criminal hackers to redirect browsers to malicious-code sites. Trend Micro believes this latest attack was automated. Websense reports that the server where users are redirected includes a counter that shows large numbers of visitors from Italy, Spain, and the United States.

Fortunately, there are a number of variables here. First, you must accidentally happen upon a vulnerable site, then your computer must have one of several browser vulnerabilities present for the attack to take root. According to Trend Micro, the component that serves up the browser vulnerabilities is browser aware, able to infect your specific browser of choice. Assuming it can, the attack then downloads various Trojans designed to steal personal information.

To prevent such an attack, Trend Micro urges everyone to be aware of sites requiring software installation; do not allow software installation unless you trust the site and the provider of the software. Keep your PC software fully patched and be sure your antivirus protection is updating properly. And, of course, be wary of any unexpected e-mail and e-mail attachments.

For more on this specific attack, antivirus vendor Panda has prepared a 28-page PDF that provides granular detail.
