Difference between revisions of "Software packages"

From Hacking Printers
Revision as of 13:08, 23 January 2017

In recent years, printer vendors have started to introduce the possibility to install custom software on their devices. The format of such ‘printer apps’ is proprietary and the SDKs are not available to the public. The feature of writing customized software that runs on printers was intended for, and is reserved to, resellers and contractors, not end-users. In this way a printer fleet can be adapted to the special needs and business processes of a company, and document solution providers can easily integrate printers into their management software. One popular example is NSi AutoStore [1], which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat. Furthermore, code signing of software packages is potentially harder than it is for firmware, as software is not only written by the printer manufacturer but by a broader range of developers, who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs, which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.

Vendors

The following gives a rough outline of the software platforms provided by major printer vendors to extend the functionality of their devices.

HP (Chai/OXP)

HP introduced their ‘Chai Appliance Platform’ in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first [2], access was later restricted to members of HP's developer network. Chai servlets come as .jar files, which originally needed to be certified and signed by HP before a printer device would accept them. The authors of [3] discovered a flaw in the deployment process: by installing EZloader – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: [4] were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on [5], who extended the device to support load balancing and included the required SDK files and proprietary Java libraries in their demonstration. With these libraries, arbitrary Java code can be compiled and executed on older HP LaserJets by uploading the .jar files to a ‘hidden’ URL: http://printer/hp/device/this.loader. This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from /dev/rdsk_jdi_cfg0 with PostScript (see file system access) or bypassed by resetting the device to factory defaults. A web attacker can upload the .jar file using CSRF if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ (OXP) instead of Chai, for which no SDK is publicly available.
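Since later Chai versions accept unsigned .jar files, the signing check has to happen before a package is deployed. The following script is an added example (not code from the Hacking Printers wiki or from any vendor SDK) that inspects a Java archive the way a reviewer would before pushing it to an MFP: it reports whether signature files are present under META-INF/ at all and whether every stored entry matches the SHA-256 digest recorded for it in MANIFEST.MF; the sample archive, class names and file contents are constructed.

```python
"""Pre-deployment integrity check for a Java 'printer app' (.jar): are signature files
present under META-INF/, and does each stored entry match the SHA-256 digest recorded
for it in META-INF/MANIFEST.MF?  Added example, not code from the Hacking Printers wiki
or from any vendor SDK; the sample archive and class names at the bottom are constructed."""
import base64
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # jar signature file and signature block suffixes

def digest(data: bytes) -> str:
    """Digest encoding used by jar manifests: base64 of the raw SHA-256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF with one 'Name:' / 'SHA-256-Digest:' section per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()

def parse_manifest(text: str) -> dict:
    """Map entry name -> expected base64 SHA-256 digest from the manifest sections."""
    expected, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            expected[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None  # a blank line ends the current section
    return expected

def check_jar(jar_bytes: bytes) -> dict:
    """Report signature-file presence, digest mismatches and entries the manifest omits."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        has_sig = any(n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES) for n in names)
        manifest = zf.read("META-INF/MANIFEST.MF").decode() if "META-INF/MANIFEST.MF" in names else ""
        expected, mismatched, unlisted = parse_manifest(manifest), [], []
        for n in names:
            if n.startswith("META-INF/"):
                continue  # the manifest and the signature files themselves are not digested
            if n not in expected:
                unlisted.append(n)
            elif expected[n] != digest(zf.read(n)):
                mismatched.append(n)
    return {"has_signature_block": has_sig, "mismatched": mismatched, "unlisted": unlisted}

def make_jar(listed: dict, written: dict = None) -> bytes:
    """Constructed sample jar: digests cover `listed`, the files stored are `written`
    (defaults to `listed`), so a differing `written` simulates a package altered later."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(listed))
        for name, data in (listed if written is None else written).items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: one servlet class with made-up bytecode, as listed in its manifest.
APP = {"com/example/PrintServlet.class": b"\xca\xfe\xba\xbe sample bytecode"}
```

Presence of a signature block is only a prerequisite: the block itself still has to be verified against a trusted vendor certificate (for example with `jarsigner -verify -verbose -certs`), which this check does not do.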

Canon (MEAP)

The ‘Multifunctional Embedded Application Platform’ (MEAP) is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third-party developers can obtain the MEAP SDK for a fee of $5,000, which is certainly out of scope for research purposes.

Xerox/Dell (EIP)

The ‘Extensible Interface Platform’ (EIP) [6] was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The SDK is freely available for registered developers.

Brother (BSI)

The ‘Brother Solutions Interface’ (BSI) is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the SDK is available to licensed developers.

Lexmark (eSF)

The ‘Embedded Solution Framework’ (eSF) was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to [7] ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.

Samsung (XOA)

The ‘eXtensible Open Architecture’ (XOA) was introduced by Samsung in 2008 and comes in two flavours: the XOA-E Java virtual machine and the web services based XOA-Web. The SDK is only available to Samsung resellers.

Ricoh (ESA)

The ‘Embedded Software Architecture’ (ESA) [8] was launched by Ricoh in 2004. The Java-based SDK/J is available to developers after a registration.

Kyocera/Utax (HyPAS)

The ‘Hybrid Platform for Advanced Solutions’ (HyPAS) [9] was released by Kyocera in 2008. Applications are based either on Java or on web services. The SDK is only available for members of the ‘HyPAS Development Partner Programme’, and applications have to be approved by Kyocera.

Konica Minolta (bEST)

The ‘bizhub Extended Solution Technology’ (bEST) [10], which is based on web services, was introduced by Konica Minolta in 2009. Access to the SDK requires ‘platinum membership level’ in the developer program for a fee of $4,000, which is out of scope for independent researchers.

Toshiba (e-BRIDGE)

The ‘e-BRIDGE Open Platform’ (e-BRIDGE) was released by Toshiba in 2008 to customize their high-end MFPs based on web services technology. An SDK is not available to the general public.

Sharp (OSA)

The ‘Open Systems Architecture’ (OSA) [11] was announced by Sharp in 2004. The SDK used to develop web services is fee-based and applications need to be validated by Sharp before they can be installed on an MFP.

Oki (sXP)

The ‘smart eXtendable Platform’ (sXP) [12], which is based on web services, was launched by Oki Data in 2013 for their MFP devices. Oki does not publish any information regarding an official developer program or a publicly available SDK.

Results

On older HP laser printers, arbitrary Java bytecode can be executed, as demonstrated by [3] and [4]. Security is based on the password of the embedded web server, which can easily be read out with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of the other software platforms due to the lack of access to their SDKs and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below:

Vendor           Platform   Embedded Java   Web services   Deployment
HP               Chai/OXP   ✔               ✔              web server
Xerox/Dell       EIP                        ✔              ?
Canon            MEAP       ✔               ✔              ?
Brother          BSI                        ✔              ?
Lexmark          eSF        ✔                              ?
Samsung          XOA        ✔               ✔              web server
Ricoh            ESA        ✔                              ?
Kyocera/Utax     HyPAS      ✔               ✔              USB drive
Konica Minolta   bEST                       ✔              ?
Toshiba          e-Bridge                   ✔              ?
Sharp            OSA                        ✔              ?
Oki              sXP                        ✔              ?

(✔ = technology supported by the platform; ? = deployment procedure not known)

How to test for this attack?

Obtain an SDK and write your own application or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP).

Who can perform this attack?

This depends on how software packages are deployed.



  1. NSi AutoStore, Nuance Communications, Inc. http://www.notablesolutions.com/products/nsi-autostore/
  2. Java API für HP-Drucker, heise online, 2001. https://www.heise.de/newsticker/meldung/Java-API-fuer-HP-Drucker-54026.html
  3. Attacking Networked Embedded Devices, FX and FtR of Phenoelit, Black Hat USA, 2002
  4. Exploiting Network Printers, J. Müller, 2016, p. 59
  5. Distribuição Balanceada de Jobs em uma Rede de Impressoras, L. Waechter, 2005
  6. From Peripheral To Platform: MFP Software Development Tools and Xerox's Extensible Interface Platform, B. Bissett, 2016. http://www.it-executive.nl/images/downloads/Extensible%20Interface.pdf
  7. Security Features of Lexmark Multi-Function and Single Function Printers, Lexmark International, 2013, p. 6. http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf
  8. White Paper: Embedded Software Architecture SDK, Ricoh Company, Ltd., 2014. http://ricoh.com/esa/pdf/white_letter.pdf
  9. Kyocera's HyPAS Technology – A Whitepaper, Kyocera Corp., 2013. http://www.officeproductnews.net/sites/default/files/imce/KyoceraWhitepaper_0.pdf
  10. Konica Minolta's bizhub Extended Solution Technology (bEST) Software Development Platform for MFPs, B. Bissett, 2009. http://www.biz.konicaminolta.com/technologies/best/pdf/bEST_Whitepaper.pdf
  11. Sharp OSA – Informationen für Sharp Fachhändler, Sharp K.K., 2009. http://www.kelo-kopiertechnik.de/uploads/prospekte/loesungen/Prospekt%20OSA.pdf
  12. Office Solution with Multifunction Printer, N. Toshiyuki and T. Ito, Oki Electric Industry Co., Ltd., 2016. http://www.oki.com/en/otr/2016/n227/pdf/otr-227-R05.pdf