Most devices nowadays, like printers, scanners and VoIP systems, have embedded web servers for easy administration. Unfortunately, many of these devices are left unprotected because of lapses in configuration. Some servers are not configured properly (they can be accessed using the default user name and password), while others have no form of protection at all. What's worse is that these lapses leave the embedded web servers reachable by the general public, potentially leading to information disclosure.
This is basically what Michael Sutton showed at the Black Hat USA 2011 briefings. His talk about embedded web servers (EWS) and the hidden threats they pose revealed a number of devices with EWS that are publicly accessible on the Internet.
For example, HP scanners with the webscan feature (which allows a document to be scanned remotely) can give access to documents that are left in the scanner. A remote user can also adjust settings so that the scanner automatically sends scanned documents to a designated address, or request a copy of recently scanned documents through the web interface. Printers were also shown allowing FTP access with no password protection, making it very easy for a malicious user to store malware files on the printer. Lastly, Michael also found some VoIP systems that are left open, and showed how easy it is to get a recording of a phone conversation.
Devices Accessible Through the Web
You would think that these devices would not be publicly available, or that there wouldn't be many of them if there were. Well, that's what I thought, too. But a simple web header scan through Shodan (shodanhq.com) during Michael's presentation revealed hundreds of potentially exposed embedded web servers that are available to the general public.
This is dangerous since most people don't even know that there is a web server running on the device, and are therefore left unaware of the security hole in their network. Furthermore, in his white paper, Sutton said that a normal vulnerability scan would not be sufficient to see these risks, since most web vulnerability scanners are focused on web application servers and not on EWS. An EWS will usually be identified, but lumped in together with other web servers. So a normal security audit that focuses on XSS or SQL injection would not be effective, since the basic tests that matter for an EWS, such as checking whether the admin interface requires a password at all or exposes dangerous functionality, are not done.
As a precaution, it is recommended to check the network for devices with an EWS and make sure they are not exposed to the Internet. It is also recommended to disable potentially dangerous features that are not needed. Lastly, make sure to change the default password on the servers. A default password is as good as having no password at all.
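The two gaps described above, a scanner that lumps an EWS in with ordinary web servers and an audit that never asks whether the admin page demands a password, can be closed with a small inventory check of your own. The following is an added example, not code from the post or from Sutton's white paper: it parses captured HTTP responses from devices on your network, flags those whose Server header looks like an embedded device, records whether the admin interface answered with an authentication challenge (401 plus WWW-Authenticate) or simply served the page, and notes any such device that your asset inventory says is reachable from the Internet. The signature list, device names, addresses and responses are all constructed for illustration; the "internet_exposed" flag is assumed to come from your own inventory.

```python
"""Inventory check for embedded web servers (EWS): added example, constructed data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed list of Server-header fragments that suggest an embedded device rather
# than a general-purpose web application server. This is an assumption to be tuned
# against what your own network actually returns, not an authoritative list.
EWS_SIGNATURES = ("printer", "scanner", "voip", "embedded", "ews")


@dataclass
class Finding:
    host: str
    server: str
    is_ews: bool
    auth_required: bool
    notes: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def assess(host: str, raw: str, internet_exposed: bool) -> Finding:
    """Classify one device response and record the checks a generic scanner skips."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    is_ews = any(sig in server.lower() for sig in EWS_SIGNATURES)
    # A properly protected admin page should challenge before serving anything.
    auth_required = status == 401 and "www-authenticate" in headers
    finding = Finding(host, server, is_ews, auth_required)
    if is_ews and not auth_required:
        finding.notes.append("EWS admin page served without an authentication challenge")
    if is_ews and internet_exposed:
        finding.notes.append("EWS reachable from the Internet; restrict it to the LAN")
    return finding


# Constructed sample responses: (raw HTTP response, internet_exposed per inventory).
SAMPLES: Dict[str, Tuple[str, bool]] = {
    "192.168.1.20": (
        "HTTP/1.1 200 OK\r\nServer: Acme-Printer-EWS/1.0\r\n"
        "Content-Type: text/html\r\n\r\n<html>admin page</html>",
        False,
    ),
    "203.0.113.5": (
        "HTTP/1.1 401 Unauthorized\r\nServer: Acme-VoIP-Embedded/2.1\r\n"
        'WWW-Authenticate: Basic realm="admin"\r\n\r\n',
        True,
    ),
    "10.0.0.7": (
        "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n\r\n<html>intranet</html>",
        False,
    ),
}


def audit(samples: Dict[str, Tuple[str, bool]] = SAMPLES) -> List[Finding]:
    """Run assess() over every captured response and return the findings."""
    return [assess(host, raw, exposed) for host, (raw, exposed) in samples.items()]


if __name__ == "__main__":
    for f in audit():
        kind = "EWS" if f.is_ews else "web app"
        auth = "auth challenge" if f.auth_required else "NO auth challenge"
        print(f"{f.host:15} {f.server:25} {kind:8} {auth}  {'; '.join(f.notes)}")
```

The Apache host produces no notes because it is the kind of server a normal web scanner already handles; the two embedded devices are the ones that would otherwise be lumped in with it. A device that is both unauthenticated and Internet-facing collects both notes, which is exactly the combination the talk warned about.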