Tektronix PhaserLink Webserver gives out the administrator password
21 Nov. 1999
Summary
Tektronix has a particularly nasty bug in their Phaser color printers. Tektronix packages a web server, built into the printer, to allow an administrator to access and change the configuration remotely. By opening a standard web browser and pointing it to the printer's URL, any user can access the Status and Configuration of the printer. Tektronix was smart enough to require an administrator password in order to prevent just anyone from changing the settings of the printer. However, although Tektronix recommends that users enter an administrator password, and the manual is quite specific on how this is accomplished, a hidden and undocumented URL shows the administrator password to anyone without any sort of authentication, allowing anyone to bypass this password and directly reconfigure the printer.
Vulnerable systems:
Phaser Color printer 740
Phaser Color printer 780
Phaser Color printer 840
Immune systems:
Phaser Color printer 350
Phaser Color printer 560
By pointing the web browser to the following URL:
http://printername/ncl_items.html?SUBJECT=2097
anyone can obtain the administrator password that was set on the printer, and of course change it without needing to provide the previous password.
Solution:
1. Block access to port 80 on the printer via a router or firewall rule. This will prevent access to this software from outside the network. Also, since it's safe to assume no one will print from outside the local network, setting the default gateway to be the same as the printer's IP address will keep outside users from exploiting this service.
2. Disable the PhaserLink web server on the printer. This can be accomplished through the control panel, by switching the HTTP Protocol to Disabled (under Printer Configuration | Network Settings | HTTP), but it can also be accomplished by going to the URL http://printername/ncl_items?SUBJECT=2097 and switching the setting "On" to "Off". However, doing so will prevent you from being able to remotely administer this machine using the web browser.
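Until one of the two fixes above is in place, requests for the configuration page can be watched for in HTTP logs. The following is an added example, not part of the original advisory or Tektronix code: it assumes request logs from a proxy or network sensor in front of the printers, in a constructed format (destination host followed by Common Log Format), and a hypothetical allowlist of administrator workstations.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (assumed format: destination host + Common Log Format).
# Hostnames and addresses are placeholders from documentation ranges.
SAMPLE_LOG = """\
phaser740.example.net 192.0.2.10 - - [21/Nov/1999:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 5120
phaser740.example.net 198.51.100.7 - - [21/Nov/1999:10:03:44 +0000] "GET /ncl_items.html?SUBJECT=2097 HTTP/1.0" 200 2210
phaser840.example.net 192.0.2.25 - - [21/Nov/1999:10:05:09 +0000] "GET /ncl_items?SUBJECT=2097 HTTP/1.0" 200 2190
phaser840.example.net 198.51.100.7 - - [21/Nov/1999:10:06:30 +0000] "GET /NCL_ITEMS.HTML?subject=2097 HTTP/1.0" 200 2210
"""

# Hypothetical allowlist of administrator workstations.
ADMIN_HOSTS = {"192.0.2.25"}

LINE_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
CONFIG_PAGES = {"ncl_items.html", "ncl_items"}  # both spellings appear in the advisory
SUBJECT_ID = "2097"


def find_config_page_hits(log_text, admin_hosts=ADMIN_HOSTS):
    """Return requests for the SUBJECT=2097 page from non-admin sources."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        page = url.path.rsplit("/", 1)[-1].lower()
        # Lower-case parameter names: matching is deliberately case-insensitive,
        # a conservative choice since the advisory does not state server behaviour.
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        if page not in CONFIG_PAGES or SUBJECT_ID not in params.get("subject", []):
            continue
        if m["src"] in admin_hosts:
            continue  # expected administrative access
        hits.append({k: m[k] for k in ("ts", "src", "dst", "target", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_config_page_hits(SAMPLE_LOG):
        print("{ts} {src} -> {dst} {target} ({status})".format(**hit))
```

Any hit with a 200 status means the page was served to a host outside the allowlist, so the administrator password on that printer should be treated as disclosed.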