Vulnerability
printing problems
Affected
Systems runninng HP printers with JetDirect card
Description
Klaus Steding-Jessen posted about following problem. It is
possible to bypass lpd and page accounting on a HP PostScript
printer attached to an ethernet card sending PostScript directly
to tcp ports 9099 and 9100 from any machine over the network.
This was tested on a HP Laserjet 4M and 5M Plus DirectJet,
connecting to port 9099 or 9100 tcp and printing PostScript
documents. All the HP printers which can be configured for
TCP/IP have this `feature'. Actually, if you look at the print
filters installed by the JetDirect software, you'll see that they
actually use those ports to deliver documents to. So, this is a
feature of the JetDirect card; it's not unique to any particular
printer. All JetDirect cards with TCP/IP support behave this way.
It is possible to telnet to the printer and change the printer IP
or disable logging. Protect the printer inside a firewall appears
to be the only safe way.
Find this kind of printer on a network is quite easy with a good
port scanner. It responds to ping and listens on tcp ports 23,
515, 9099 and 9100.
# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.
Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number Protocol Service
23 tcp telnet
515 tcp printer
9099 tcp unknown
9100 tcp unknown
To print a PostScript document just send it to port 9099 or 9100.
Netcat will do:
$ nc printer.foo.bar.org 9099 < huge_document.ps
or
$ nc printer.foo.bar.org 9100 < huge_document.ps
Solution
It is possible to restrict the printer to accept connections from
fromn either a short list of IP addresses or a subnet range.
However, you must boot the printer via BOOTP in order to do this:
if you configure the printer's IP address directly from the front
panel, it won't work.
You need to have a version of bootpd that supports vendor
extensions running on a machine to act as a boot server for the
printer. (The bootpd that ships with SGI IRIX is an example of
one which doesn't support vendor extensions; you'll need to
download and install a newer bootpd if you run IRIX.) In the
bootptab file, you can configure the printer's IP address, subnet
mask, default gateway, _and_ you can supply a vendor-specific
option that specifies the name of a configuration file that the
printer should load. Once the printer receives the bootp response
and sets its IP address, it will attempt to TFTP the
configuration file from the bootp server host. The configuration
file contains settings for things such as 'contact information,'
'system location' and host access restrictions. All of this
information can be viewed via SNMP using the 'hpnpadmin' program
that comes with the JetAdmin software for UNIX. The config file
can also be used to set the printer's SNMP community name.
Hpnpadmin can also show you the printer's model number and
capabilities, it's current status, connection and printing
statistics, and what message is currently showing on the
printer's front panel display.
In any case: once you set the host access list, only machines with
those IP addresses specified in the list will be able to send data
to the printer. All others will get a 'connection refused' error.
All of the information concerning how to set up bootpd and the
config files (including examples) should be available with the
documentation for the UNIX JetAdmin software.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
