TUCoPS :: General Information :: ciacj019.txt

Intelligent Peripherals Security Risk



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                 Intelligent Peripherals Create Security Risk 

December 8, 1998 17:00 GMT                                        Number J-019
PROBLEM:       Improper installation of intelligent peripherals may cause the 
               machines to be compromised. 
PLATFORM:      All intelligent peripherals connected to the Internet requiring 
               an IP address that have the capability of storing images in 
               memory and/or onto an internal hard drive. Some of these 
               systems have the capability of running inet daemons such as 
               ftp, telnet, and others. 
DAMAGE:        By exploiting the non-passworded accounts, remote users may 
               gain access to the system and jeopardize sensitive information. 
SOLUTION:      Follow the manufacture's installation instructions and password 
               all default accounts. CIAC recommends that all unneeded daemons 
               be turned off. 
VULNERABILITY  Risk is high. CIAC has received reports of intelligent 
ASSESSMENT:    peripherals such as printers, being compromised by intruders 
               and print jobs being redirected to other machines. Sensitive 
               information was potentially compromised. 

               ATTENTION: Please pass this information to all administrators 
               who use printers, copiers, faxes, and scanners connected to a 

CIAC is aware of security risks associated with intelligent peripherals.  
Although these devices do not 'look like' computers, they actually have the 
internal components of one. In fact, some printers utilize a SPARC CPU board 
that runs the Solaris UNIX operating system.   Xerox has a sophisticated 
device that allows users to copy, fax, scan, and print documents.  This device 
utilizes a network UNIX hard disk that conforms to the UNIX standard for file 
directories and hence it has the capability of storing images in memory.  For 
this device, Xerox recommends that the user network information be secure.  
This information includes network IDís, network passwords, network file 
locations, user network names, and user passwords.  

In most cases, the more complex the functionality the device features, the 
higher the security risks.  However, with proper installation and 
configuration the risks are reduced.  Throughout the past year CIAC has 
received reports of peripherals, mostly printers that were compromised.  The 
following examples, regardless of the device type and manufacture, indicate 
the importance of properly installing these devices to the network.

Codonics NP-1600 Printer

In March, CIAC was notified of a Codonics NP-1600 printer being compromised.  
The printer utilizes a SPARC CPU board and runs the Solaris UNIX operating 
system.  This implies that the printer may have user accounts, as well as 
daemons running, that may be used to compromise the device.  The printer is 
released from the manufacture with default accounts without passwords (null 
accounts).  However, the manufacture gives instructions and guidance on how to 
install and configure the printers, as well as warning individuals to password 
the root account.  The printer has inet and rpc daemons running by default.  
Some of these daemons are needed; however, CIAC recommends that all unneeded 
daemons be turned off.  After receiving this information, CIAC scanned a 
Codonics printer to gather all the information about the services allowed.  
According to the system administrator, the printer was configured per the 
instructions issued by the manufacture.  The results of the scan found the 
printer to be vulnerable only to Denial of Service (DOS) attacks. 

Listed below are the daemons running by default on a Codonics NP-1600 printer.

inet daemons:
  port	type and status
  7	(echo) is running.
  9 	(discard) is running.
  13 	(daytime) is running.
  19 	(chargen) is running.
  21 	(ftp) is running.
  23 	(telnet) is running.
  37 	(time) is running.
  79 	(finger) is running.
  111 	(sunrpc) is running.
  512	(exec) is running.
  513 	(login) is running.
  514 	(shell) is running.
  515 	(printer) is running.
  540 	(uucp) is running.
  741 	(UNKNOWN) is running.

rpc daemons:
    program	vers	proto	port
    100000	4	tcp	111  portmapper
    100000	3	tcp	111  portmapper
    100000	2	tcp	111  portmapper
    100000	4	udp	111  portmapper
    100000	3	udp	111  portmapper
    100000	2	udp	111  portmapper
    100087	10	udp	32772
    100011	1	udp	32773  rquotad
    100002	2	udp	32774  rusersd
    100002	3	udp	32774  rusersd
    100012	1	udp	32775  sprayd
    100008	1	udp	32776  walld
    100001	2	udp	32777  rstatd
    100001	3	udp	32777  rstatd
    100001	4	udp	32777  rstatd
    100068	2	udp	32778
    100068	3	udp	32778
    100068	4	udp	32778
    100083	1	tcp	32771
    200	1	udp	740
    200	1	tcp	741

HP Jet Direct Printer

In September, CIAC received information of a HP Jet Direct printer being 
hijacked by a foreign hacker.  All print jobs sent to the printer were 
actually sent to the print server in the foreign country.  An intruder can 
redirect all print jobs by becoming the print server using the mscan tool 
against an unprotected printer.  There are two passwords that need to be set 
to protect the printer.  To prevent this type of activity, use the HP Jet 
Admin Utility to password protect the device.  If your printer appears to be 
operational but is not printing, view the status of the printer using the HP 
Jet Admin Utility.  To check the status of the printer, do the following:

  1) Select 'Device'
  2) Select 'Properties'
  3) Select 'Diagnostics' tab
  4) Click on 'TCP/IP'
  5) Click on 'General'

At this level, the 'Server Address' is visible.  The IP address display should 
be from the machine you are connecting from.  Check to ensure itís the correct 
machine address. If not, you may kill the active connection and enable the 
queue using HP Jet Admin Utility.  This will return control of the printer to 
your local network and the print jobs already queued should print.

Scanning returns Interesting Results

While scanning a subnet recently, the scanner was unable to identify some of 
the machines associated with a series of IP addresses.  However the scanner 
did list the services allow by each machine. Upon farther investigation, CIAC 
determined these IP addresses were assigned to printers.  The following ports 
and services were allowed by one of the printers:
	23	telnet
	80	httpd
	515	printer
	161 	snmp server
An individual could use the telnet protocol to login and since the password 
capability was disabled thus allowing free access to the printer and its 
telnet configuration setup.  Below is a sample of a JetDirect printer telnet 
configuration setup:
        Firmware Rev.:  G.07.03
        MAC Address:    XX:XX:XX:XX:XX:XX  (remove to preserve the identity)
        Config By:      USER SPECIFIED

        IP Address:     XXX.XXX.XXX.XX  (remove to preserve the identity)
        Subnet Mask:
        Default Gateway: XXX.XXX.XXX.XXX  (remove to preserve the identity)
        Syslog Server:  Not Specified
        Idle Timeout:   120 Seconds
        Set Cmnty Name: Not Specified
        Host Name:      Not Specified

        DHCP Config:    Disabled
        Passwd:         Disabled
        IPX/SPX:        Enabled
        DLC/LLC:        Enabled
        Ethertalk:      Enabled
        Banner page:    Enabled

CIAC highly recommends that printers with this type of capability enable 
password protection and turn-off all unneeded services.  In most cases ftp, 
telnet, and httpd are rarely needed for printers.

Today, printers and copiers are more complex and with this complexity comes 
security risks.  Non-passworded default accounts are a major security risk 
regardless of the operating system and the platforms used.  Allowing access to 
an unprotected device may lead to other devices being compromised.  To tighten 
down your systems, make sure all accounts have passwords and that all unneeded 
daemons are turned off.  Follow the installation instructions provided by the 
manufacture.  If the instructions are not clear, call the manufacture and ask 
for assistance.  Remember hijacking print jobs may jeopardize confidentiality.  

To check for non-password accounts use Security Profile Inspector for Networks 
(SPI-NET) or Computer Oracle and Password System (COPS).

To download:




CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-bulletin 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-009: Cisco IOS Command History Release at Login Prompt
J-010: SGI Buffer Overflow Vulnerabilities ( xterm(1), Xaw library)
J-011: Microsoft IE 4.01 Untrusted Scripted Paste (Cuartango Vul.)
J-012: SGI IRIX routed(1M) Vulnerability
J-013: SGI IRIX autofsd Vulnerability
J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses

Version: 4.0 Business Edition


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH