Vulnerability
HP DeskJet 970
Affected
HP DeskJet 970 driver
Description
Dmitry Manakhov found the following. He discovered a feature in
the HP DeskJet 970 printer driver which may interfere with company
security policy.
Imagine you use several HP DeskJet 970 printers, all connected to
"ExtenNet" network print servers from Extended Systems. The
printers are created and shared on a dedicated Windows NT server.
The Windows NT server communicates with the network print servers
using the Microsoft TCP/IP printing (LPR) protocol. People connect
to the shared printers on the Windows NT server to print.
When a user sends a job to the NT print server, the DeskJet driver
creates temporary files inside the "driveletter:\WINNT" folder.
Those files are created under the security context of the person
who sends the print job. The files have the following name masks:
"Hpdjxxxx.pdl" and "Hpdjxxxx.idx" (where "xxxx" is a print job
sequence number). Dmitry had given his users "read only"
permission on this folder and they were not able to print.
(Obviously they could not create the temporary files, and this is
how he discovered this feature.) You have to assign "Change"
permission to "Domain Users" for this folder. Dmitry called HP
Technical Support and was basically told that this is how the
driver is supposed to work and that there is no workaround to
reroute the temporary files to another folder. This is not a huge
exploit, but this information might be useful for those who have
a strict environment and don't allow people to have anything but
Read permission on servers' system directories.
Dmitry was able to reproduce it with driver versions 2.2 and 2.3
(2.3 is the latest software driver HP has on its web site).
Solution
Nothing yet.
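With no fix listed, an administrator can at least measure the exposure on a print server. The script below is an added example, not part of the advisory or of HP's software; it assumes the "driveletter:\WINNT" folder is the server's %SystemRoot% and that the group-name pattern in $BroadGroups (a hypothetical parameter) fits the local domain.

```powershell
# Added audit example, not part of the advisory.
# Assumption: "driveletter:\WINNT" is the print server's %SystemRoot%.
param(
    [string]$SystemDir = $env:SystemRoot,
    # Assumption: group names considered too broad for write access here.
    [string]$BroadGroups = '(^|\\)(Domain Users|Users|Everyone|Authenticated Users)$'
)

$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

# 1. Allow ACEs that let a broad group create files in the system directory
#    (the "Change" grant the driver forces includes this right).
$broadWrite = (Get-Acl -LiteralPath $SystemDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $BroadGroups -and
        (([int]$_.FileSystemRights) -band $createFiles) -ne 0
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# 2. Driver temp files matching the advisory's name masks, with the owner
#    of each one (normally the account whose print job created it).
$tempFiles = Get-ChildItem -LiteralPath $SystemDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^Hpdj.*\.(pdl|idx)$' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Created = $_.CreationTime
            Bytes   = $_.Length
        }
    }

'Broad write access on {0}: {1} ACE(s)' -f $SystemDir, @($broadWrite).Count
$broadWrite | Format-Table -AutoSize
'HP DeskJet temp files found: {0}' -f @($tempFiles).Count
$tempFiles | Sort-Object Created | Format-Table -AutoSize
```

Any ACE reported in the first table is write access to a system directory that the policy described above would otherwise forbid, so it should be recorded as a documented exception.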