Vulnerability

printing problems

Affected

Systems running HP printers with JetDirect card

Description

Klaus Steding-Jessen posted about the following problem. It is possible to bypass lpd and page accounting on an HP PostScript printer attached to an ethernet card by sending PostScript directly to tcp ports 9099 and 9100 from any machine over the network. This was tested on a HP Laserjet 4M and 5M Plus DirectJet, connecting to port 9099 or 9100 tcp and printing PostScript documents.

All the HP printers which can be configured for TCP/IP have this `feature'. In fact, the print filters installed by the JetDirect software use those same ports to deliver documents. So this is a feature of the JetDirect card; it's not unique to any particular printer. All JetDirect cards with TCP/IP support behave this way.

It is possible to telnet to the printer and change the printer IP or disable logging. Protecting the printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a good port scanner. It responds to ping and listens on tcp ports 23, 515, 9099 and 9100.

    # nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
    Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
    Hint: The -v option notifies you of open ports as they are found.
    Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
    Open ports on printer.foo.bar.org (xx.yy.ww.zz):
    Port Number  Protocol  Service
    23           tcp       telnet
    515          tcp       printer
    9099         tcp       unknown
    9100         tcp       unknown

To print a PostScript document just send it to port 9099 or 9100. Netcat will do:

    $ nc printer.foo.bar.org 9099 < huge_document.ps

or

    $ nc printer.foo.bar.org 9100 < huge_document.ps

Solution

It is possible to restrict the printer to accept connections from either a short list of IP addresses or a subnet range.
However, you must boot the printer via BOOTP in order to do this: if you configure the printer's IP address directly from the front panel, it won't work. You need to have a version of bootpd that supports vendor extensions running on a machine to act as a boot server for the printer. (The bootpd that ships with SGI IRIX is an example of one which doesn't support vendor extensions; you'll need to download and install a newer bootpd if you run IRIX.)

In the bootptab file, you can configure the printer's IP address, subnet mask, default gateway, _and_ you can supply a vendor-specific option that specifies the name of a configuration file that the printer should load. Once the printer receives the bootp response and sets its IP address, it will attempt to TFTP the configuration file from the bootp server host.

The configuration file contains settings for things such as 'contact information,' 'system location' and host access restrictions. All of this information can be viewed via SNMP using the 'hpnpadmin' program that comes with the JetAdmin software for UNIX. The config file can also be used to set the printer's SNMP community name. Hpnpadmin can also show you the printer's model number and capabilities, its current status, connection and printing statistics, and what message is currently showing on the printer's front panel display.

In any case: once you set the host access list, only machines with those IP addresses specified in the list will be able to send data to the printer. All others will get a 'connection refused' error.

All of the information concerning how to set up bootpd and the config files (including examples) should be available with the documentation for the UNIX JetAdmin software.
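One way to check the host access list on the boot server before the printer fetches it, as an added example that is not part of the original advisory or of HP's software. The `allow:` line syntax (address plus optional mask) and the rule that an empty list admits every host are assumptions modelled on HP's JetDirect config format; the file contents and addresses are constructed.

```python
import ipaddress

# Constructed sample of the TFTP config file named in bootptab. Directive
# names are an assumption; check the JetAdmin documentation for the exact
# syntax your card accepts.
SAMPLE_CFG = """\
# printer.cfg - constructed example
location: 2nd floor copy room
contact: print-admin
allow: 192.0.2.10
allow: 198.51.100.0 255.255.255.0
"""

def parse_allow_list(cfg_text):
    """Return the networks named by 'allow:' lines (a bare IP is one host)."""
    nets = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("allow:"):
            continue
        fields = line.split(":", 1)[1].split()
        if not fields or len(fields) > 2:
            raise ValueError(f"malformed allow line: {raw!r}")
        mask = fields[1] if len(fields) == 2 else "255.255.255.255"
        # strict=True rejects entries with host bits set under the mask
        nets.append(ipaddress.ip_network(f"{fields[0]}/{mask}", strict=True))
    return nets

def is_permitted(nets, client_ip):
    """Assumed semantics: an empty list means the printer accepts everyone."""
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)

def audit(cfg_text, print_servers, outsiders):
    """Report a missing ACL, a locked-out print server, or an admitted outsider."""
    nets = parse_allow_list(cfg_text)
    findings = []
    if not nets:
        findings.append("no allow entries: ports 9099/9100 open to any host")
    findings += [f"{ip} should print but is not allowed"
                 for ip in print_servers if not is_permitted(nets, ip)]
    findings += [f"{ip} is not a print server but is allowed"
                 for ip in outsiders if is_permitted(nets, ip)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, ["192.0.2.10"], ["203.0.113.5"]):
        print(finding)
```

An empty result means the list admits the lpd hosts that do page accounting and nothing else that was tested.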