Date: Sat, 4 Oct 1997 18:02:01 -0300
From: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP Laserjet 4M Plus DirectJet Problem

I don't know if this is a well known HP printer problem, but I've found no references to it in the bugtraq archives.

It is possible to bypass lpd and page accounting on an HP PostScript printer attached to an ethernet card by sending PostScript directly to tcp ports 9099 and 9100 from any machine over the network.

I've tested on an HP Laserjet 4M Plus DirectJet, connecting to port 9099 or 9100 tcp and printing PostScript documents. There is no way to tell the printer to accept connections only from a range of valid IPs. Also, it is possible to telnet to the printer and change the printer IP or disable logging. Protecting the printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a good port scanner. It responds to ping and listens on tcp ports 23, 515, 9099 and 9100.

    # nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
    Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
    Hint: The -v option notifies you of open ports as they are found.
    Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
    Open ports on printer.foo.bar.org (xx.yy.ww.zz):
    Port Number  Protocol  Service
    23           tcp       telnet
    515          tcp       printer
    9099         tcp       unknown
    9100         tcp       unknown

To print a PostScript document just send it to port 9099 or 9100. Netcat will do:

    $ nc printer.foo.bar.org 9099 < huge_document.ps

or

    $ nc printer.foo.bar.org 9100 < huge_document.ps

Can anyone confirm this with other printers? I think HP 5M is also vulnerable, but I've not tested.

Klaus.
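
For administrators auditing their own printers, the following added example (not part of the original post) parses scan listings in the format quoted above and reports which hosts expose the telnet and raw-print ports the post names. The function names and the second host, spooler.example.org, are assumptions made for illustration.

```python
import re

# Ports named in the post and what each one exposes on the printer.
RAW = "raw port: PostScript jobs bypass lpd and page accounting"
RISKY_PORTS = {23: "telnet: printer IP and logging can be changed", 9099: RAW, 9100: RAW}

HOST_RE = re.compile(r"^Open ports on (\S+) \(")
PORT_RE = re.compile(r"^(\d+)\s+(tcp|udp)\s+(\S+)\s*$")

def parse_open_ports(scan_text):
    """Return {hostname: set of open tcp ports} from nmap 1.x style listings."""
    hosts, current = {}, None
    for line in scan_text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), set())
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "tcp":
            current.add(int(m.group(1)))
    return hosts

def audit(scan_text):
    """Return {hostname: [findings]} for hosts exposing any port from the post."""
    report = {}
    for host, ports in parse_open_ports(scan_text).items():
        findings = [f"{p}/tcp {RISKY_PORTS[p]}" for p in sorted(ports) if p in RISKY_PORTS]
        if findings:
            report[host] = findings
    return report

# Constructed sample: the listing from the post plus a hypothetical host that
# only exposes lpd (515), the path that still goes through page accounting.
SAMPLE = """\
Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number  Protocol  Service
23           tcp       telnet
515          tcp       printer
9099         tcp       unknown
9100         tcp       unknown
Open ports on spooler.example.org (xx.yy.ww.aa):
515          tcp       printer
"""

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, *findings, sep="\n  ")
```

Hosts that appear in the report are the ones to place behind the firewall the post recommends, since the printer itself cannot restrict source addresses.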