21st May 2002 [SBWID-5351]
COMMAND
Xerox DocuTech copiers can be hacked into
SYSTEMS AFFECTED
Xerox DocuTech 6110 or 6115
PROBLEM
J Edgar Hoover [zorch@totally.righteous.net] forwarded :
This paper is about Xerox DocuTech 6110 or 6115. These puppies are not
old-fashioned optical copiers but basically two units, a high-speed
scanner and a high speed laser printer.
The laser printer is controlled by a dual-processor Sun Ultra 60
running Solaris 8. The Scanner is controlled by an Intel box running
Windows NT.
The scanner sends jobs via ftp to the printer. Jobs can also be sent to
the printer via lpd through a windows print driver or other means.
So, they install it, first thing we do is ask what the root password is
for the Solaris box.
"Oh, no problem, it's "service!" -- it's the same for all of our machines."
WTF? First thing I say is "We will want to change that."
"No, you can't. It will probably break things."
Well, this puppy is WIDE OPEN like you wouldn't believe. Everything
imaginable is running and listening, including such arcane services
like sprayd. Then I do a "rpcinfo -p" and see a shitload of unknown
RPC services running. But best yet,
showmount -e reveals numerous directories exported to the entire world, world writable!
The NT box Administrator account password is "administ"
and is wide open, so anyone can connect to C$. Copies of all jobs
scanned are saved in case they are needed to be rerun later, so anyone
wanting to grab that document doesn't have to wait for it to appear in
the spool dir of the Solaris box, just grab it from the scanner box at
your leisure.
Go to the server's http port and there's a complete web page which is
very helpful for allowing you to submit jobs over the web and directly
into the "print now" queue so an operator doesn't even have to
approve it before it prints out. Imagine the fun you can have. Also,
there's a very helpful job history so you can see who has been copying
what, all anonymous, no authentication required.
So, we lock the box down tight, installing ssh, disabling telnet,
finger, echo, chargen, and other shit you wouldn't believe. Also
installed security updates from Microsoft on the NT box. Xerox comes in
today and has a fit and starts to reinstall everything from scratch.
And scanning for these puppies would be easy as pie. Just do a finger
against a block of addresses for xrxusr account and if it replies, you
got yourself one...
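As an added defender-side example (not part of the forwarded report and not Xerox tooling), the POSIX shell script below applies the lockdown step the report describes to an inetd.conf-style file: it comments out the telnet, finger, echo, chargen and sprayd entries and leaves everything else, including ftp, untouched, because the report says the scanner delivers jobs to the printer over ftp. The inetd.conf fragment it operates on is a constructed sample in the classic Solaris 8 layout, not a file taken from a DocuTech; on a real box the input would be /etc/inetd.conf and inetd would need a SIGHUP afterwards.

```shell
#!/bin/sh
# Added example: disable the inetd services named in the report by commenting
# them out of an inetd.conf-style file. Assumes the classic Solaris 8 layout
# (one service per line, RPC entries written as "name/version"). Sample input
# below is constructed for the demo; on a real host use /etc/inetd.conf and
# then signal inetd:  kill -HUP `pgrep inetd`

# Services the report lists as needing to be turned off. ftp is deliberately
# absent: the scanner ships jobs to the printer over ftp.
DISABLE_SERVICES="telnet finger echo chargen sprayd"

# harden_inetd_conf IN OUT: copy IN to OUT, prefixing "#" to every active
# line whose service field (with any "/version" suffix removed) is listed.
harden_inetd_conf() {
    in="$1"; out="$2"
    awk -v list="$DISABLE_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks pass through
        {
            svc = $1
            sub(/\/.*$/, "", svc)                   # "sprayd/1" -> "sprayd"
            if (svc in bad) { print "#" $0; next }  # disable by commenting out
            print
        }' "$in" > "$out"
}

# count_active_services FILE: number of uncommented, non-blank entries.
count_active_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# run_demo DIR: write the constructed sample to DIR/inetd.conf.orig and the
# hardened copy to DIR/inetd.conf.hardened.
run_demo() {
    dir="$1"
    cat > "$dir/inetd.conf.orig" <<'EOF'
# Constructed sample fragment in Solaris 8 inetd.conf layout (not a real file)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
EOF
    harden_inetd_conf "$dir/inetd.conf.orig" "$dir/inetd.conf.hardened"
}

# Stand-alone run: show before/after counts and the hardened file.
demo_dir=$(mktemp -d)
run_demo "$demo_dir"
echo "active before: $(count_active_services "$demo_dir/inetd.conf.orig")"
echo "active after:  $(count_active_services "$demo_dir/inetd.conf.hardened")"
cat "$demo_dir/inetd.conf.hardened"
rm -rf "$demo_dir"
```

Only the services in DISABLE_SERVICES are touched, so anything the vendor's software actually depends on (ftp and lpd in the report's description) keeps working; the disabled lines stay in the file as comments, which makes the change reviewable and reversible when the vendor next reinstalls.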
SOLUTION
Xerox replied with a document mirrored at
http://totally.righteous.net/jedgar/overview_of_security.pdf
which doesn\'t address many of the problems, and states that the
ultimate responsibility for security lies with the customer.