This is a cryptographically signed message in MIME format. --------------msD2610E30DD3B1406D473C5CE Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Apparently the 740, 780, and 840 printers are vulnerable. According to Bernhard Schneck and Gerhard den Hollander, the 350 and 560 printers are not (confirmed on one of our printers here) vulnerable to this attack. However, this leaves me to wonder of there isn't some other undocumented feature in these printers which is exploitable. For those who asked, I actually didn't come up with this alone, I just put all the pieces together to figure out how it could be exploited. Like the 3Com backdoor, and Microsoft's various remote administration tools, this bug is something that Tektronix probably threw into their printers to help customer support personnel working on printer problems remotely configure their client's printers. The bug is not the undocumented URLs themselves, but the fact that these URLs allow a remote and unauthorized user to change printer configurations without any sort of authentication or control. Tektronix requires a password be provided on their configuration pages in order to make any changes, however, using these URLs the changes can be made without needing a password. The hint on the URL to recover a lost administrator password was first given to one of our customers by the Tektronix folks, he forwarded it to us and from there, we ran with it, discovering all the hidden treasures. It is probably safe to assume that the other printers have a similar hidden URL, maybe a social engineering call to one of the Tektronix support personnel could get it (they might be a little less sympathetic now that this is out though.) Ronan Waide wrote: > On November 16, dwmattat_private said: > > Tektronix has a particularly nasty bug which is quite amusing. On their > > Phaser 740 color printers (they may be on other printers, but I > > haven't had > > Confirmed for phaser 780. > -- > waiderat_private / Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax) > "Multithreadedness, like object-orientedness, is a matter of perception. > If it seems multithreaded, it is. All else is an implementation detail." > - Jamie Zawinski -- Dennis W. Mattison SPAWAR Network Security Team SAIC - Center for Information Security Technology (CIST) Ph: (619) 553-2343 Email: dwmattat_private, mattisondat_private --------------msD2610E30DD3B1406D473C5CE Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIJXwYJKoZIhvcNAQcCoIIJUDCCCUwCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC B5IwggObMIIDBKADAgECAgISLTANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJVUzEYMBYG A1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEXMBUG A1UEAxMOTWVkIEVtYWlsIENBLTEwHhcNOTkwOTE2MTYyOTMzWhcNMDEwOTE2MTYyOTMzWjCB nzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9E MQwwCgYDVQQLEwNQS0kxEzARBgNVBAsTCkNPTlRSQUNUT1IxJTAjBgNVBAMTHE1hdHRpc29u LkRlbm5pcy5XLjAyMDAwNTkwNjAxHjAcBgkqhkiG9w0BCQEWD2R3bWF0dEBub3NjLm1pbDCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvIQh9THlLPyevbfrIiaIRiy+1CfbXpo6GNDA mVnLacnKz6CiVFrg0xi/5tzCLy6SWsqhzVHHmVSjSTA2daIxr8b8R9uCNpudqzJlvEFFB6xZ BVw70eUpR/wysKie5c5YBU6Ie2B3ckXq3P5x8vWDN7hy8+O/qisy1UQ8L8vuBTUCAwEAAaOC ASYwggEiMBYGA1UdIAQPMA0wCwYJYIZIAWUCAQsDMB8GA1UdIwQYMBaAFPIju1ImGhS6CXJ9 cNJe5ng8aBX8MB0GA1UdDgQWBBRo4W6DRwQ38Vmny64uzD9P7/xdvTAOBgNVHQ8BAf8EBAMC BaAwDAYDVR0TAQH/BAIwADCBqQYDVR0fBIGhMIGeMIGboIGYoIGVhoGSbGRhcDovL2RzLTEu Y2hhbWIuZGlzYS5taWw6MzkwL2NuJTNkTWVkJTIwRW1haWwlMjBDQSUyZDElMmNvdSUzZFBL SSUyY291JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTP2NlcnRpZmlj YXRlUmV2b2NhdGlvbkxpc3QlM2JiaW5hcnkwDQYJKoZIhvcNAQEFBQADgYEAJyWRPz1KOlUj MVEUaIuv1Hatd4AZpK2ozdR9PdAwEAKK5TIk/lJ0Dj+R0WeqEOjiuSbgAp6CMV5RQL3H8ODN gtP5WpWY38lNpq80JhcsT1rilzg3QyhxAsNBw0fzn/OrKWEueTm/KJUsG+343AIvgqHt4qDu 1VNSeg4pWcYYfREwggPvMIIDWKADAgECAgEjMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBAYT AlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMD UEtJMRwwGgYDVQQDExNEb0QgUEtJIE1lZCBSb290IENBMB4XDTk4MDgwNjE5NTQ1NFoXDTAz MDgwNjE5NTQ1NFowXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEM MAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxFzAVBgNVBAMTDk1lZCBFbWFpbCBDQS0xMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqTd9bbYLOvC2mMX/fpiD+4MKcPiO7bCNi+6w6 jGXsyVzEysRDUkOhOR77XJyU6PD/gRV1BgQC+tqLyVKku0u13m8hxAGLP4EXk5S2Egl6Azue BlVPQcFIpSAoeK3Q69pyE/9WFGCf2VDWM/57IFcHmaBzUM7aWyybNw+VHo+1JwIDAQABo4IB ujCCAbYwFgYDVR0gBA8wDTALBglghkgBZQIBCwMwHwYDVR0jBBgwFoAUxVnSzvGYlVBmqG3e MkvWYTXiRrMwDAYDVR0kBAUwA4ABADAdBgNVHQ4EFgQU8iO7UiYaFLoJcn1w0l7meDxoFfww DgYDVR0PAQH/BAQDAgGGMH4GA1UdEgR3MHWGc2xkYXA6Ly9kcy0xLmNoYW1iLmRpc2EubWls L2NuJTNkRG9EJTIwUEtJJTIwTWVkJTIwUm9vdCUyMENBJTJjb3UlM2RQS0klMiBjb3UlM2RE b0QlMmNvJTNkVS5TLiUyMEdvdmVybm1lbnQlMmNjJTNkVVMwDwYDVR0TAQH/BAUwAwEB/zCB rAYDVR0fBIGkMIGhMIGeoIGboIGYhoGVbGRhcDovL2RzLTEuY2hhbWIuZGlzYS5taWwvY24l M2REb0QlMjBQS0klMjBNZWQlMjBSb290JTIwQ0ElMmNvdSUzZFBLSSUyY291JTNkRG9EJTJj byUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxp c3QlM2JiaW5hcnkwDQYJKoZIhvcNAQEFBQADgYEAlQOnyvY3wBzBFqvQmaAJqUUpucy55ErA ncWtLBJcNP3Q56vAk4/O4gf/0KUe+x8DovQAe5KIn3JMQUoxc98SxV2xj+/tPvUgxPV9d59N l2lJEGq7eufOnhwE7NNFEDJNub6V2EIpH3VMmDsPqvFJzmqTTzxzrZISXr3vJR7SdFcxggGV MIIBkQIBATBiMFwxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAK BgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJMRcwFQYDVQQDEw5NZWQgRW1haWwgQ0EtMQICEi0w CQYFKw4DAhoFAKCBijAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP Fw05OTExMTgxNzI4MDNaMCMGCSqGSIb3DQEJBDEWBBTDCjj3XA/xucPba1HadmNvnn0O/jAr BgkqhkiG9w0BCQ8xHjAcMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBgkqhkiG9w0B AQEFAASBgG/FM28vzanQAPl1Taq9Mo7NuO1RxYJkrmO7ePu12nIDtUCFnVAWtjVOzgTXOOQz dCZi17yOLKH1dOxasLjZWMxw7nqV8AhBLgz5+RfQnxVnSrFNF1Zt019kSAOCH9Z5k0XzRef+ /6jMUh2ddDXvlRKW7UFi/BZUe1Zx7g2Nw/RE --------------msD2610E30DD3B1406D473C5CE--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:21 PDT