Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

From: Mike Kristovich (mkristovichat_private)
Date: Mon Mar 03 2003 - 09:18:43 PST


    Sven,
    
        Unfortunately, if you do a scan of a few subnets, you're bound to find
    quite a bit of open, unpassworded Jetdirect hosts.  If you just scan for
    port 23 and/or port 80, these Jetdirects pop up everywhere.  Most of them
    will not have a password set on them.   You have this defined as #3 on your
    "additional protection" list.  It makes a very good point that most
    administrations don't tend to pay attention to.  This is a known issue, but
    it still exists worldwide.  The information provided will hopefully remind a
    good number of people to go ahead and set the password now, before somebody
    else does.
    
        As you will see in the examples below, you can compromise an HP
    Jetdirect via telnet quite easily.  If the password is disabled (as it is on
    most), you'll have instant administrative access.  A similar interface can
    be found on port 80 (WWW), but is java-driven almost entirely.  Take a look
    at the examples below to see how easily you can compromise via telnet.
    
     Telnetting to port 23 will give you the following:
    -------------------
    
    HP JetDirect
    
    Please type "?" for HELP, or "/" for current settings
    >
    
    -------------------
    
    Typing "/" will give you the following:
    
       ===JetDirect Telnet Configuration===
            Firmware Rev.   : G.08.40
            MAC Address     : 00:X0:X0:cX:7X:Xf
            Config By       : USER SPECIFIED
    
            IP Address      : X.X.X.X
            Subnet Mask     : 255.255.255.0
            Default Gateway : X.X.X.X
            Syslog Server   : Not Specified
            Idle Timeout    : 120 Seconds
            Set Cmnty Name  : Not Specified
            Host Name       : Not Specified
    
            DHCP Config     : Disabled
    ---> Passwd          : Disabled
            IPX/SPX         : Enabled
            DLC/LLC         : Disabled
            Ethertalk       : Disabled
            Banner page     : Enabled
    
    -------------------------
    
    If you type "?" for help, you'll notice this line at the end.
    
            Type passwd to change the password.
    
    Type "passwd", and...
    
            Enter Password[16 character max.; 0 to disable]: >
    
    You now have complete control of the device, while locking out the "real"
    administrator.
    
    ------------------
    
    > Additional means of protection (does not address the SNMP vulnerability):
    > 3. Define a telnet password (do not keep it empty)
    
    #3 on the list you provided is extremely important.  Remember to set a
    password, or you're leaving the device open for public administration!
    
    Thanks,
    
    Mike Kristovich, Security Researcher
    PivX Solutions, LLC
    http://www.PivX.com
    
    
    ----- Original Message -----
    From: "Sven Pechler" <helpdeskat_private>
    To: <bugtraqat_private>
    Sent: Monday, March 03, 2003 10:25 AM
    Subject: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
    
    
    >
    >
    > Hello,
    >
    > During an analysis of some HP Jetdirect cards I discovered a security
    > issue that could lead to full access to a networked printer.
    >
    > It looks like the vulnerability described in
    > http://www.securityfocus.com/bid/5331, but the OID is different and you
    > can only obtain one specific password.
    > It is also different from the password vulnerability described in
    > http://www.securityfocus.com/bid/3132
    >
    >
    > It applies to the following situation:
    >
    > - Any operating system
    >
    > -HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
    > JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
    > and older.
    >
    > -The Jetdirect card is being managed from HP Web Jetadmin.
    >
    > -A Web Jetadmin "device password" had been set on the JetDirect card.
    > (This password must be set from Web Jetadmin and has nothing to do with
    > the Telnet password or the SNMP Set community name)
    >
    > In the above situation the Web Jetadmin device password is readable as
    > plain ASCII text from the JetDirect card using SNMP.
    >
    >
    > How to check your printers for this vulnerability:
    >
    > Use an SNMP toolkit to read the following OID from your printer:
    > .iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-
    > printer.generalDeviceStatus.gdPasswords
    > (In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
    >
    > An example on a Windows machine, using SNMPUTIL from the Windows Resource
    > kit:
    > C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
    > Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
    > Value    = String
    > <0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0x3b><0x00><0x00><0x00><0x00> ..etc...
    >
    > The resulting string reads in ASCII: ABCDEF=108;
    > The Web Jetadmin device password is the word before the '=' sign, in this
    > case: ABCDEF
    >
    >
    > How to protect your printer:
    >
    > 1. Keep the Web Jetadmin device password EMPTY (don't do this on
    > newer cards than the ones mentioned above)
    > 2. Define a 'Set community name'  instead
    >
    > Additional means of protection (does not address the SNMP vulnerability):
    > 3. Define a telnet password (do not keep it empty)
    > 4. Create an 'allow list' from the Telnet console to restrict access
    > from defined IP-addresses
    >
    >
    >
    > Sven Pechler
    > University of Technology Eindhoven
    > Faculty of Technology Management
    >
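The two checks discussed in this thread, the "Passwd : Disabled" line in the JetDirect telnet "/" listing and the gdPasswords SNMP value that snmputil prints as <0xNN> bytes, lend themselves to a small offline audit parser. The following is an added example written for this archive page; it is not code from either poster or from HP. It works only on captured text (both samples below are constructed to match the format shown in the posts; the SNMP sample uses bytes 0x45 0x46 so that it decodes to the ABCDEF string the post describes) and reports only whether a device password is exposed and how long it is, never the password itself.

```python
import re

# Constructed sample of a JetDirect telnet "/" listing, modelled on the post.
TELNET_SETTINGS = """\
   ===JetDirect Telnet Configuration===
        Firmware Rev.   : G.08.40
        Config By       : USER SPECIFIED
        Syslog Server   : Not Specified
        Idle Timeout    : 120 Seconds
        Set Cmnty Name  : Not Specified
        DHCP Config     : Disabled
        Passwd          : Disabled
        Banner page     : Enabled
"""

# Constructed sample of snmputil output for OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0,
# modelled on the post; the value bytes are a constructed example.
SNMPUTIL_OUTPUT = """\
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String
<0x41><0x42><0x43><0x44><0x45><0x46><0x3d><0x31><0x30><0x38><0x3b><0x00><0x00><0x00>
"""

# One byte in the <0xNN> notation used by snmputil.
HEX_BYTE = re.compile(r"<0x([0-9a-fA-F]{2})>")


def parse_telnet_settings(text):
    """Return a dict of 'Key' -> 'Value' from the JetDirect '/' listing.

    Only the first ':' splits the line, so values such as MAC addresses
    that themselves contain ':' survive intact.
    """
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def decode_snmputil_string(text):
    """Decode the <0xNN> byte notation snmputil prints into raw bytes."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(text))


def extract_device_password(raw):
    """Return the Web Jetadmin device password carried in the gdPasswords value.

    Per the post the password is the word before '=', and the string is
    NUL-padded; an empty string means no device password is set.
    """
    text = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    password, sep, _ = text.partition("=")
    return password if sep else ""


def audit(telnet_text, snmp_text):
    """Return a list of findings for one card; the password itself is never included."""
    findings = []
    settings = parse_telnet_settings(telnet_text)
    if settings.get("Passwd", "").lower() == "disabled":
        findings.append("telnet password disabled: anyone reaching port 23 can run 'passwd' and take the device")
    if settings.get("Set Cmnty Name", "").lower() == "not specified":
        findings.append("no SNMP Set community name defined; define one instead of a Web Jetadmin device password")
    password = extract_device_password(decode_snmputil_string(snmp_text))
    if password:
        findings.append(
            f"Web Jetadmin device password is readable via gdPasswords ({len(password)} chars); "
            "clear it and rely on the Set community name"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(TELNET_SETTINGS, SNMPUTIL_OUTPUT):
        print("-", finding)
```

Feed it the "/" listing saved from a telnet session and the snmputil output for the OID given in the post; a card that is fully mitigated (telnet password set, Set community name defined, device password empty) yields no findings.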
    



    This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 14:14:49 PST