On Tue, Jun 26, 2001 at 02:32:05PM -0600, Brendan Murphy wrote:
> More than a few of our networked HP Laserjet printers have been
> sporadically printing out entire trays of paper that have a '1', 'u', 'i'
[...]
> Some facts, just in case:
> - Printers are using JetDirect cards over TCP/IP
> - Some users connected through print server, others directly.
> - Printers are NOT the same model

The second note is the source of your problem. By allowing users to connect directly to the printer, you lose all possibilities of conserving your resources.

It has been many years since I have had to work with HP JetDirect Cards (Oh, how I hope they have improved :) but the thing to look for in their setup utilities is a way to restrict connections to only a few IP addresses -- the print servers on your NT/Unix machines that have logging and much better access controls (tcpd aka tcp wrappers, or an NT equivalent which I hope exists).

Of course, if the JetDirect cards don't have the ability to set a list of IP addresses that are allowed to submit print jobs, you are in a bit more troubling spot. My first thought is to set different RFC1918 addresses on the printer, and put two IPs on your print servers -- one that the existing tcp/ip subnet knows how to speak to, one that can only speak with the printers. This ought to keep idiots from doing it again, though it will never deter a determined attacker.

Another possibility is to look into using OpenBSD as an ethernet bridge thingy:
bridge(4)
brconfig(8)
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_49

Sadly, this technique will require one OpenBSD box per printer. (It might be able to work with other IPF-running unices, I don't know.)

Good luck.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:26:08 PDT
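
The addressing plan suggested in the message above (printers on their own RFC1918 subnet, print servers with one address on each side) can be checked against an inventory before it is rolled out. The following is an added example, not part of the original message; the function name, host names and all addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_plan(user_net, printer_net, printers, servers):
    """Return (item, problem) findings; an empty list means the plan holds."""
    user_net = ipaddress.ip_network(user_net)
    printer_net = ipaddress.ip_network(printer_net)
    findings = []
    # The printer subnet should be private space, separate from the users.
    if not any(printer_net.subnet_of(n) for n in RFC1918):
        findings.append(("printer_net", "not an RFC1918 range"))
    if printer_net.overlaps(user_net):
        findings.append(("printer_net", "overlaps the user subnet"))
    # A printer still addressed on the user subnet accepts jobs directly,
    # bypassing the print server's logging and access controls.
    for name, addr in printers.items():
        ip = ipaddress.ip_address(addr)
        if ip in user_net:
            findings.append((name, "on the user subnet, clients can print directly"))
        elif ip not in printer_net:
            findings.append((name, "outside the printer subnet"))
    # Each print server needs one address per side to relay jobs.
    for name, addrs in servers.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        if not any(ip in user_net for ip in ips):
            findings.append((name, "no address on the user subnet"))
        if not any(ip in printer_net for ip in ips):
            findings.append((name, "no address on the printer subnet"))
    return findings

# Constructed sample inventory (hypothetical hosts and addresses).
SAMPLE_PRINTERS = {"lj-a": "10.99.0.11", "lj-b": "192.0.2.45"}
SAMPLE_SERVERS = {"ps1": ["192.0.2.10", "10.99.0.1"], "ps2": ["192.0.2.12"]}

if __name__ == "__main__":
    for item, problem in audit_plan("192.0.2.0/24", "10.99.0.0/24",
                                    SAMPLE_PRINTERS, SAMPLE_SERVERS):
        print(f"{item}: {problem}")
```

As the message notes, this separation only stops casual direct printing; a host on the same wire can still configure itself an address on the printer subnet.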