Re: JetDirect password disclosure

From: Javier Fernandez-Sanguino (jfernandezat_private)
Date: Wed Mar 05 2003 - 02:03:20 PST


    Now that we're at it. I've added a small enhancement for plugin 10172 
    which retrieves the information from the telnet server of an HP printer 
    (when no password is configured).
    
    Can anyone test it? It seems the regexp (if ( info >< "JetDirect" ) {) 
    doesn't work... go wonder.
    
    Regards
    
    Javi
    
    
    PS: I have just submitted it as Bug 215, just for the record.
    http://bugs.nessus.org/show_bug.cgi?id=215
    
    
    --- /usr/lib/nessus/plugins/passwordless_hp_printer.nasl	Mon Mar  3 13:30:07 2003
    +++ passwordless_hp_printer.nasl	Wed Mar  5 11:56:51 2003
    @@ -58,6 +58,7 @@
     # The script code starts here
     #
     
    +passwordless = 0;
     port = 23;
     if(get_port_state(port))
     {
    @@ -69,7 +70,7 @@
       	set_kb_item(name:"devices/hp_printer", value:TRUE);
       	buf = recv(socket:soc, length:1024);
     	buf = tolower(buf);
    -	if(!("password" >< buf))security_hole(port);
    +	if(!("password" >< buf))  passwordless = 1;
     	}
      else {
       	buf = recv(socket:soc, length:1024, timeout:2);
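
    Review bot: the replaced line `+	if(!("password" >< buf))  passwordless = 1;` carries a double space before `passwordless`, unlike the otherwise identical line in the next hunk; align the two so the banner branch and the JetDirect branch read the same. Deferring `security_hole` to a flag is fine here only because the reporting block added later runs before `close(soc)` in the same function, so keep that ordering if this is reshuffled again.
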
    @@ -77,9 +78,21 @@
     	if("JetDirect" >< buf)
     	{
     	 set_kb_item(name:"devices/hp_printer", value:TRUE);
    -	 if(!("password" >< buf))security_hole(port);
    +	 if(!("password" >< buf)) passwordless = 1;
      	}
           }
    +   if ( passwordless ) {
    +# Send '/' to retrieve the current settings
    +        request = string ("/\r\n");
    +	send(socket:soc, data:request);
    +	info = recv(socket:soc, length: 1024);
    +	if ( info >< "JetDirect" ) {
    +		report = string ("It was possible to obtain the remote printer configuration:", info);
    +	} else {
    +		report = string ("The printer did not answer as expected when sending it '/':", info);
    +        }
    +	security_hole(port, data:report);
    +  }
       close(soc);
      }
     }
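
    Review bot: `if ( info >< "JetDirect" )` has the operands of `><` the wrong way round, which is the failure described in the mail. Every other substring test in this file puts the needle on the left and the buffer on the right (`"JetDirect" >< buf`, `"password" >< buf`); as written the condition asks whether the whole response received after `/` is contained in the nine-character literal, which is never true for a real reply, so the "did not answer as expected" branch fires every time. Change it to `if ( "JetDirect" >< info ) {`. Two smaller points in the same block: `info = recv(socket:soc, length: 1024);` has no `timeout:` although the `else` branch above uses `timeout:2`, so a printer that stays silent after `/` stalls the plugin; and `string ("...configuration:", info)` joins the message and the dump with no separator, so a `"\n"` between them would make the report readable. Indentation mixes tabs and spaces and the `# Send '/'` comment sits at column 0; match the surrounding tab indentation.
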
    



    This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 02:04:53 PST