Re: Xerox DocuTech problems

From: Morrie the Dog (Anomolousat_private)
Date: Sat May 18 2002 - 16:31:05 PDT

Well, I guess the cat's out of the bag now so I'll chime in.

It's not just the DocuTech that has the butt-flap open on its Dr. Dentons... the DocuTech line is from one group at Xerox, and the DocuPrint is from another. The holes are not quite the same in the two, but in both cases they use standard passwords as well as totally wide-open services.

I have personally confirmed this on the DocuTech Print65 and the DocuPrint 4890. I no longer have legitimate access to those boxes, however, as my situation has changed; my information is roughly six months old.

Anyways, you can do stuff by submitting documents to be "printed" - the control sequences Xerox uses aren't limited to controlling individual print jobs. So, if the system security guys manage to crank down the screws on the Sun box, you can bollix up all printing by sending a specially crafted document from a spoofed address, then the Xerox techs will get called for maintenance, and when they can't get into the system they just reformat the drives and reinstall everything wide open. And they never patch anything, either; it's Sun straight off the CD with every hole and bug intact.

J Edgar, you just made an army of crackers very unhappy; this has probably been exploitable for at least a year now. Spoilsport. A nice trusted Sun box on a corporate internal network has 1001 uses.
    
    
On 17 May 2002, at 14:50, J Edgar Hoover wrote:
>
> Begin forwarded (and edited) message
> ------------------------------------------
>
> The model is a Xerox DocuTech 6110 or 6115.
>
> These puppies are not old-fashioned optical copiers but
> basically two units, a high-speed scanner and a high-speed laser
> printer.
>
> The laser printer is controlled by a dual-processor Sun Ultra 60
> running Solaris 8. The scanner is controlled by an Intel box
> running Windows NT.
>
> The scanner sends jobs via ftp to the printer. Jobs can also be
> sent to the printer via lpd through a Windows print driver or
> other means.
>
> So, they install it, and the first thing we do is ask what the root
> password is for the Solaris box. "Oh, no problem, it's
> "service!" -- it's the same for all of our machines."
>
> WTF? First thing I say is "We will want to change that."
>
> "No, you can't. It will probably break things."
>
> Well, this puppy is WIDE OPEN like you wouldn't believe.
> Everything imaginable is running and listening, including such
> arcane services as sprayd. Then I do a "rpcinfo -p" and see a
> shitload of unknown RPC services running. But best yet,
> showmount -e reveals numerous directories exported to the entire
> world, world writable!
>
> The NT box Administrator account password is "administ" and is
> wide open, so anyone can connect to C$. Copies of all jobs
> scanned are saved in case they need to be rerun later, so
> anyone wanting to grab that document doesn't have to wait for it
> to appear in the spool dir of the Solaris box; just grab it from
> the scanner box at your leisure.
>
> Go to the server's http port and there's a complete web page
> which is very helpful for allowing you to submit jobs over the
> web and directly into the "print now" queue so an operator
> doesn't even have to approve it before it prints out. Imagine
> the fun you can have. Also, there's a very helpful job history
> so you can see who has been copying what, all anonymous, no
> authentication required.
>
> So, we lock the box down tight, installing ssh, disabling
> telnet, finger, echo, chargen, and other shit you wouldn't
> believe. Also installed security updates from Microsoft on the
> NT box. Xerox comes in today and has a fit and starts to
> reinstall everything from scratch.
>
> And scanning for these puppies would be easy as pie. Just do a
> finger against a block of addresses for the xrxusr account and if it
> replies, you got yourself one...
>
> ------------------------------------------
>
>




    This archive was generated by hypermail 2b30 : Sat May 18 2002 - 19:04:33 PDT