BugTraq
Back to list
|
Post reply
New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
Mar 03 2003 03:25PM
Sven Pechler (helpdesk tm tue nl)
(1 replies)
Hello,
During an analysis of some HP Jetdirect cards I discovered a security
issue that could lead to full access to a networked printer.
It looks like the vulnerability described in
http://www.securityfocus.com/bid/5331, but the OID is different and you
can only obtain one specific password.
It is also different from the password vulnerability described in
http://www.securityfocus.com/bid/3132
It applies to the following situation:
- Any operating system
-HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
and older.
-The Jetdirect card is being managed from HP Web Jetadmin.
-A Web Jetadmin "device password" had been set on the JetDirect card.
(This password must be set from Web Jetadmin and has nothing to do with
the Telnet password or the SNMP Set community name)
In the above situation the Web Jetadmin device password is readable as
plain ASCII tekst from the JetDirect card using SNMP.
How to check your printers for this vulnerability:
Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.ne
t-
printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
An example on a Windows machine, using SNMPUTIL from the Windows Resource
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value = String
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
x3b><0x00><0x00><0x00><0x00> ..etc...
The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF
How to protect your printer:
1. Keep the Web Jetadmin device password EMPTY (don't do this on
newer cards than the ones mentioned above)
2. Define a 'Set community name' instead
Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access
from defined IP-addresses
Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
[ reply ]
Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
Mar 03 2003 05:18PM
Mike Kristovich (mkristovich pivx com)
Privacy Statement
Copyright 2010, SecurityFocus
Hello,
During an analysis of some HP Jetdirect cards I discovered a security
issue that could lead to full access to a networked printer.
It looks like the vulnerability described in
http://www.securityfocus.com/bid/5331, but the OID is different and you
can only obtain one specific password.
It is also different from the password vulnerability described in
http://www.securityfocus.com/bid/3132
It applies to the following situation:
- Any operating system
-HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
and older.
-The Jetdirect card is being managed from HP Web Jetadmin.
-A Web Jetadmin "device password" had been set on the JetDirect card.
(This password must be set from Web Jetadmin and has nothing to do with
the Telnet password or the SNMP Set community name)
In the above situation the Web Jetadmin device password is readable as
plain ASCII tekst from the JetDirect card using SNMP.
How to check your printers for this vulnerability:
Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.ne
t-
printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
An example on a Windows machine, using SNMPUTIL from the Windows Resource
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value = String
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
x3b><0x00><0x00><0x00><0x00> ..etc...
The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF
How to protect your printer:
1. Keep the Web Jetadmin device password EMPTY (don't do this on
newer cards than the ones mentioned above)
2. Define a 'Set community name' instead
Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access
from defined IP-addresses
Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
[ reply ]