____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Security Advisory ===============/======================================================== Advisory ID: CAU-1999-0001 Release Date: 1999.08.10 Title: HP JetDirect Printers and Print Servers - DoS / spam Application/OS: HP JetDirect Printers and Print Servers Topic: Default or "convienient" setup of HP JetDirect enabled printers are vulnerable to spam attacks as well as possible DoS attacks. Vendor Status: No Response Attributes: Denial of Service Advisory URL: http://www.caughq.org/advisories/CAU-1999-0001.txt Author/Email: I)ruid (druid@caughq.org) ===============/======================================================== Problem ------- Hewlett Packard JetDirect Print Server enabled printers are insecure and vulnerable right out of the box. Upon setup of a JetDirect enabled printer, the user is presented with either a console (directly on the printer) configuration menu, a web-based management utility, or JetAdmin software configuration. During setup via the console, there is no mention of a JetDirect Administration password at all. If the user setting up the printer does not use (or is not aware of) the web-based management utility, the printer is left totally insecure and vulnerable to this attack. If the user setting up the printer uses the web-based management utility or JetAdmin software configuration, they are presented with the option to set an Administrator password, but it is not required. Setting an Administrator password may negate the primary vulnerabilities that I will describe here, however it does not solve all of the issues that I will discuss within this advisory. Because of the nature of the JetAdmin utility and JetDirect enabled printers, "expected functionality" can become quite unwanted. The HP JetAdmin utility is designed primarily to bind a local virtual port to a remote network printer with a JetDirect card. There are a few protocols such as IPX/SPX, LLC/DLC, and ETalk that are supported, but we'll be primarily talking about TCP/IP because it is a routeable protocol. If an HP JetDirect enabled printer is setup and running without an Administrator password, any user with the JetAdmin utilities and printer drivers for that printer installed can print to the vulnerable printer. Obviously, anyone anywhere with a route to your printer's IP being allowed to print can be a very bad thing. Not only does this open up a whole new world of printer spam, it also allows for possible denials of service, such as exausting the printer's paper supply, filling up the queue with print jobs, and so on. "So set an Administrator password" you say. Great idea, however very few people do, and if you choose to use the console configuration menu rather than the web-based management utility or JetAdmin remote software configuration, you can't set an Administrator password. If you do have an Administrator password set, any future workstation wishing to install and print to this printer is prompted for the Administrator password. If this printer is in a large business environment, or perhaps an academic environment, the Administrator's assistance is sometimes hard to come by, so many printers are left open with no Administrator password set. Furthermore, even with an Administrator password set, anyone that has already installed this printer to their workstation remains able to print, and anyone who points a web browser at your printer's IP is allowed to view all network settings, printer settings, and so on. If there is no Administrator password, anyone viewing these pages are allowed to change any displayed settings as well. Example / Lab ------------- Replication of this scenario is quite simple, it's exactly like setting up a LAN printer. First, point a web browser at: http://troubleshooting.support.hp.com/servlet/FindIt?t=hp&q=JetAdmin Here you will find the JetAdmin software for your platform. Next, you will need to locate a JetDirect enabled printer or Print Server, or if you already have one, set up your printer as you normally would, or as HP describes. Finally, use the JetAdmin utility to set up a JetDirect port on your system that points to this printer. Follow the instructions as it prompts you. This is, after all, expected functionality of HP Print Servers. Set this new printer to your default printer and print something. Solution -------- Your first line of defense should obviously be the Administrator password. Setting the Administration password may prevent malicious attempts to print to your printer, DoS attacks, or attempts to change your printer's settings, however it does not prevent someone from simply connecting to your printer's web-based management utility and viewing all of your printer's settings. This information could be usefull to someone attempting to penetrate your networks or systems, as this information contains the JetDirect card's network settings, hardware address, software version information, printer uptime, printer and protocol diagnostics, and so on. Secondly, if you have a firewall, denying traffic to your printer's IP from outside of the firewall is also an option. However, a firewall is not always the solution. As Yuri Volobuev put it back in his ARP and ICMP redirection paper: I anticipate that many of you, having read the section about ICMP, are already flexing the fingers preparing to write a follow-up explaining that all those ICMP packets can be filtered out on the firewall, thus it's not a problem. Please don't. I'm well aware of the concept. And if you feel you absolutely have to, don't cc the list needlessly. I have to note that many people use "i have firewall, and I like it, therefore everyone else should get one or get lost" logic to argue that certain security problems are less serious because they can be effectively eliminated by putting a firewall between the protected network and Internet. While I fully agree that having a firewall is very good for security, I want to note that it's not always possible or effective. Imagine an environment where all machines are directly connected to the Internet, you have to share subnets with people you don't know who have vanilla SGI boxes screaming "hack me pleeeease, my vendor did such a great job of making it eeeeeeasy" all over the place (and sure, these people know Unix, they've seen it in Jurassic Park... and that would be about it), and the router to your subnet is controlled by a separate organization. Welcome to a standard academic environment, where people don't use firewalls. In fact, in some of those environments one would be useful to protect the outside world from the people on the inside. Still, people work there, and use computers, too. And that's where per-host security solutions are necessary, it's a jungle where every host is for itself. So please, next time you think "firewall", remember, it's not for everyone. Finally, my recommended solution is that HP should implement simple firewall-style ACCEPT and DENY rules for accepting print jobs via TCP/IP, as well as encompasing the entire web-based management utility under an Administrator login page. Only the Administrator should have access to the configuration information stored there, not anyone who points a web browser at it. Both of these simple solutions would prevent unauthorized users from using your printer, viewing it's settings, and so on. How To Exploit -------------- From the explanations above, it's not hard to get ideas. HP also provides you with a variety of remote scanning tools embedded within their JetAdmin utility for easily scanning remote subnets or IP blocks to find JetDirect enabled printers and Print Servers.