Security Incidents mailing list archives

Re: Printer exploit?


From: sarnold () wirex com
Date: Wed, 27 Jun 2001 10:51:53 -0700

On Tue, Jun 26, 2001 at 02:32:05PM -0600, Brendan Murphy wrote:
  More than a few of our networked HP Laserjet printers have been
sporadically printing out entire trays of paper that have a '1', 'u', 'i'
[...]
Some facts, just in case:
      - Printers are using JetDirect cards over TCP/IP
      - Some users connected through print server, others directly.
      - Printers are NOT the same model

The second note is the source of your problem. By allowing users to
connect directly to the printer, you lose all possibilities of
conserving your resources.

It has been many years since I have had to work with HP JetDirect Cards
(Oh, how I hope they have improved :) but the thing to look for in their
setup utilities is a way to restrict connections to only a few IP
addresses -- the print servers on your NT/Unix machines that have
logging and much better access controls (tcpd aka tcp wrappers, or an NT
equivalent which I hope exists).

Of course, if the JetDirect cards don't have the ability to set a list
of IP addresses that are allowed to submit print jobs, you are in a bit
more troubling spot. My first thought is to set different RFC1918
addresses on the printer, and put two IPs on your print servers -- one
that the existing tcp/ip subnet knows how to speak to, one that can only
speak with the printers. This ought to keep idiots from doing it again,
though it will never deter a determined attacker.

Another possibility is to look into using OpenBSD as an ethernet bridge
thingy: bridge(4) brconfig(8)
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_49

Sadly, this technique will require one OpenBSD box per printer. (It
might be able to work with other IPF-running unices, I don't know.)

Good luck.
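
Added example, not part of the original post: a small audit that checks whether print jobs really do arrive only via the print servers, by scanning flow records for connections that reach a printer's print port from any other source. The addresses, the record format and the port list (515, 631, 9100) are assumptions made for the example; the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed layout: printers on their own RFC 1918 subnet, print servers
# holding a second address inside it. All addresses here are made up.
PRINTER_NET = ipaddress.ip_network("10.9.0.0/24")
PRINT_SERVERS = {ipaddress.ip_address(a) for a in ("10.9.0.2", "10.9.0.3")}
PRINT_PORTS = {515: "lpd", 631: "ipp", 9100: "raw"}  # assumed print ports

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2001-06-26T14:01:07 10.9.0.2 10.9.0.21 9100
2001-06-26T14:03:44 192.168.1.57 10.9.0.21 9100
2001-06-26T14:03:45 192.168.1.57 10.9.0.22 9100
2001-06-26T14:05:10 192.168.1.80 10.9.0.21 80
2001-06-26T14:06:31 10.9.0.3 10.9.0.22 515
2001-06-26T14:07:02 192.168.1.57 10.9.0.21 515
garbled line from the collector
2001-06-26T14:09:15 192.168.1.12 192.168.1.5 9100
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport); skip lines that do not parse."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            yield (fields[0], ipaddress.ip_address(fields[1]),
                   ipaddress.ip_address(fields[2]), int(fields[3]))
        except ValueError:
            continue

def direct_submissions(text):
    """Flows to a printer's print port whose source is not a print server."""
    return [(ts, str(src), str(dst), PRINT_PORTS[port])
            for ts, src, dst, port in parse_flows(text)
            if dst in PRINTER_NET and port in PRINT_PORTS
            and src not in PRINT_SERVERS]

def offenders(text):
    """Count bypassing flows per source address, busiest first."""
    return Counter(f[1] for f in direct_submissions(text)).most_common()

if __name__ == "__main__":
    for finding in direct_submissions(SAMPLE_FLOWS):
        print(*finding)
    print(offenders(SAMPLE_FLOWS))
```

Any finding means a host is still submitting jobs straight to a printer, so the address restriction or the subnet split is not fully in effect.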

