Bugtraq mailing list archives

Re: OCE' 9400 plotters

From: seamus () INSOMNIA ORG (Patrick Cantwell)
Date: Mon, 23 Aug 1999 06:29:55 -0500


Actually,
        that looks to be like the same firmware as certain intelligent
hubs with integrated Terminal/Printer server capabilities.. I have one
here on my LAN. The model in question is made my a company called
Microplex, and it's a discontinued model called the M208.

(Mon 6:17am) (Mon 6:17am) seamus@rtfm ttya7:~> telnet XXXXXXX
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.

Network Printer Server Version 5.6.3 (XXX.XXX.XXX.XXX)

login: root
Password: <root pw here>

Welcome root user

XXX.XXX.XXX.XXX:root> list sysinfo
             name: XXXXXXXXXXXXXXX
          contact: XXXXXXXXXXXXXXX
         location: Insomnia Communications NOC
          version: 5.6.3
    serial number: 572
         compiled: Jul 16 1998
         checksum: 668E
          loginfo: sys
          logport: syslog
           syslog: XXXXXXXXXXXXXXX
            email: email: root@XXXXXXXXXX
       dns server: XXXXXXXXXXXXXXX
           module: novell, appletalk, netbios
XXX.XXX.XXX.XXX:root>

There is, however, quite a bit of documentation in the hub's manual about
setting a root password, and the importance of doing so.. don't know who
decided to use this same firmware in plotters/printers or what their
documentation is like, however it seems to come down to the general rule
of never leave a peripheral unpassworded on your network if you want to
avoid these sorts of problems (telnet proxy, etc..)

On Thu, 19 Aug 1999, Larry W. Cashdollar wrote:

Aleph1,
        I apologize if this has be brought up before, but with the recent
post concerning the QMS 2060 printers and the length of time I have sat on this
(4 months) I figured it should be released.  I sent this information to OCE long
ago with  no response.  I am aware of the Intelligent Peripherals bulletin by
CIAC.

        http://www.ciac.org/ciac/bulletins/j-019.shtml

        I have a few plotters / printers under my audit umbrella and
noticed something interesting on an Oce' 9400 plotter.  The printer has the
ability to be a telnet proxy.  Where as a user can hop via telnet to other
hosts.  If the printer is not setup properly the connections will go unlogged.

bunyip% telnet JPP1
Trying 192.168.38.244...
Connected to JPP1.
Escape character is '^]'.

Network Printer Server Version 5.6.3 (192.168.38.244)

login: root
Password:[Just enter here]

Welcome root user


WARNING: current and stored values differ.
Use 'list diff' command to find the differences.
Current values will be lost if unit is reset.

192.168.38.244:root> telnet 192.168.38.110
trying 192.168.38.110 ...
Connected to 192.168.38.110
Escape character is '0x18'

Red Hat Linux release 5.9 (Starbuck)
Kernel 2.2.3-5 on an i586
login:

192.168.38.244:root> list sysinfo
             name:
          contact:
         location:
          version: 5.6.3
    serial number: 13029
         compiled: Mar 25 1998    loginfo: sys
          logport:
           syslog: 255.255.255.255
            email: NetPrint@<unconfigured>
       dns server: 192.168.38.110
           module: novell, appletalk, netbios
         checksum: 1E54


         All that is needed is a valid DNS server setup in the plotter
configuration.

192.168.38.244:root> set sysinfo dns 192.168.38.100

And anyone can use the plotter as an anonymous telnet proxy.

Fix:

Enable passwords for the accounts on the plotter:

syntax: set user add <NAME>
         set user del <NAME>
         set user passwd <NAME> [<PASSWORD>]
         set user type <NAME> root|guest
         set user from default|stored

Enable logging:

syntax: set logpath <LOGPATH> name <NEW_NAME>
         set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum]
                     [[-]printer] [[-]ioport]
         set logpath <LOGPATH> port <TCP-PORT>|email|syslog
         set logpath from default|stored

P.S. This plotter has ping functionality also. No, I have not tried DoS attacks
=)

syntax: ping [-s] <IPNAME> [<DATASZ> [<NUMPKTS>]]



-- Larry W. Cashdollar
   Unix Administrator
   Security Operations


--
Patrick Cantwell
President/Systems Administrator, Insomnia Communications
pat () insomnia org
TheFloyd @ irc
4668163 @ icq

Current thread:

Vulnerability in Solaris 2.6. rpc.statd ?, (continued)
- - - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Alan Cox (Aug 22)
    - libtermcap exploit fix ... smashcap.c Hudin Lucian (Aug 22)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Pavel Kankovsky (Aug 26)
    - OCE' 9400 plotters Larry W. Cashdollar (Aug 19)
    - Re: OCE' 9400 plotters Patrick Cantwell (Aug 23)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 18)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
  - Security Bug in Oracle Elias Levy (Aug 17)
    - Re: Security Bug in Oracle Jonathan A. Zdziarski (Aug 27)
    - [RHSA-1999:030-02] Buffer overflow in cron daemon Bill Nottingham (Aug 27)