Bugtraq mailing list archives

Re: [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password]


From: dwmatt () NOSC MIL (Dennis W. Mattison)
Date: Thu, 18 Nov 1999 09:28:03 -0800


Apparently the 740, 780, and 840 printers are vulnerable.  According to
Bernhard Schneck and Gerhard den Hollander, the 350 and 560 printers are not
(confirmed on one of our printers here) vulnerable to this attack.  However,
this leaves me to wonder if there isn't some other undocumented feature in
these printers which is exploitable.

For those who asked, I actually didn't come up with this alone, I just put all
the pieces together to figure out how it could be exploited.  Like the 3Com
backdoor, and Microsoft's various remote administration tools, this bug is
something that Tektronix probably threw into their printers to help customer
support personnel working on printer problems remotely configure their client's
printers.  The bug is not the undocumented URLs themselves, but the fact that
these URLs allow a remote and unauthorized user to change printer
configurations without any sort of authentication or control.  Tektronix
requires a password be provided on their configuration pages in order to make
any changes, however, using these URLs the changes can be made without needing
a password.

The hint on the URL to recover a lost administrator password was first given to
one of our customers by the Tektronix folks, he forwarded it to us and from
there, we ran with it, discovering all the hidden treasures.  It is probably
safe to assume that the other printers have a similar hidden URL, maybe a
social engineering call to one of the Tektronix support personnel could get it
(they might be a little less sympathetic now that this is out though.)

Ronan Waide wrote:

On November 16, dwmatt () NOSC MIL said:
Tektronix has a particularly nasty bug which is quite amusing.  On their
Phaser 740 color printers (they may be on other printers, but I haven't had

Confirmed for phaser 780.
--
waider () scope ie / Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax)
"Multithreadedness, like object-orientedness, is a matter of perception.
 If it seems multithreaded, it is.  All else is an implementation detail."
                                                  - Jamie Zawinski

--
Dennis W. Mattison
SPAWAR Network Security Team
SAIC - Center for Information Security Technology (CIST)
Ph: (619) 553-2343 Email: dwmatt () nosc mil, mattisond () saic com
