Bugtraq mailing list archives

Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

From: "Mike Kristovich" <mkristovich () pivx com>
Date: Mon, 3 Mar 2003 12:18:43 -0500

Sven,

    Unfortunately, if you do a scan of a few subnets, you're bound to find
quite a bit of open, unpassworded Jetdirect hosts.  If you just scan for
port 23 and/or port 80, these Jetdirects pop up everywhere.  Most of them
will not have a password set on them.   You have this defined as #3 on your
"additional protection" list.  It makes a very good point that most
administrations don't tend to pay attention to.  This is a known issue, but
it still exists worldwide.  The information provided will hopefully remind a
good number of people to go ahead and set the password now, before somebody
else does.

    As you will see in the examples below, you can compromise an HP
Jetdirect via telnet quite easily.  If the password is disabled (as it is on
most), you'll have instant administrative access.  A similar interface can
be found on port 80 (WWW), but is java-driven almost entirely.  Take a look
at the examples below to see how easily you can compromise via telnet.

 Telnetting to port 23 will give you the following:
-------------------

HP JetDirect

Please type "?" for HELP, or "/" for current settings


-------------------

Typing "/" will give you the following:

   ===JetDirect Telnet Configuration===
        Firmware Rev.   : G.08.40
        MAC Address     : 00:X0:X0:cX:7X:Xf
        Config By       : USER SPECIFIED

        IP Address      : X.X.X.X
        Subnet Mask     : 255.255.255.0
        Default Gateway : X.X.X.X
        Syslog Server   : Not Specified
        Idle Timeout    : 120 Seconds
        Set Cmnty Name  : Not Specified
        Host Name       : Not Specified

        DHCP Config     : Disabled
---> Passwd          : Disabled
        IPX/SPX         : Enabled
        DLC/LLC         : Disabled
        Ethertalk       : Disabled
        Banner page     : Enabled

-------------------------

If you type "?" for help, you'll notice this line at the end.

        Type passwd to change the password.

Type "passwd", and..

        Enter Password[16 character max.; 0 to disable]: >

You now have complete control of the device, while locking out the "real"
administrator.

------------------

Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)


#3 on the list you provided is extremely important.  Remember to set a
password, or you're leaving the device open for public administration!

Thanks,

Mike Kristovich, Security Researcher
PivX Solutions, LLC
http://www.PivX.com


----- Original Message -----
From: "Sven Pechler" <helpdesk () tm tue nl>
To: <bugtraq () securityfocus com>
Sent: Monday, March 03, 2003 10:25 AM
Subject: New HP Jetdirect SNMP password vulnerability when using Web
JetAdmin



Hello,

During an analysis of some HP Jetdirect cards I discovered a security
issue that could lead to full access to a networked printer.

It looks like the vulnerability described in
http://www.securityfocus.com/bid/5331, but the OID is different and you
can only obtain one specific password.
It is also different from the password vulnerability described in
http://www.securityfocus.com/bid/3132


It applies to the following situation:

- Any operating system

-HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
and older.

-The Jetdirect card is being managed from HP Web Jetadmin.

-A Web Jetadmin "device password" had been set on the JetDirect card.
(This password must be set from Web Jetadmin and has nothing to do with
the Telnet password or the SNMP Set community name)

In the above situation the Web Jetadmin device password is readable as
plain ASCII tekst from the JetDirect card using SNMP.


How to check your printers for this vulnerability:

Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-
printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)

An example on a Windows machine, using SNMPUTIL from the Windows Resource
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
x3b><0x00><0x00><0x00><0x00> ..etc...

The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF


How to protect your printer:

1. Keep the Web Jetadmin device password EMPTY (don't do this on
newer cards than the ones mentioned above)
2. Define a 'Set community name'  instead

Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access
from defined IP-addresses



Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management

Current thread:

New HP Jetdirect SNMP password vulnerability when using Web JetAdmin Sven Pechler (Mar 03)
- Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin Mike Kristovich (Mar 03)
- <Possible follow-ups>
- RE: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin snooper () satx rr com (Mar 03)
- New HP Jetdirect SNMP password vulnerability when using Web JetAdmin Sven Pechler (Mar 06)