Penetration Testing mailing list archives

Re: empty sa passwords on network printers ??

From: H D Moore <sflist () digitaloffense net>
Date: Mon, 12 Dec 2005 13:45:53 -0600

If the printer runs a real operating system (linux, windows, solaris), 
treat it just like any other server with regards to risk. Xerox is famous 
for deploying huge printers that run exploitable services (Solaris 2.6, 
Linux-based, etc). If the printer is running Microsoft SQL Server with a 
blank password for the 'sa' account, you should be able to do the same 
things to it that could with a server - monitor all transactions, install 
sniffers, insert a backdoor, etc.

-HD

On Friday 09 December 2005 13:50, Jason Rusch wrote:

curious whats peoples opinion on the risk level etc concerning empty
SA passwords on network printers?


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

empty sa passwords on network printers ?? Jason Rusch (Dec 09)
- RE: empty sa passwords on network printers ?? Ben Nagy (Dec 10)
  - network printers Mark Brunner (Dec 10)
    - Re: network printers Justin (Dec 12)
    - Re: network printers perrymonj (Dec 13)
    - Re: network printers Paul Asadoorian (Dec 13)
    - Re: network printers Jason Baeder (Dec 13)
    - Re: network printers Sean Peterson (Dec 16)
- Re: empty sa passwords on network printers ?? H D Moore (Dec 12)