[11427] in bugtraq
QMS 2060 printer security hole
daemon@ATHENA.MIT.EDU (Frank Bures)
Thu Aug 19 13:54:02 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <199908181402.KAA03077@alchemy.chem.utoronto.ca>
Date: Wed, 18 Aug 1999 10:02:13 -0400
Reply-To: Frank Bures <lisfrank@chem.toronto.edu>
From: Frank Bures <lisfrank@CHEM.TORONTO.EDU>
X-To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <000301bee3ab$82146500$021d85d1@youwant.to>
I am in contact with the QMS customer support and they assured me they will
work on the solution to the problem. In the meantime, though, I think it is
important to let everyone know about this possible security hole.
There's a gapping security hole in QMS-2060 network printer that enables a
root access to the printer WITHOUT password protection:
According to the printer manual, one has to install file passwd.ftp in the
printer in order to establish eligible users and their passwords. After the
file has been installed, all the users mentioned in the file HAVE to provide
their passwords to log on the printer EXCEPT root, even if root and his
password are explicitly mentioned in the file.
It means that ANYONE can log on the printer as root, rewrite the passwd.ftp
file with an arbitrary file and disable an access to the printer to anyone
else. This person can also change the file hosts, that list machines, which
are allowed to connect to the printer. So, anyone can rewrite passwd.ftp
file and hosts file, print out hundreds of pages directly from his own
machine without being registered by the lp accounting system on the server
and then put the original files back to cover his tracks.
I will post here the solution from QMS as soon as it is found.
Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures@chem.toronto.edu
http://frank.chem.utoronto.ca/electronics
