[11515] in bugtraq
Re: OCE' 9400 plotters
daemon@ATHENA.MIT.EDU (Patrick Cantwell)
Wed Aug 25 20:41:34 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9908230623070.29727-100000@rtfm.insomnia.org>
Date: Mon, 23 Aug 1999 06:29:55 -0500
Reply-To: Patrick Cantwell <seamus@INSOMNIA.ORG>
From: Patrick Cantwell <seamus@INSOMNIA.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908191803.OAA18769@beanie.Biw.COM>

Actually,
that looks to be like the same firmware as certain intelligent
hubs with integrated Terminal/Printer server capabilities.. I have one
here on my LAN. The model in question is made by a company called
Microplex, and it's a discontinued model called the M208.

(Mon 6:17am) seamus@rtfm ttya7:~> telnet XXXXXXX
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
Network Printer Server Version 5.6.3 (XXX.XXX.XXX.XXX)
login: root
Password: <root pw here>
Welcome root user
XXX.XXX.XXX.XXX:root> list sysinfo
name: XXXXXXXXXXXXXXX
contact: XXXXXXXXXXXXXXX
location: Insomnia Communications NOC
version: 5.6.3
serial number: 572
compiled: Jul 16 1998
checksum: 668E
loginfo: sys
logport: syslog
syslog: XXXXXXXXXXXXXXX
email: root@XXXXXXXXXX
dns server: XXXXXXXXXXXXXXX
module: novell, appletalk, netbios
XXX.XXX.XXX.XXX:root>

There is, however, quite a bit of documentation in the hub's manual about
setting a root password, and the importance of doing so.. don't know who
decided to use this same firmware in plotters/printers or what their
documentation is like, however it seems to come down to the general rule
of never leave a peripheral unpassworded on your network if you want to
avoid these sorts of problems (telnet proxy, etc..)

On Thu, 19 Aug 1999, Larry W. Cashdollar wrote:
> Aleph1,
> I apologize if this has been brought up before, but with the recent
> post concerning the QMS 2060 printers and the length of time I have sat on this
> (4 months) I figured it should be released. I sent this information to OCE long
> ago with no response. I am aware of the Intelligent Peripherals bulletin by
> CIAC.
>
> http://www.ciac.org/ciac/bulletins/j-019.shtml
>
> I have a few plotters / printers under my audit umbrella and
> noticed something interesting on an Oce' 9400 plotter. The printer has the
> ability to be a telnet proxy. Where as a user can hop via telnet to other
> hosts. If the printer is not set up properly the connections will go unlogged.
>
> bunyip% telnet JPP1
> Trying 192.168.38.244...
> Connected to JPP1.
> Escape character is '^]'.
>
> Network Printer Server Version 5.6.3 (192.168.38.244)
>
> login: root
> Password:[Just enter here]
>
> Welcome root user
>
>
> WARNING: current and stored values differ.
> Use 'list diff' command to find the differences.
> Current values will be lost if unit is reset.
>
> 192.168.38.244:root> telnet 192.168.38.110
> trying 192.168.38.110 ...
> Connected to 192.168.38.110
> Escape character is '0x18'
>
> Red Hat Linux release 5.9 (Starbuck)
> Kernel 2.2.3-5 on an i586
> login:
>
> 192.168.38.244:root> list sysinfo
> name:
> contact:
> location:
> version: 5.6.3
> serial number: 13029
> compiled: Mar 25 1998
> loginfo: sys
> logport:
> syslog: 255.255.255.255
> email: NetPrint@<unconfigured>
> dns server: 192.168.38.110
> module: novell, appletalk, netbios
> checksum: 1E54
>
>
> All that is needed is a valid DNS server setup in the plotter
> configuration.
>
> 192.168.38.244:root> set sysinfo dns 192.168.38.100
>
> And anyone can use the plotter as an anonymous telnet proxy.
>
> Fix:
>
> Enable passwords for the accounts on the plotter:
>
> syntax: set user add <NAME>
> set user del <NAME>
> set user passwd <NAME> [<PASSWORD>]
> set user type <NAME> root|guest
> set user from default|stored
>
> Enable logging:
>
> syntax: set logpath <LOGPATH> name <NEW_NAME>
> set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum]
> [[-]printer] [[-]ioport]
> set logpath <LOGPATH> port <TCP-PORT>|email|syslog
> set logpath from default|stored
>
> P.S. This plotter has ping functionality also. No, I have not tried DoS attacks
> =)
>
> syntax: ping [-s] <IPNAME> [<DATASZ> [<NUMPKTS>]]
>
>
>
> -- Larry W. Cashdollar
> Unix Administrator
> Security Operations
>
--
Patrick Cantwell
President/Systems Administrator, Insomnia Communications
pat@insomnia.org
TheFloyd @ irc
4668163 @ icq
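
An added example, not part of either message: a small auditor that parses captured `list sysinfo` output in the format quoted above and flags the logging and identity fields that the plotter's output shows unset. The field names come from the thread; the function names, the sample values and the choice of what counts as unconfigured are assumptions inferred from comparing the two outputs.

```python
import re

# Field names as they appear in the 'list sysinfo' output quoted in this thread.
KEYS = ["name", "contact", "location", "version", "serial number", "compiled",
        "checksum", "loginfo", "logport", "syslog", "email", "dns server", "module"]
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEYS)) + r"):")

def parse_sysinfo(text):
    """Parse 'key: value' lines; tolerates mail quoting and two fields on one line."""
    info = {}
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        hits = list(KEY_RE.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            info[m.group(1)] = line[m.end():end].strip()
    return info

def audit(info):
    """Flag settings that leave use of the device unlogged (checks are assumptions)."""
    findings = []
    if not info.get("logport"):
        findings.append("logport empty: no log destination set")
    if info.get("syslog", "") in ("", "255.255.255.255"):
        findings.append("syslog host unset or broadcast placeholder")
    if "<unconfigured>" in info.get("email", ""):
        findings.append("email log target unconfigured")
    if not any(info.get(k) for k in ("name", "contact", "location")):
        findings.append("name/contact/location blank: unit looks unconfigured")
    return findings

# Constructed sample modelled on the quoted plotter output (one line fused on purpose).
SAMPLE_DEFAULT = """> name:
> contact:
> location:
> compiled: Mar 25 1998 loginfo: sys
> logport:
> syslog: 255.255.255.255
> email: NetPrint@<unconfigured>"""
# Constructed sample of a unit with logging configured (all values are placeholders).
SAMPLE_CONFIGURED = ("name: plotter1\nlocation: NOC\nlogport: syslog\n"
                     "syslog: 192.0.2.10\nemail: root@example.org")

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("configured", SAMPLE_CONFIGURED)):
        print(label, audit(parse_sysinfo(text)))
```
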