SecurityTracker.com
Category:   Device (Printer)  >   Tektronix/Xerox Network Printers
Vendors:   Tektronix
(Info on Specific Models) Re: Xerox/Tektronix Network Printers Disclose Administrator Password to Remote Users and Allow Remote Users to Shut Down the Printer, Possibly Resulting in Physical Damage to the Printer
SecurityTracker Alert ID:  1001441
SecurityTracker URL:  http://securitytracker.com/id/1001441
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 28 2001
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Modification of system information


Description:   A vulnerability was reported in Xerox/Tektronix network printers that allows remote users to obtain the administrator user id and password and change certain configuration parameters on the printer via a backdoor access method, possibly causing a denial of service condition.

The printers reportedly use a backdoor web URL that does not require authentication for configuration (http://printername/_ncl_subjects.shtml). Configuration pages are accessible via this URL, with the format http number that corresponds to a particular configuration page. The printer allows remote unauthenticated users to set the "Shutdown" option on the URL http without properly clearing the ink reservoir. It is reported that if the reservoir is cooled without being cleared, the ink may coagulate and the printer may sustain physical damage. The web configuration page reportedly displays the administrator user id and password to any remote user with the URL It appears that the web server cannot be turned off.

A user reports the following:

"Phaser 560
Tektronix Version: 1.01/21
Didn't find any variants that worked.

Phaser 740
Firmware Version: 1.24 / 4.08 / 21 / 8.62
http://printername/ncl_subjects.html works

Phaser 750DP
Firmware Version
PostScript: 5.62
VxWorks: 2.28
Network: 11.100.11.15.1999
Engine: 10
http://printername/_ncl_subjects.shtml works

In both 740 and 750 the password is exposed in plain text for anyone to see."

The user suggests not setting a default gateway for the printer's IP configuration to limit the vulnerability to the local subnet.

Impact:   A remote user can obtain the administrator user id and password and can then reconfigure the printer and cause a denial of service condition, possibly inflicting physical damage on the printer.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.officeprinting.xerox.com/
Cause:   Access control error, Authentication error
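
The following added example (not part of the original advisory or the reporter's message) shows one way to review HTTP sensor or proxy logs for requests to the two configuration URLs named above, and to separate local-subnet requests from routed ones, which is the distinction the default-gateway suggestion relies on. The log layout, the addresses and the names PRINTERS, SAMPLE_LOG and find_config_access are assumptions made for this example.

```python
import ipaddress
import re

# Paths this advisory reports as reachable without authentication.
CONFIG_PATHS = ("/_ncl_subjects.shtml", "/ncl_subjects.html")

# Assumed log layout (constructed): "<src_ip> <dst_ip> <METHOD> <target> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

# Constructed inventory: printer address -> subnet the printer sits on.
PRINTERS = {"192.0.2.20": ipaddress.ip_network("192.0.2.0/24")}

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.45 192.0.2.20 GET /_ncl_subjects.shtml 200
198.51.100.7 192.0.2.20 GET /ncl_subjects.html 200
192.0.2.45 192.0.2.20 GET /index.html 200
203.0.113.9 192.0.2.20 GET /_NCL_subjects.shtml?x=1 404
garbage line
"""

def find_config_access(log_text, printers=PRINTERS):
    """Return one finding per request that targets a listed configuration path."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        src, dst, _method, target, status = m.groups()
        if dst not in printers:
            continue  # only inventoried printers are of interest
        # Drop any query string and compare case-insensitively (conservative).
        path = target.split("?", 1)[0].lower()
        if path not in CONFIG_PATHS:
            continue
        try:
            local = ipaddress.ip_address(src) in printers[dst]
        except ValueError:
            continue  # malformed source address
        # "routed" with a 2xx status suggests the printer has a route back
        # to other networks, i.e. a default gateway is configured.
        findings.append({"src": src, "printer": dst, "path": path,
                         "status": int(status),
                         "scope": "local-subnet" if local else "routed"})
    return findings

if __name__ == "__main__":
    for finding in find_config_access(SAMPLE_LOG):
        print(finding)
```
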

Message History:   This archive entry is a follow-up to the message listed below.
Apr 27 2001 Xerox/Tektronix Network Printers Disclose Administrator Password to Remote Users and Allow Remote Users to Shut Down the Printer, Possibly Resulting in Physical Damage to the Printer



 Source Message Contents

Subject:  Re: Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW


From my testing:

Phaser 560
Tektronix Version:  1.01/21	
	Didn't find any variants that worked.

Phaser 740
Firmware Version:  1.24 / 4.08 / 21 / 8.62
	http://printername/ncl_subjects.html works

Phaser 750DP
	Firmware Version
		PostScript: 5.62
		VxWorks: 2.28
		Network: 11.100.11.15.1999
		Engine: 10
	http://printername/_ncl_subjects.shtml works

In both 740 and 750 the password is exposed in plain text for anyone to see.

I suggest not setting a default gateway for the printer's IP configuration.
This should limit the vulnerability to your own subnet.

-Francis
