SecurityTracker.com
Category:  Device (Printer)  >  JetDirect
Vendors:  HP
HP Printers Running JetDirect Disclose Administrative Passwords to Remote Users
SecurityTracker Alert ID:  1004860
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 27 2002
Impact:  Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Advisory:  Phenoelit Group
Description:  An authentication information disclosure vulnerability was reported in HP's network-enabled printers. A remote user can determine the administrative access password.

It is reported that a remote user can use an SNMP READ request to obtain the HTTP and TELNET administrative access password on printers running JetDirect. The password is returned in HEX format when a remote user requests the following variable:

.iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0

The printer will reportedly return a HEX string where the numbers after the second byte represent the password in ASCII.

A demonstration exploit is provided:

linux# snmpget <printer_ip> public .iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0

The vendor has reportedly been notified.
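
Added example (not part of the SecurityTracker entry or the Phenoelit advisory): a detection sketch that BER-encodes the OID above and flags SNMPv1/v2c packets naming it, for use on UDP/161 payloads captured on a printer VLAN. The function names and the sample packets are constructed for illustration.

```python
# Added example: flag SNMPv1/v2c packets that name the OID from the advisory.
PASSWORD_OID = "1.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0"  # ".iso" is arc 1
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA5: "getbulk"}

def tlv(tag, body):
    # Short-form BER length only; every element built here is under 128 bytes.
    return bytes([tag, len(body)]) + bytes(body)

def encode_oid(dotted):
    """BER-encode a dotted OID, returned as a complete TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                 # base-128, high bit marks continuation
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(payload, oid=PASSWORD_OID):
    """Return (pdu_name, community) if the UDP payload names the OID, else None."""
    try:
        tag, pos, _ = read_tlv(payload, 0)            # outer SEQUENCE
        _, start, pos = read_tlv(payload, pos)        # version INTEGER
        if tag != 0x30 or payload[start:pos] not in (b"\x00", b"\x01"):
            return None                               # not SNMPv1 / v2c
        _, start, pos = read_tlv(payload, pos)        # community OCTET STRING
        community = payload[start:pos].decode("latin-1")
        pdu_tag, start, end = read_tlv(payload, pos)  # PDU
    except IndexError:                                # truncated or not BER
        return None
    if pdu_tag in PDU_NAMES and encode_oid(oid) in payload[start:end]:
        return PDU_NAMES[pdu_tag], community
    return None

def build_sample(pdu_tag, oid, community=b"public"):
    """Constructed SNMPv1 packet (request-id 1, NULL value) used as sample input."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)
```

Response PDUs are matched as well as requests, so a walk that reaches the variable through getnext from a parent arc is still flagged when the printer answers with this OID.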

Impact:  A remote user can obtain the printer's administrative access password.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.hp.com/
Cause:  Access control error
Reported By:  kim0 <kim0@phenoelit.de>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2002 (HP Issues Fix) HP Printers Running JetDirect Disclose Administrative Passwords to Remote Users   (support_feedback@us-support-mail.external.hp.com (IT Resource Center ))
HP has released a firmware fix.



 Source Message Contents

Date:  Sat, 27 Jul 2002 15:53:21 +0200
From:  kim0 <kim0@phenoelit.de>
Subject:  Phenoelit Advisory #0815 +-+

 


-- 
            kim0   <kim0@phenoelit.de>
        Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42


Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+>

[ Authors ]
	FX		<fx@phenoelit.de>
	kim0 		<kim0@phenoelit.de>	

	Phenoelit Group	(http://www.phenoelit.de)
	Advisory	http://www.phenoelit.de/stuff/HP_snmp.txt

[ Affected Products ]
	Hewlett Packard (HP)  
			Printers

	HP Bug ID:	Not assigned
	CERT Vulnerability ID:	377033

[ Vendor communication ]
        06/29/02        Initial Notification, security-alert@hp.com
                        *Note-Initial notification by phenoelit
                        includes a cc to cert@cert.org by default
        06/29/02        RBL blocked delivery to security-alert@hp.com
        06/29/02        Creation of ho-mail account and resend
                        (note, kim0 HATES ho-mail at this point)
        07/01/02        Auto-responder reply
        07/01/02        Human Contact, PGP exchange and ack.
        07/19/02        Notification of intent to post publicly
                        in apx. 7 days.
	07/23/02	Coordination for release date/times

[ Overview ]
	HP Network-Enable Printers (JetDirect)
 
[ Description ]
	SNMP variable accessible by SNMP READ exposes HTTP and TELNET 
	administrative access password in HEX 
	(.iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0)
	An SNMP read request to this variable will return a HEX string 
	such as	0x01 0X15 0x41 0X41, where the numbers after the second 
	byte represent the password in ASCII (in this case, the password is 'AA').

[ Example ]
	linux# snmpget <printer_ip> public .iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0

[ Solution ]
	None known at this time. 

[ end of file ]





 



Copyright 2002, SecurityGlobal.net LLC