The Oce 9400 plotter can be used as a telnet proxy in its default configuration.
7dc17fea3ce18547115679dce3605f71296d6cdbc78e338c5547cbcc1a17902e
This appeared on bugtraq in August of 99
I am aware of the Intelligent Peripherals bulletin by CIAC.
http://www.ciac.org/ciac/bulletins/j-019.shtml
I have a few plotters / printers under my audit umbrella and
noticed something interesting on an Oce' 9400 plotter. The printer has
the ability to be a telnet proxy. Where as a user can hop via telnet to
other hosts. If the printer is not setup properly the connections will
go unlogged.
bunyip% telnet JPP1
Trying 192.168.38.244...
Connected to JPP1.
Escape character is '^]'.
Network Printer Server Version 5.6.3 (192.168.38.244)
login: root
Password:[Just enter here]
Welcome root user
WARNING: current and stored values differ.
Use 'list diff' command to find the differences.
Current values will be lost if unit is reset.
192.168.38.244:root> telnet 192.168.38.110
trying 192.168.38.110 ...
Connected to 192.168.38.110
Escape character is '0x18'
Red Hat Linux release 5.9 (Starbuck)
Kernel 2.2.3-5 on an i586
login:
192.168.38.244:root> list sysinfo
name:
contact:
location:
version: 5.6.3
serial number: 13029
compiled: Mar 25 1998 loginfo: sys
logport:
syslog: 255.255.255.255
email: NetPrint@<unconfigured>
dns server: 192.168.38.110
module: novell, appletalk, netbios
checksum: 1E54
All that is needed is a valid DNS server setup in the plotter
configuration.
192.168.38.244:root> set sysinfo dns 192.168.38.100
And anyone can use the plotter as an anonymous telnet proxy.
Fix:
Enable passwords for the accounts on the plotter:
syntax: set user add <NAME>
set user del <NAME>
set user passwd <NAME> [<PASSWORD>]
set user type <NAME> root|guest
set user from default|stored
Enable logging:
syntax: set logpath <LOGPATH> name <NEW_NAME>
set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt]
[[-]cksum]
[[-]printer] [[-]ioport]
set logpath <LOGPATH> port <TCP-PORT>|email|syslog
set logpath from default|stored
Larry W. Cashdollar
http://vapid.dhs.org
lwc@vapid.dhs.org