lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 12 Nov 2004 10:47:06 -0500
From: KF_lists <kf_lists@...netops.com>
To: Lawrence MacIntyre <macintyrelp@...l.gov>
Cc: Justin Rush <jrush@...ut.wisc.edu>, bugtraq@...urityfocus.com
Subject: Re: Unsecure Ftpd on HP PSC 2510 Printer


Excuse me... Hijetter.exe uses port 9100 to dump files off... however 
you CAN retrieve them via port 21 AFTER dumping them off via port 9100.

-KF

Lawrence MacIntyre wrote:
> A write-only ftp server doesn't seem like a good place to do that since 
> you can't get them back out...
> 
> (nice try, though...)
> 
> KF_lists wrote:
> 
>> Nothing like someone using the memory on your printer to stash a few 
>> files...
>>
>> http://www.phenoelit.de/hp/docu.html
>> -KF
>>
>> Lawrence MacIntyre wrote:
>>
>>> So why is this insecure?  Why is this different from port 631 (ipp) or
>>> port 515 (lpd)?  It's a printer.  You give it a file, it prints it.  The
>>> port or protocol it uses is immaterial...
>>>
>>> On Wed, 2004-11-10 at 15:26 -0600, Justin Rush wrote:
>>>
>>>> Product Name: HP PSC 2510
>>>> Summary: Ftp print service is not configurable
>>>>
>>>>     This printer comes with an ftp daemon which allows anonymous
>>>> access, and drops the user into a write only directory.  By default
>>>> anyone from anywhere can drop a file into this directory and the
>>>> printer will print the document.  There is no documentation about
>>>> this feature, nor is there anyway to change (enable/disable) it
>>>> via any of their software or on the printer itself.  HP Tech.
>>>> support says that if you don't want this feature then you should
>>>> hook up the printer as a local printer, however this printer
>>>> comes with both wireless and wired connectors on the back.
>>>>
>>>> Justin Rush
>>>> jrush@...ut.wisc.edu
>>>
>>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ