Message-ID: <174060294.20071228191502@SECURITY.NNOV.RU>
Date: Fri, 28 Dec 2007 19:15:02 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: uncleron@...hmail.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: HP Photosmart vulnerabilities

Dear uncleron@...hmail.com,

SNMP is used to monitor print queue status with the LPR or RAW printing
protocol. This is a standard feature in e.g. Windows and is not HP
specific. You can find this option in the port settings.

--Friday, December 28, 2007, 7:01:40 PM, you wrote to full-disclosure@...ts.grok.org.uk:

uhc> A low price for the printer does not give the vendor a free pass 
uhc> for shipping insecure products.  Since this type of printer is 
uhc> targeted for home/home office use, it would be valid to ask why 
uhc> SNMP is enabled in the first place.  

uhc> Please explain how this printer would be any less easy to use if HP
uhc> had used non default community strings in the firmware?  In a 
uhc> home/home office environment, the only thing that might have a 
uhc> valid need to communicate with the printer via SNMP would be HP's 
uhc> software, which could just as easily use a non default community 
uhc> string.


uhc> On Fri, 28 Dec 2007 09:32:29 -0600 Joshua Levitsky 
uhc> <jlevitsk@...hie.com> wrote:
>>Do you mean to tell me someone can come to my house and after I let
>>them on my network they can see how soon I need toner? Oh crap I
>>better not let anyone over for New Year's!!!
>>
>>There is a reason it's a $200 home/home office printer. It's not meant
>>to sit on the internet. It's not meant to be in a military facility.
>>It is meant to be simple to use.
>>
>>I think next I shall contact Sears because I suspect someone can steal
>>my water by simply placing a glass up to the front of the fridge
>>without my knowledge, and I'm not positive but I think they can take
>>my ice as well.
>>
>>
>>
>>On Dec 28, 2007, at 10:16 AM, <uncleron@...hmail.com> wrote:
>>
>>> HP Photosmart C6280 (and probably other) network printers ship with
>>> insecure default settings.  The printer ships with SNMP enabled
>>> using the default community strings for both public and private.
>>> HP does not document the use of SNMP, or provide a way for users to
>>> change the default community strings.  The printer also includes a
>>> web based admin tool which runs over http, without even an option
>>> for ssl.
>>>
>>> Several attempts to contact HP have proven futile.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/



-- 
~/ZARAZA http://securityvulns.com/
While you are in the hands of Providence, you cannot die before your time. (Twain)

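The thread above turns on two technical points: the printer answers SNMP with the well-known default community strings, and the Windows port monitor uses SNMP (over the LPR/RAW port) to read printer status. As an added example that is not part of the thread, and not HP's or the list's code, the block below is a passive audit a home or small-office administrator could run over captured UDP/161 payloads: it decodes the SNMPv1/v2c message header with a small BER reader and flags any request that uses "public" or "private". The sample datagrams, source addresses and the non-default community string are constructed inline; the two OIDs are the standard MIB-II sysDescr.0 and HOST-RESOURCES-MIB hrPrinterStatus.1 objects, the latter being the kind of object a print monitor polls.

```python
"""Passive detector for default SNMP community strings in captured UDP/161 payloads.

Added example, not taken from the mailing-list thread. Sample traffic is
constructed below with a minimal BER encoder so the script runs offline.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}


def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def encode_oid(oid):
    """Dotted OID string -> BER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def build_get_request(community, oid, version=0, request_id=1):
    """Constructed sample: SNMPv1 (version=0) or v2c (version=1) GetRequest for one OID."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))      # OID + NULL value
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")   # request-id, error-status
                    + tlv(0x02, b"\x00") + tlv(0x30, varbind))              # error-index, varbind list
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode the BER element at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return version, community and PDU type of an SNMP datagram (v3 has no community)."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return {"version": "v3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


def audit_datagrams(datagrams):
    """(source, payload) pairs -> findings for default communities and malformed packets."""
    findings = []
    for src, payload in datagrams:
        try:
            hdr = parse_snmp_header(payload)
        except ValueError as exc:
            findings.append((src, "malformed", str(exc)))
            continue
        if hdr["community"] in DEFAULT_COMMUNITIES:
            findings.append((src, "default-community",
                             f'{hdr["version"]} {hdr["pdu"]} community={hdr["community"]!r}'))
    return findings


# Constructed sample capture: addresses and the custom community are made up.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", build_get_request("public", "1.3.6.1.2.1.1.1.0")),                 # sysDescr.0, v1
    ("192.0.2.11", build_get_request("private", "1.3.6.1.2.1.25.3.5.1.1.1", version=1)),  # hrPrinterStatus.1, v2c
    ("192.0.2.12", build_get_request("Pr1nt3r-Mon", "1.3.6.1.2.1.25.3.5.1.1.1", version=1)),
    ("192.0.2.13", b"\x30\x03\x02\x01"),                                                  # truncated datagram
]

if __name__ == "__main__":
    for src, kind, detail in audit_datagrams(SAMPLE_DATAGRAMS):
        print(f"{src:12} {kind:18} {detail}")
```

Feeding real traffic in means handing `audit_datagrams` the UDP payloads of port 161 packets from a capture; the decoder deliberately stops at the PDU tag, so it never has to trust the varbind contents of a hostile packet, and every length check raises instead of indexing past the buffer.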
