HP Jetdirect security - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: HP Jetdirect security

  1. #11
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    How can a file server execute a ddos program???
    That which does not kill me makes me stronger -- Friedrich Nietzche

  2. #12
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    i guess the printer could ping a server to death? i dunno...its just an article i read. Only one way to find out...someone try it.

  3. #13
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I mean unless your able to upload out of the bound (ie ../../) and put the file in a location where it get executed or you can overwirte a certain program.

    But in the case of simple file sharing configured correctly theres no way an uploaded file could execute a dos is there?
    That which does not kill me makes me stronger -- Friedrich Nietzche

  4. #14
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    there is though a vulnerabilty that can kill the printer to where u have to restart it.
    I'm havin no luck finding the article of where the guy had that DDoS problem with the FTP Service on his printer. Heres the link to the vulnerability though.
    http://www.securiteam.com/securitynews/5DP0C2K20O.html

  5. #15
    Well blow me down...

    I didn't know my JetDirect printers had an FTP service running... Nor does that article on securing them mention one

    I had implemented the Admin password for the HTTP interface and Telnet interfaces but had no idea it also had a FTP interface... Thanks deftones12 for the telnet disable command, before running this it was allowing anyone to ftp into my printer (internal to Lan only). Now its nice and secure.

    Glad this was brought up...

    RRP

  6. #16
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    bpiedlow: It was in the article that Agent_Steal posted.
    http://www.hp.com/cposupport/network...99.html#N1016A

    Use any of the following commands in Telnet to disable protocols or services:

    To disable the Internet Printing Protocol, type ipp-config: 0

    To disable the File Transfer Protocol, type ftp-config: 0

    To disable HP Jetdirect?s Embedded Web server, type ews-config: 0

    To disable the Service Location Protocol, type tl-slp: -1

    To disable SNMP, type snmp-config: 0

    When finished, type quit and press Enter to exit and save the configuration.
    I read right over it the first time, but then caught it went to disable everything.

    deftones: thanks for the advise and for posting the vulnerability.
    Somehow I do remember reading about that ddos or something funky with the printer... I don't quite remember where though... the hacker challenges maybe?
    Maybe thats what made me thought of posting this thread? dunno... the subconcience does weird things. I'm looking back over that hacker's challenge book and I don't see it in there... but I DO remember it... this is gonna bug me.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #17
    D'oh - didn't even notice it there, even when going through and securing it...

    I guess I own agent_steel a thanks also - - thanks

    In either case - glad to find out about this and to lock it down...

    Now I just have one question, if I were going to enable FTP - say to allow my UNIX system to directly put files to it for printing, how does one go about adding username/password security to its FTP interface, or can you???

    RRP

  8. #18
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    bpiedlow: my understanding is the password you set to protect itelnet t is the password you use for ftp too. At least with my 300x. It didn't require a username though. just leave that blank and then enter the password.

    I'm looking over and it doesn't look like you can setup separate usernames and passwords...

    In fact:

    HP Jetdirect Printer FTP Service Lets Any Remote User Print

    Description: A security issue was reported in HP Jetdirect printers. Any remote user can print by sending files to the printer's FTP server.

    HP reports that a remote user can send files to the printer via FTP. Any file sent to the Jetdirect FTP service will be printed.

    HP also notes that because the FTP service provides writable directories to allow this function, some security vulnerability scanners will identify the Jetdirect printers as containing a vulnerable FTP server configuration.

    Impact: Any remote user can print on the printer.

    Solution: The vendor reports that users that want to restrict printing can disable the FTP service by telnetting to the Jetdirect device and typing the following:

    ftp-config: 0

    This change will not permit you to upgrade firmware via FTP, according to HP. You can update firmware using the HP Download Manager or Web Jetadmin applications.
    Source
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #19
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    agent_steal....thats a very good link. At least HP has some official info on securing their devices. Although most of the info most network admins should know. its better when you have something from the vendor of the product.

  10. #20
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    i'll be lookin tonight for the article where i read about the DDoS and about loading malicious stuff onto printer FTP services. I'll post a page or link if i find any info. Are u gonna play with the FTP at all and see if its possible? that'd be a cool deal to do and have fun with...lil testing. Keep me updated.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •