Difference between revisions of "Credential disclosure"
From Hacking Printers
(Created page with "<!-- == Password Disclosure == % \textbf{SNMP} % \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}] % # snmpget -v 1...") |
Line 2: | Line 2: | ||
== Password Disclosure == | == Password Disclosure == | ||
+ | |||
+ | |||
+ | Ancient (before 2003) HP printers | ||
+ | |||
+ | ards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A), | ||
+ | JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A) | ||
+ | and older. | ||
+ | |||
+ | -The Jetdirect card is being managed from HP Web Jetadmin. | ||
+ | |||
+ | -A Web Jetadmin "device password" had been set on the JetDirect card. | ||
+ | (This password must be set from Web Jetadmin and has nothing to do with | ||
+ | the Telnet password or the SNMP Set community name) | ||
+ | |||
+ | In the above situation the Web Jetadmin device password is readable as | ||
+ | plain ASCII tekst from the JetDirect card using SNMP. | ||
+ | |||
+ | How to check your printers for this vulnerability: | ||
+ | |||
+ | Use an SNMP toolkit to read the following OID from your printer: | ||
+ | .iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.ne | ||
+ | t- | ||
+ | printer.generalDeviceStatus.gdPasswords | ||
+ | (In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0) | ||
+ | |||
+ | An example on a Windows machine, using SNMPUTIL from the Windows Resource | ||
+ | kit: | ||
+ | C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0 | ||
+ | Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0 | ||
+ | Value = String | ||
+ | <0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0 | ||
+ | x3b><0x00><0x00><0x00><0x00> ..etc... | ||
+ | |||
+ | The resulting string reads in ASCII: ABCDEF=108; | ||
+ | The Web Jetadmin device password is the word before the '=' sign, in this | ||
+ | case: ABCDEF | ||
+ | |||
+ | How to protect your printer: | ||
+ | |||
+ | 1. Keep the Web Jetadmin device password EMPTY (don't do this on | ||
+ | newer cards than the ones mentioned above) | ||
+ | 2. Define a 'Set community name' instead | ||
+ | |||
+ | Additional means of protection (does not address t | ||
+ | |||
Line 17: | Line 62: | ||
% in the early days, saved password often within html source code | % in the early days, saved password often within html source code | ||
% also: GSOAP and other web services | % also: GSOAP and other web services | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
Lexmark SOAP | Lexmark SOAP | ||
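Review bot: the eleven blank lines inserted before "Lexmark SOAP" carry no content and should be dropped, or replaced by the Lexmark text they were evidently meant to hold. The two LaTeX comment lines kept as context above them ("% in the early days, saved password often within html source code", "% also: GSOAP and other web services") are already orphaned author notes on a wiki page that does not render LaTeX; if they are to stay they should become a sentence under the heading (for example that early devices embedded the saved password in the HTML source of the web interface, and that web services such as gSOAP are another place to look), otherwise they should be removed in the same edit rather than padded with empty lines.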
Line 93: | Line 149: | ||
− | Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless. | + | Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. |
+ | |||
+ | |||
+ | Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless. | ||
+ | |||
PostScript has similar protection mechanisms: The \textit{SystemParamsPassword} is used to change print job settings like paper size while the \textit{StartJobPassword} is required to exit the server loop and therefore permanently alter the PostScript environment. The \texttt{checkpassword} operator which takes either an integer or a string as input checks for both passwords at once \cite{adobe1995supplement}. The key size is very large: PostScript strings can contain arbitrary \acs{ASCII} characters and have a maximal length of 65565 \cite{postscript1999language} which theoretically allows 524,280 bit passwords. On the positive side, \mbox{brute-force} attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: | PostScript has similar protection mechanisms: The \textit{SystemParamsPassword} is used to change print job settings like paper size while the \textit{StartJobPassword} is required to exit the server loop and therefore permanently alter the PostScript environment. The \texttt{checkpassword} operator which takes either an integer or a string as input checks for both passwords at once \cite{adobe1995supplement}. The key size is very large: PostScript strings can contain arbitrary \acs{ASCII} characters and have a maximal length of 65565 \cite{postscript1999language} which theoretically allows 524,280 bit passwords. On the positive side, \mbox{brute-force} attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: |
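Review bot: the paragraph split leaves two empty lines between "dummy variable." and "Non-compliant with the PJL standard", where one blank line would match the rest of the page. The newly standalone second paragraph also opens with a dangling modifier ("Non-compliant with the PJL standard, the Brother MFC-9120CN, the Brother DCP-9045CDN and the Konica bizhub 20p do not verify the password ..."), which is clearer as "The Brother MFC-9120CN, the Brother DCP-9045CDN and the Konica bizhub 20p do not verify the password when locking or unlocking the control panel, which is not compliant with the PJL standard and renders the lock practically useless." While here: the unchanged PostScript line below gives a maximal string length of 65565; the PostScript Language Reference's implementation limit for strings is 65535 bytes, and 65535 × 8 = 524,280 matches the "524,280 bit" figure the same sentence derives from it, so 65565 is a typo worth fixing in this edit. Note too that the 8-bits-per-character arithmetic assumes arbitrary byte values, not only ASCII as the sentence says, so "arbitrary 8-bit characters" would be the accurate wording.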