Difference between revisions of "Credential disclosure"

From Hacking Printers
(Created page with "<!-- == Password Disclosure == % \textbf{SNMP} % \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}] % # snmpget -v 1...")
 
Line 2: Line 2:
  
 
== Password Disclosure ==
 
== Password Disclosure ==
 +
 +
 +
Ancient (before 2003) HP printers
 +
 +
ards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
 +
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
 +
and older.
 +
 +
-The Jetdirect card is being managed from HP Web Jetadmin.
 +
 +
-A Web Jetadmin "device password" had been set on the JetDirect card.
 +
(This password must be set from Web Jetadmin and has nothing to do with
 +
the Telnet password or the SNMP Set community name)
 +
 +
In the above situation the Web Jetadmin device password is readable as
 +
plain ASCII tekst from the JetDirect card using SNMP.
 +
 +
How to check your printers for this vulnerability:
 +
 +
Use an SNMP toolkit to read the following OID from your printer:
 +
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.ne
 +
t-
 +
printer.generalDeviceStatus.gdPasswords
 +
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
 +
 +
An example on a Windows machine, using SNMPUTIL from the Windows Resource
 +
kit:
 +
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
 +
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
 +
Value = String
 +
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
 +
x3b><0x00><0x00><0x00><0x00> ..etc...
 +
 +
The resulting string reads in ASCII: ABCDEF=108;
 +
The Web Jetadmin device password is the word before the '=' sign, in this
 +
case: ABCDEF
 +
 +
How to protect your printer:
 +
 +
1. Keep the Web Jetadmin device password EMPTY (don't do this on
 +
newer cards than the ones mentioned above)
 +
2. Define a 'Set community name' instead
 +
 +
Additional means of protection (does not address t
 +
  
  
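Review bot: the hex dump in the SNMPUTIL example does not decode to the string the text claims. `<0x41><0x42><0x43><0x44><0x55><0x56>` is "ABCDUV", but the following lines say the string reads "ABCDEF=108;" and that the device password is "ABCDEF"; "EF" would require `<0x45><0x46>`. Fix either the dump or the decoded string so the walkthrough is internally consistent. Smaller points in the same hunk: the inserted text is cut off at both ends ("ards JetDirect 300X" starts mid-word and "Additional means of protection (does not address t" stops mid-sentence, so the remaining protection advice is missing); "tekst" should be "text"; the example uses what looks like a real address (131.155.120.118) where a placeholder would do; and protection step 1 ("Keep the Web Jetadmin device password EMPTY") should state why it is safe here, namely that on these cards the disclosed value is the Web Jetadmin device password and not the Telnet password or SNMP Set community name, as the text itself notes, so that readers do not generalise the advice beyond the listed cards.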
Line 17: Line 62:
 
% in the early days, saved password often within html source code
 
% in the early days, saved password often within html source code
 
% also: GSOAP and other web services
 
% also: GSOAP and other web services
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
  
 
Lexmark SOAP
 
Lexmark SOAP
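Review bot: this hunk adds only empty lines (the eleven "+" lines carry no text), while the surrounding context lines are LaTeX source comments ("% in the early days, saved password often within html source code", "% also: GSOAP and other web services") that MediaWiki will render as literal text rather than hide. Either expand these notes into wiki prose under the "Lexmark SOAP" section (what was stored in the HTML source, and which web services are meant) or drop them, and drop the empty-line padding.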
Line 93: Line 149:
  
  
Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless.
+
Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable.
 +
 
 +
 
 +
Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless.
 +
 
  
 
PostScript has similar protection mechanisms: The \textit{SystemParamsPassword} is used to change print job settings like paper size while the \textit{StartJobPassword} is required to exit the server loop and therefore permanently alter the PostScript environment. The \texttt{checkpassword} operator which takes either an integer or a string as input checks for both passwords at once \cite{adobe1995supplement}. The key size is very large: PostScript strings can contain arbitrary \acs{ASCII} characters and have a maximal length of 65565 \cite{postscript1999language} which theoretically allows 524,280 bit passwords. On the positive side, \mbox{brute-force} attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:
 
PostScript has similar protection mechanisms: The \textit{SystemParamsPassword} is used to change print job settings like paper size while the \textit{StartJobPassword} is required to exit the server loop and therefore permanently alter the PostScript environment. The \texttt{checkpassword} operator which takes either an integer or a string as input checks for both passwords at once \cite{adobe1995supplement}. The key size is very large: PostScript strings can contain arbitrary \acs{ASCII} characters and have a maximal length of 65565 \cite{postscript1999language} which theoretically allows 524,280 bit passwords. On the positive side, \mbox{brute-force} attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:
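Review bot: the string length and the bit count in the PostScript paragraph contradict each other. "a maximal length of 65565" with 8-bit ASCII characters would give 524,520 bits, but the sentence states 524,280 bits, which is 65,535 x 8; correct the length to 65,535 (the figure the bit count already assumes). The split into two paragraphs is fine, but the text still carries LaTeX markup (\textit, \texttt, \cite{...}, \acs{ASCII}, \mbox) that MediaWiki will not render; convert it to wiki markup and wiki references. Finally, the paragraph ends with "is given below:" but no listing follows within this hunk, so check that the referenced listing is actually present in the new revision.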

Revision as of 18:57, 18 January 2017