I don't know if this is a well known HP printer problem, but
I've found no references of it on the bugtraq archives.

It is possible to bypass lpd and page accounting on a HP
PostScript printer attached to an ethernet card sending PostScript
directly to tcp ports 9099 and 9100 from any machine over the network.

I've tested on a HP Laserjet 4M Plus DirectJet, connecting to
port 9099 or 9100 tcp and printing PostScript documents.

There is no way to tell the printer to accept connections only
from a range of valid IPs.  Also, it is possible to telnet to the
printer and change the printer IP or disable logging.  Protecting the
printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a good
port scanner.  It responds to ping and listens on tcp ports 23, 515,
9099 and 9100.

    # nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
    Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
    Hint: The -v option notifies you of open ports as they are found.
    Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
    Open ports on printer.foo.bar.org (xx.yy.ww.zz):
    Port Number  Protocol  Service
    23           tcp       telnet
    515          tcp       printer
    9099         tcp       unknown
    9100         tcp       unknown

To print a PostScript document just send it to port 9099 or 9100.
Netcat will do:

    $ nc printer.foo.bar.org 9099 < huge_document.ps

or

    $ nc printer.foo.bar.org 9100 < huge_document.ps

Anyone can confirm this with other printers?  I think HP 5M is
also vulnerable, but I've not tested.

Klaus.

----------------------------------------------------------------------------

In some mail from Klaus Steding-Jessen, sie said:
[...]
> Anyone can confirm this with other printers?  I think HP 5M is
> also vulnerable, but I've not tested.

They are.  All the HP printers which can be configured for TCP/IP have
this `feature', I think.

Actually, if you look at the print filters installed by the JetDirect
software, you'll see that they actually use those ports to deliver
documents to.

Ports 9099 and 9100 would appear to fall into the "undocumented feature"
category, although they're very easily discovered.  However, the telnet
feature is a definite problem, as anyone can login to the printer and
(re)configure it.

Hmmm, if postscript allowed you to make arbitrary TCP/IP connections, you'd
even be able to run a portscan (and more!) from the printer :-)

Darren

----------------------------------------------------------------------------

Of all the gin joints in all the towns in all the world, Klaus
Steding-Jessen had to walk into mine and say:

> I don't know if this is a well known HP printer problem, but
> I've found no references of it on the bugtraq archives.
>
> It is possible to bypass lpd and page accounting on a HP
> PostScript printer attached to an ethernet card sending PostScript
> directly to tcp ports 9099 and 9100 from any machine over the network.

This information may not be documented in the owner's manual for the
printer itself, but it should be mentioned in the JetDirect card's manual
somewhere.  Or, at the very least, it should be mentioned in the
documentation for the JetAdmin for UNIX software, which is what generally
uses these ports.

> I've tested on a HP Laserjet 4M Plus DirectJet, connecting to
> port 9099 or 9100 tcp and printing PostScript documents.

This is a feature of the JetDirect card; it's not unique to any particular
printer.  All JetDirect cards with TCP/IP support behave this way (modulo
a few firmware tweaks).

> There is no way to tell the printer to accept connections only
> from a range of valid IPs.

This is not true.  It is possible to restrict the printer to accept
connections from either a short list of IP addresses or a subnet range.
However, you must boot the printer via BOOTP in order to do this: if you
configure the printer's IP address directly from the front panel, it won't
work.

You need to have a version of bootpd that supports vendor extensions
running on a machine to act as a boot server for the printer.  (The bootpd
that ships with SGI IRIX is an example of one which doesn't support vendor
extensions; you'll need to download and install a newer bootpd if you run
IRIX.)  In the bootptab file, you can configure the printer's IP address,
subnet mask, default gateway, _and_ you can supply a vendor-specific option
that specifies the name of a configuration file that the printer should
load.  Once the printer receives the bootp response and sets its IP
address, it will attempt to TFTP the configuration file from the bootp
server host.

The configuration file contains settings for things such as 'contact
information,' 'system location' and host access restrictions.  All of this
information can be viewed via SNMP using the 'hpnpadmin' program that comes
with the JetAdmin software for UNIX.  The config file can also be used to
set the printer's SNMP community name.  Hpnpadmin can also show you the
printer's model number and capabilities, its current status, connection
and printing statistics, and what message is currently showing on the
printer's front panel display.

In any case: once you set the host access list, only machines with those
IP addresses specified in the list will be able to send data to the
printer.  All others will get a 'connection refused' error.

All of the information concerning how to set up bootpd and the config
files (including examples) should be available with the documentation for
the UNIX JetAdmin software.  (Curiously, I think the PC/Lose95/LoseNT
version of JetAdmin is only designed to work with Netware.)  You can get
the JetAdmin software off of one of HP's FTP servers.

> Anyone can confirm this with other printers?  I think HP 5M is
> also vulnerable, but I've not tested.

It's not a bug, it's a feature. :)  All HP printers with JetDirect cards
configured for TCP/IP will behave like this.  People who aren't aware of
this are guilty of not RTFM'ing.

-Bill
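
----------------------------------------------------------------------------

Added example, not part of the thread and not HP's code: a small audit of the host access list in the TFTP configuration file described in the last reply, checking that the real print servers are listed and that no entry is wider than intended. The `allow: <address> [<mask>]` line syntax, `#` comments, the file contents and the `max_hosts` threshold are assumptions; the thread does not show the file format.

```python
import ipaddress

# Constructed sample of a JetDirect TFTP configuration file (assumed syntax:
# "allow: <address> [<mask>]", a missing mask meaning a single host).
SAMPLE_CONFIG = """\
# printer.cfg (constructed example)
location: room 101
contact: print-admin
allow: 192.0.2.10
allow: 192.0.2.11
allow: 198.51.100.0 255.255.255.0
"""

def parse_allow_list(text):
    """Return the ip_network objects named by the 'allow:' lines."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumed '#')
        if not line.lower().startswith("allow:"):
            continue
        fields = line.split(":", 1)[1].split()
        if not fields:
            continue
        address = fields[0]
        mask = fields[1] if len(fields) > 1 else "255.255.255.255"
        # strict=False tolerates host bits set in a subnet entry
        networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))
    return networks

def is_allowed(client, networks):
    """Assumption: with no allow entries the printer accepts any host."""
    if not networks:
        return True
    return any(ipaddress.ip_address(client) in net for net in networks)

def audit(text, print_servers, max_hosts=256):
    """Report print servers left out and entries wider than max_hosts addresses."""
    networks = parse_allow_list(text)
    missing = [h for h in print_servers if not is_allowed(h, networks)]
    too_wide = [str(n) for n in networks if n.num_addresses > max_hosts]
    return {"restricted": bool(networks), "missing": missing, "too_wide": too_wide}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, ["192.0.2.10", "192.0.2.12"]))
```

A result with `restricted` false means the file sets no access list at all, which is the situation the first message describes.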