COMMAND
printing problems
SYSTEMS AFFECTED
Systems running HP printers with a JetDirect card
PROBLEM
Klaus Steding-Jessen posted about the following problem. It is
possible to bypass lpd and page accounting on an HP PostScript
printer attached to an ethernet card by sending PostScript directly
to tcp ports 9099 and 9100 from any machine on the network.
This was tested on an HP LaserJet 4M and 5M Plus with JetDirect,
connecting to port 9099 or 9100 tcp and printing PostScript
documents. All HP printers which can be configured for TCP/IP
have this `feature'. In fact, if you look at the print filters
installed by the JetDirect software, you'll see that they
themselves use those ports to deliver documents. So this is a
feature of the JetDirect card; it is not unique to any particular
printer. All JetDirect cards with TCP/IP support behave this way.
It is also possible to telnet to the printer and change the
printer's IP address or disable logging. Protecting the printer
behind a firewall appears to be the only safe way.
Finding this kind of printer on a network is quite easy with a
good port scanner. It responds to ping and listens on tcp ports
23, 515, 9099 and 9100.
# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.
Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number Protocol Service
23 tcp telnet
515 tcp printer
9099 tcp unknown
9100 tcp unknown
To print a PostScript document just send it to port 9099 or 9100.
Netcat will do:
$ nc printer.foo.bar.org 9099 < huge_document.ps
or
$ nc printer.foo.bar.org 9100 < huge_document.ps
SOLUTION
It is possible to restrict the printer to accept connections from
either a short list of IP addresses or a subnet range. However,
you must boot the printer via BOOTP in order to do this: if you
configure the printer's IP address directly from the front panel,
it won't work.
You need to have a version of bootpd that supports vendor
extensions running on a machine to act as a boot server for the
printer. (The bootpd that ships with SGI IRIX is an example of
one which doesn't support vendor extensions; you'll need to
download and install a newer bootpd if you run IRIX.) In the
bootptab file, you can configure the printer's IP address, subnet
mask, default gateway, _and_ you can supply a vendor-specific
option that specifies the name of a configuration file that the
printer should load. Once the printer receives the bootp response
and sets its IP address, it will attempt to TFTP the
configuration file from the bootp server host. The configuration
file contains settings for things such as 'contact information,'
'system location' and host access restrictions. All of this
information can be viewed via SNMP using the 'hpnpadmin' program
that comes with the JetAdmin software for UNIX. The config file
can also be used to set the printer's SNMP community name.
Hpnpadmin can also show you the printer's model number and
capabilities, its current status, connection and printing
statistics, and what message is currently showing on the
printer's front panel display.
In any case: once you set the host access list, only machines with
those IP addresses specified in the list will be able to send data
to the printer. All others will get a 'connection refused' error.
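To verify that the host access list is actually in effect, connect to
the raw ports from a machine that is NOT on the list and confirm that
you get 'connection refused' rather than an open connection. The
following script is an added example written for this advisory, not
part of the original post or of HP's JetAdmin software; the printer
hostname, ports and the local loopback listener used in selftest() are
assumptions and constructed test data.

```python
import socket
from contextlib import closing

# Raw PostScript ports named in the advisory (JetDirect cards listen here).
RAW_PORTS = (9099, 9100)

def probe_port(host, port, timeout=3.0):
    """Plain TCP connect, classified the way the advisory describes:
    'open'     - raw printing is reachable from this host (bypass still live)
    'refused'  - the printer's access list (or a firewall) rejects us
    'filtered' - no answer at all: dropped by a firewall, or host down"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:      # must precede OSError (subclass)
            return "refused"
        except OSError:                     # includes socket.timeout
            return "filtered"
        return "open"

def audit_printer(host, ports=RAW_PORTS, timeout=3.0):
    """Probe every raw port of one printer; returns {port: classification}."""
    return {port: probe_port(host, port, timeout) for port in ports}

def bypass_reachable(results):
    """True if any raw port accepted our connection, i.e. the lpd and
    page-accounting bypass is still usable from the probing machine."""
    return any(state == "open" for state in results.values())

def selftest():
    """Offline demonstration: a constructed loopback listener stands in for
    a printer that still accepts us, and the same port once closed stands
    in for a printer whose access list refuses us."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port, assumption
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_port("127.0.0.1", port, 1.0)
    after_close = probe_port("127.0.0.1", port, 1.0)
    return while_listening, after_close     # ("open", "refused")

if __name__ == "__main__":
    print(selftest())
    # Real use, from a host that is not on the allow list (hostname assumed):
    # r = audit_printer("printer.foo.bar.org"); print(r, bypass_reachable(r))
```

Run it from several network segments: every result should be 'refused'
or 'filtered' except from the hosts you deliberately listed.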
All of the information concerning how to set up bootpd and the
config files (including examples) should be available with the
documentation for the UNIX JetAdmin software.