COMMAND
OCE' 9400 plotters
SYSTEMS AFFECTED
Those having OCE' 9400 plotters
PROBLEM
Larry W. Cashdollar found the following. He has a few plotters /
printers under his audit umbrella and noticed something
interesting on an Oce' 9400 plotter. The printer can act as a
telnet proxy: a user can hop via telnet to other hosts. If the
printer is not set up properly, the connections will go unlogged.
bunyip% telnet JPP1
Trying 192.168.38.244...
Connected to JPP1.
Escape character is '^]'.
Network Printer Server Version 5.6.3 (192.168.38.244)
login: root
Password:[Just enter here]
Welcome root user
WARNING: current and stored values differ.
Use 'list diff' command to find the differences.
Current values will be lost if unit is reset.
192.168.38.244:root> telnet 192.168.38.110
trying 192.168.38.110 ...
Connected to 192.168.38.110
Escape character is '0x18'
Red Hat Linux release 5.9 (Starbuck)
Kernel 2.2.3-5 on an i586
login:
192.168.38.244:root> list sysinfo
name:
contact:
location:
version: 5.6.3
serial number: 13029
compiled: Mar 25 1998 loginfo: sys
logport:
syslog: 255.255.255.255
email: NetPrint@<unconfigured>
dns server: 192.168.38.110
module: novell, appletalk, netbios
checksum: 1E54
All that is needed is a valid DNS server set up in the plotter
configuration.
192.168.38.244:root> set sysinfo dns 192.168.38.100
And anyone can use the plotter as an anonymous telnet proxy.
The above looks to be the same firmware as certain
intelligent hubs with integrated Terminal/Printer server
capabilities... The model in question is made by a company called
Microplex, and it's a discontinued model called the M208.
(Mon 6:17am) seamus@rtfm ttya7:~> telnet XXXXXXX
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
Network Printer Server Version 5.6.3 (XXX.XXX.XXX.XXX)
login: root
Password: <root pw here>
Welcome root user
XXX.XXX.XXX.XXX:root> list sysinfo
name: XXXXXXXXXXXXXXX
contact: XXXXXXXXXXXXXXX
location: Insomnia Communications NOC
version: 5.6.3
serial number: 572
compiled: Jul 16 1998
checksum: 668E
loginfo: sys
logport: syslog
syslog: XXXXXXXXXXXXXXX
email: root@XXXXXXXXXX
dns server: XXXXXXXXXXXXXXX
module: novell, appletalk, netbios
XXX.XXX.XXX.XXX:root>
There is, however, quite a bit of documentation in the hub's
manual about setting a root password, and the importance of doing
so. I don't know who decided to use this same firmware in
plotters/printers or what their documentation is like; however, it
seems to come down to the general rule of never leaving a peripheral
unpassworded on your network if you want to avoid these sorts of
problems (telnet proxy, etc.).
SOLUTION
Enable passwords for the accounts on the plotter:
syntax: set user add <NAME>
        set user del <NAME>
        set user passwd <NAME> [<PASSWORD>]
        set user type <NAME> root|guest
        set user from default|stored
Enable logging:
syntax: set logpath <LOGPATH> name <NEW_NAME>
        set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum]
                                   [[-]printer] [[-]ioport]
        set logpath <LOGPATH> port <TCP-PORT>|email|syslog
        set logpath from default|stored
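
An audit check for the settings above, added here as an example and not part of the original advisory or any vendor tooling: it parses captured `list sysinfo` output and flags the unlogged configuration shown in the first listing. Treating 255.255.255.255 as an unset syslog host is an assumption, and the second sample's addresses are constructed.

```python
import re

# Field names exactly as shown in the advisory's `list sysinfo` output.
FIELDS = ["serial number", "dns server", "name", "contact", "location", "version",
          "compiled", "loginfo", "logport", "syslog", "email", "module", "checksum"]
# A field may start a line or follow whitespace, so a capture that carries two
# fields on one line ("compiled: ... loginfo: sys") is still split correctly.
FIELD_RE = re.compile(r"(?:^|(?<=\s))(%s):" % "|".join(map(re.escape, FIELDS)), re.M)

def parse_sysinfo(text):
    hits = list(FIELD_RE.finditer(text))
    info = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        # Keep only the rest of the field's own line (drops a trailing prompt).
        info[m.group(1)] = text[m.end():end].split("\n", 1)[0].strip()
    return info

def audit(info):
    findings = []
    if not info.get("logport"):
        findings.append("logport is empty: no log destination selected")
    # Assumption: 255.255.255.255 is the unset value, not a real collector.
    if info.get("syslog", "") in ("", "255.255.255.255"):
        findings.append("syslog host is not set to a collector")
    if "<unconfigured>" in info.get("email", ""):
        findings.append("email log target is unconfigured")
    if info.get("dns server"):
        findings.append("dns server is set: confirm every account has a password")
    return findings

# Sample 1: excerpt of the first listing quoted in the advisory.
UNLOGGED = """version: 5.6.3
serial number: 13029
compiled: Mar 25 1998 loginfo: sys
logport:
syslog: 255.255.255.255
email: NetPrint@<unconfigured>
dns server: 192.168.38.110"""
# Sample 2: constructed for this example (documentation addresses).
LOGGED = """logport: syslog
syslog: 192.0.2.10
email: root@example.net
dns server: 192.0.2.53"""

if __name__ == "__main__":
    for label, capture in (("UNLOGGED", UNLOGGED), ("LOGGED", LOGGED)):
        for finding in audit(parse_sysinfo(capture)) or ["no findings"]:
            print(f"{label}: {finding}")
```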