Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: oce9400.htm

OCE' 9400 plotter can be a telnet proxy!



Vulnerability

    OCE' 9400 plotters

Affected

    Those having OCE' 9400 plotters

Description

    Larry W.  Cashdollar found  following.   He has  a few  plotters /
    printers  under   his  audit   umbrella  and   noticed   something
    interesting on an Oce' 9400 plotter.  The printer has the  ability
    to be  a telnet  proxy.   Where as  a user  can hop  via telnet to
    other hosts.  If the printer is not setup properly the connections
    will go unlogged.

        bunyip% telnet JPP1
        Trying 192.168.38.244...
        Connected to JPP1.
        Escape character is '^]'.

        Network Printer Server Version 5.6.3 (192.168.38.244)

        login: root
        Password:[Just enter here]

        Welcome root user


        WARNING: current and stored values differ.
        Use 'list diff' command to find the differences.
        Current values will be lost if unit is reset.

        192.168.38.244:root> telnet 192.168.38.110
        trying 192.168.38.110 ...
        Connected to 192.168.38.110
        Escape character is '0x18'

        Red Hat Linux release 5.9 (Starbuck)
        Kernel 2.2.3-5 on an i586
        login:

        192.168.38.244:root> list sysinfo
                     name:
                  contact:
                 location:
                  version: 5.6.3
            serial number: 13029
                 compiled: Mar 25 1998    loginfo: sys
                  logport:
                   syslog: 255.255.255.255
                    email: NetPrint@<unconfigured>
               dns server: 192.168.38.110
                   module: novell, appletalk, netbios
                 checksum: 1E54

    All that  is needed  is a  valid DNS  server setup  in the plotter
    configuration.

        192.168.38.244:root> set sysinfo dns 192.168.38.100

    And anyone can use the plotter as an anonymous telnet proxy.

    That  above  looks  to  be  like  the  same  firmware  as  certain
    intelligent   hubs   with   integrated   Terminal/Printer   server
    capabilities...  The model in question is made my a company called
    Microplex, and it's a discontinued model called the M208.

        (Mon 6:17am) seamus@rtfm ttya7:~> telnet XXXXXXX
        Trying XXX.XXX.XXX.XXX...
        Connected to XXX.XXX.XXX.XXX.
        Escape character is '^]'.

        Network Printer Server Version 5.6.3 (XXX.XXX.XXX.XXX)

        login: root
        Password: <root pw here>

        Welcome root user

        XXX.XXX.XXX.XXX:root> list sysinfo
                     name: XXXXXXXXXXXXXXX
                  contact: XXXXXXXXXXXXXXX
                 location: Insomnia Communications NOC
                  version: 5.6.3
            serial number: 572
                 compiled: Jul 16 1998
                 checksum: 668E
                  loginfo: sys
                  logport: syslog
                   syslog: XXXXXXXXXXXXXXX
                    email: root@XXXXXXXXXX
               dns server: XXXXXXXXXXXXXXX
                   module: novell, appletalk, netbios
        XXX.XXX.XXX.XXX:root>

    There  is,  however,  quite  a  bit  of documentation in the hub's
    manual about setting a root password, and the importance of  doing
    so..  don't  know  who  decided  to  use  this  same  firmware  in
    plotters/printers or what their documentation is like, however  it
    seems to come down to the general rule of never leave a peripheral
    unpassworded on your network if  you want to avoid these  sorts of
    problems (telnet proxy, etc..)

Solution

    Enable passwords for the accounts on the plotter:

        syntax: set user add <NAME>
                 set user del <NAME>
                 set user passwd <NAME> [<PASSWORD>]
                 set user type <NAME> root|guest
                 set user from default|stored

    Enable logging:

        syntax: set logpath <LOGPATH> name <NEW_NAME>
                 set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum]
                             [[-]printer] [[-]ioport]
                 set logpath <LOGPATH> port <TCP-PORT>|email|syslog
                 set logpath from default|stored


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH