Advisory #: 78
Title: OCE plotter anonymous proxy
Author: Larry W. Cashdollar, @_larry0
Date: 1999-08-01
Download Site:
Vendor: OCE
Vendor Notified: 1999-08-01
Vendor Contact:
Description: OCE 9600 plotter is a printing hardware device
I apologize if this has be brought up before, but with the recent post concerning the QMS 2060 printers and the length of time I have sat on this (4 months) I figured it should be released. I sent this information to OCE long ago with no response. I am aware of the Intelligent Peripherals bulletin by CIAC. I have a few plotters / printers under my audit umbrella and noticed something interesting on an Oce' 9400 plotter. The printer has the ability to be a telnet proxy. Where as a user can hop via telnet to other hosts. If the printer is not setup properly the connections will go unlogged. bunyip% telnet JPP1 Trying Connected to JPP1. Escape character is '^]'. Network Printer Server Version 5.6.3 ( login: root Password:[Just enter here] Welcome root user WARNING: current and stored values differ. Use 'list diff' command to find the differences. Current values will be lost if unit is reset.> telnet trying ... Connected to Escape character is '0x18' Red Hat Linux release 5.9 (Starbuck) Kernel 2.2.3-5 on an i586 login:> list sysinfo name: contact: location: version: 5.6.3 serial number: 13029 compiled: Mar 25 1998 loginfo: sys logport: syslog: email: NetPrint@<unconfigured> dns server: module: novell, appletalk, netbios checksum: 1E54 All that is needed is a valid DNS server setup in the plotter configuration.> set sysinfo dns And anyone can use the plotter as an anonymous telnet proxy. Fix Enable passwords for the accounts on the plotter: syntax: set user add <NAME> set user del <NAME> set user passwd <NAME> [<PASSWORD>] set user type <NAME> root|guest set user from default|stored Enable logging: syntax: set logpath <LOGPATH> name <NEW_NAME> set logpath <LOGPATH> type [[-]job] [[-]user] [[-]pgcnt] [[-]cksum] [[-]printer] [[-]ioport] set logpath <LOGPATH> port <TCP-PORT>|email|syslog set logpath from default|stored P.S. This plotter has ping functionality also. No, I have not tried DoS attacks =) syntax: ping [-s] <IPNAME> [<DATASZ> [<NUMPKTS>]]
Exploit Code:
Screen Shots: