Bugtraq mailing list archives
Re: [Fwd: Printer Vulnerability: Tektronix PhaserLink Webservergives Administrator Password]
From: dwmatt () NOSC MIL (Dennis W. Mattison)
Date: Thu, 18 Nov 1999 09:28:03 -0800
Apparently the 740, 780, and 840 printers are vulnerable. According to Bernhard Schneck and Gerhard den Hollander, the 350 and 560 printers are not (confirmed on one of our printers here) vulnerable to this attack. However, this leaves me to wonder of there isn't some other undocumented feature in these printers which is exploitable. For those who asked, I actually didn't come up with this alone, I just put all the pieces together to figure out how it could be exploited. Like the 3Com backdoor, and Microsoft's various remote administration tools, this bug is something that Tektronix probably threw into their printers to help customer support personnel working on printer problems remotely configure their client's printers. The bug is not the undocumented URLs themselves, but the fact that these URLs allow a remote and unauthorized user to change printer configurations without any sort of authentication or control. Tektronix requires a password be provided on their configuration pages in order to make any changes, however, using these URLs the changes can be made without needing a password. The hint on the URL to recover a lost administrator password was first given to one of our customers by the Tektronix folks, he forwarded it to us and from there, we ran with it, discovering all the hidden treasures. It is probably safe to assume that the other printers have a similar hidden URL, maybe a social engineering call to one of the Tektronix support personnel could get it (they might be a little less sympathetic now that this is out though.) Ronan Waide wrote:
On November 16, dwmatt () NOSC MIL said:Tektronix has a particularly nasty bug which is quite amusing. On their Phaser 740 color printers (they may be on other printers, but I haven't hadConfirmed for phaser 780. -- waider () scope ie / Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax) "Multithreadedness, like object-orientedness, is a matter of perception. If it seems multithreaded, it is. All else is an implementation detail." - Jamie Zawinski
-- Dennis W. Mattison SPAWAR Network Security Team SAIC - Center for Information Security Technology (CIST) Ph: (619) 553-2343 Email: dwmatt () nosc mil, mattisond () saic com <!-- attachment="smime.p7s" --> <HR> <UL> <LI>application/x-pkcs7-signature attachment: smime.p7s </UL>
Current thread:
- Windows NT update carries bug Williams, Ken (Nov 15)
- Re: Windows NT update carries bug Alan J. Wylie (Nov 16)
- Re: Windows NT update carries bug Fabian Kroenner (Nov 16)
- [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password] Dennis W. Mattison (Nov 16)
- Jet Vulnerability affect Office 95 users (fwd) ah1 () SECURITYFOCUS COM (Nov 17)
- Re: [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password] Ronan Waide (Nov 17)
- Re: Tektronix PhaserLink Webserver Reveals Admin Password Blake Frantz (Nov 17)
- Remote DoS attack against Microsoft SQL Server 7.0 Kevork Belian (Nov 17)
- Re: Tektronix PhaserLink Webserver Reveals Admin Password elfchief () LUPINE ORG (Nov 18)
- Potential vulnerability in Oracle Mary Ann Davidson (Nov 18)
- Re: [Fwd: Printer Vulnerability: Tektronix PhaserLink Webservergives Administrator Password] Dennis W. Mattison (Nov 18)
- buffer overflow in HP JetDirect module (probably affects all HP printers with network support) Tobias Haustein (Nov 19)
- Re: buffer overflow in HP JetDirect module (probably affects all HP printers with network support) Brian (Nov 19)
- Re: buffer overflow in HP JetDirect module (probably affects all HP printers with network support) Pat Hayden (Nov 20)
- Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability Ussr Labs (Nov 22)
- Re: Windows NT update carries bug Alan J. Wylie (Nov 16)
- <Possible follow-ups>
- Re: Windows NT update carries bug Peter Kane (Nov 16)
- Re: Windows NT update carries bug Tony Plastino (Nov 16)