Security Incidents mailing list archives
Re: RES: SNMP vulnerability test?
From: "Kurt Seifried" <bt () seifried org>
Date: Mon, 14 Oct 2002 22:56:19 -0700
Everything I have read concerning SNMP vulnerabilities and printers refer to the Community Name and the fact that most vendors have no method for allowing Administrators to change those strings. Is it possible for an attacker to use default community names of printers to gain access to other parts of the enterprise? Some of the data I have read state that
Sure. SOme printers like the newer HP ones are essentially an X86 box with lots of memory/hd running linux/apache/samba/LPD/etc/etc. If an attacker gets in their they can install tools and launch pretty much any attack they want, or tunnel network traffic, or whatever. Or simply make a copy of all print jobs and send them "home" for bedtime reading (thus bypassing all your fancy security).
attacking the printer mib using the community string for the printer will only allow attackers to joy ride around the print server and printers.
That would be great if all the printers did was print. Alas they also do networking, SNMP, LPD, see above for the full blown OS comments.
Then other data state that the printers community string will allow attackers to obtain the http passwords and other network access password. 99% of those devices listed were just HP printers and did not state that these printers had the ability to network scan, scan to email, or scan to desktop. This bring another caviot into the mix in that these systems use http, smtp and other ports. Has anyone seen, heard or have any data on vulnerabilities with these systems?
Some of them run a pretty complete linux system. When's the last time you install an Apache/Samba/LPD update on your spiffy HP printer? I'm going to bet on "never".
John Beuke
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: RES: SNMP vulnerability test? John Beuke (Oct 14)
- Re: RES: SNMP vulnerability test? Mark Tinberg (Oct 15)
- Re: RES: SNMP vulnerability test? Kurt Seifried (Oct 15)