It is possible to bypass lpd and page accounting on a HP
PostScript printer attached to an ethernet card sending PostScript
directly to tcp ports 9099 and 9100 from any machine over the network.
I've tested on a HP Laserjet 4M Plus DirectJet, connecting to
port 9099 or 9100 tcp and printing PostScript documents.
There is no way to tell the printer to accept connections only
from a range of valid IPs. Also, it is possible to telnet to the
printer and change the printer IP or disable logging. Protect the
printer inside a firewall appears to be the only safe way.
Find this kind of printer on a network is quite easy with a
good port scanner. It responds to ping and listens on tcp ports 23,
515, 9099 and 9100.
# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100
Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.
Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number Protocol Service
23 tcp telnet
515 tcp printer
9099 tcp unknown
9100 tcp unknown
To print a PostScript document just send it to port 9099 or
9100. Netcat will do:
$ nc printer.foo.bar.org 9099 < huge_document.ps
or
$ nc printer.foo.bar.org 9100 < huge_document.ps
Anyone can confirm this with other printers? I think HP 5M is
also vulnerable, but I've not tested.
Klaus.