> I don't know if this is a well known HP printer problem, but
> I've found no references of it on the bugtraq archives.
>
> It is possible to bypass lpd and page accounting on a HP
> PostScript printer attached to an ethernet card sending PostScript
> directly to tcp ports 9099 and 9100 from any machine over the network.
This information may not be documented in the owner's manual for
the printer itself, but it should be mentioned in the JetDirect card's
manual somewhere. Or, at the very least, it should be mentioned in
the documentation for the JetAdmin for UNIX software, which is what
generally uses these ports.
> I've tested on a HP Laserjet 4M Plus DirectJet, connecting to
> port 9099 or 9100 tcp and printing PostScript documents.
This is a feature of the JetDirect card; it's not unique to any
particular printer. All JetDirect cards with TCP/IP support behave
this way (modulo a few firmware tweaks).
> There is no way to tell the printer to accept connections only
> from a range of valid IPs.
This is not true. It is possible to restrict the printer to accept
connections from either a short list of IP addresses or a
subnet range. However, you must boot the printer via BOOTP in order
to do this: if you configure the printer's IP address directly from
the front panel, it won't work.
You need to have a version of bootpd that supports vendor extensions
running on a machine to act as a boot server for the printer. (The
bootpd that ships with SGI IRIX is an example of one which doesn't
support vendor extensions; you'll need to download and install a
newer bootpd if you run IRIX.) In the bootptab file, you can configure
the printer's IP address, subnet mask, default gateway, _and_ you
can supply a vendor-specific option that specifies the name of
a configuration file that the printer should load. Once the printer
receives the bootp response and sets its IP address, it will attempt
to TFTP the configuration file from the bootp server host. The
configuration file contains settings for things such as 'contact
information,' 'system location' and host access restrictions. All
of this information can be viewed via SNMP using the 'hpnpadmin'
program that comes with the JetAdmin software for UNIX. The config
file can also be used to set the printer's SNMP community name.
Hpnpadmin can also show you the printer's model number and capabilities,
its current status, connection and printing statistics, and what
message is currently showing on the printer's front panel display.
In any case: once you set the host access list, only machines with
those IP addresses specified in the list will be able to send data
to the printer. All others will get a 'connection refused' error.
All of the information concerning how to set up bootpd and the
config files (including examples) should be available with the
documentation for the UNIX JetAdmin software. (Curiously, I think
the PC/Lose95/LoseNT version of JetAdmin is only designed
to work with Netware.) You can get the JetAdmin software off of
one of HP's FTP servers.
> Anyone can confirm this with other printers? I think HP 5M is
> also vulnerable, but I've not tested.
It's not a bug, it's a feature. :) All HP printers with JetDirect
cards configured for TCP/IP will behave like this. People who aren't
aware of this are guilty of not RTFM'ing.
-Bill
--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"Now, that's "Open" as used in the sentence "Open your wallet", right?"
=============================================================================
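The reply above describes the mitigation (a host access list in the TFTP config file the JetDirect card loads after BOOTP) and the symptom of it working (non-listed hosts get 'connection refused' on the raw print port). The following is an added example, not code from the original post or from HP, that helps an administrator audit such an access list before deploying it. It assumes a config-file syntax of `allow: address [netmask]` lines (one per entry), which is how the JetDirect config file is assumed to express host access here; the sample config text, the addresses in it, and the function names (`parse_allow_list`, `is_allowed`, `audit`, `check_raw_port`) are all constructed for this example.

```python
import ipaddress
import socket

# Constructed sample of a JetDirect-style TFTP configuration file.
# The "allow:" syntax (address, optional netmask) is an assumption about
# the config-file format; verify it against the JetAdmin for UNIX docs.
SAMPLE_CONFIG = """\
# printer.cfg -- fetched by the JetDirect card over TFTP after BOOTP
location: Room 4 print area (constructed example)
contact: printer-admin (constructed example)
allow: 10.1.2.3
allow: 10.1.5.0 255.255.255.0
"""


def parse_allow_list(config_text):
    """Return ip_network objects for every 'allow:' line in the config text."""
    networks = []
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line.lower().startswith('allow:'):
            continue
        fields = line[len('allow:'):].split()
        if not fields:
            raise ValueError('allow: line without an address: %r' % raw)
        addr = fields[0]
        # A bare address is a single host; a second field is a dotted netmask.
        mask = fields[1] if len(fields) > 1 else '255.255.255.255'
        # strict=False tolerates host bits being set in a subnet entry.
        networks.append(ipaddress.ip_network('%s/%s' % (addr, mask), strict=False))
    return networks


def is_allowed(host, networks):
    """True if 'host' falls inside any entry of the parsed allow list."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in networks)


def audit(config_text, expected_hosts, unexpected_hosts):
    """Compare the allow list against intent.

    Returns (missing, leaked): print servers that the list fails to cover,
    and hosts that should be blocked but would still be accepted.
    """
    nets = parse_allow_list(config_text)
    missing = [h for h in expected_hosts if not is_allowed(h, nets)]
    leaked = [h for h in unexpected_hosts if is_allowed(h, nets)]
    return missing, leaked


def check_raw_port(host, port=9100, timeout=3.0):
    """Live check from the current machine: after loading the config, a host
    that is not on the allow list should see 'refused' on the raw print port.
    Returns one of 'open', 'refused', 'timeout'. (Not exercised offline.)"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return 'open'
    except ConnectionRefusedError:
        return 'refused'
    except socket.timeout:
        return 'timeout'
    finally:
        s.close()


if __name__ == '__main__':
    # Intended print servers vs. hosts that must not be able to bypass lpd.
    missing, leaked = audit(SAMPLE_CONFIG,
                            ['10.1.2.3', '10.1.5.10', '10.9.9.9'],
                            ['192.168.1.1', '10.1.5.200'])
    print('print servers not covered by allow list:', missing)
    print('hosts that would still be accepted:', leaked)
```

Run the audit against the config file before copying it to the TFTP server; the `leaked` list is the interesting one, since a subnet entry chosen for convenience may admit far more hosts than the handful of print servers you meant to allow. After the printer reboots and fetches the file, `check_raw_port` run from a non-listed workstation should return 'refused', matching the behaviour described in the reply.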