HP Laserjet 4M Plus DirectJet Problem

Klaus Steding-Jessen (jessen@AHAND.UNICAMP.BR)
Sat, 04 Oct 1997 18:02:01 -0300

I don't know if this is a well-known HP printer problem, but
I've found no references to it in the Bugtraq archives.

It is possible to bypass lpd and page accounting on an HP
PostScript printer attached to an Ethernet card by sending PostScript
directly to TCP ports 9099 and 9100 from any machine over the network.

I've tested this on an HP Laserjet 4M Plus DirectJet, connecting to
TCP port 9099 or 9100 and printing PostScript documents.

There is no way to tell the printer to accept connections only
from a range of valid IPs. Also, it is possible to telnet to the
printer and change the printer IP or disable logging. Protecting the
printer inside a firewall appears to be the only safe way.

Finding this kind of printer on a network is quite easy with a
good port scanner. It responds to ping and listens on TCP ports 23,
515, 9099 and 9100.

# nmap -P -s printer.foo.bar.org -p 23,515,9099,9100

Starting nmap V 1.25 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/
Hint: The -v option notifies you of open ports as they are found.

Host printer.foo.bar.org (xx.yy.ww.zz) appears to be up ... good.
Open ports on printer.foo.bar.org (xx.yy.ww.zz):
Port Number Protocol Service
23 tcp telnet
515 tcp printer
9099 tcp unknown
9100 tcp unknown

To print a PostScript document just send it to port 9099 or
9100. Netcat will do:

$ nc printer.foo.bar.org 9099 < huge_document.ps
or
$ nc printer.foo.bar.org 9100 < huge_document.ps

Can anyone confirm this with other printers? I think the HP 5M is
also vulnerable, but I've not tested it.

Klaus.
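
A defender's view of the bypass described in this post, as an added example that is not part of the original message: a Python sketch that scans connection records for traffic reaching a printer on the ports listed above by any path other than the lpd spooler connecting to port 515. The log format, the addresses and the host roles (PRINTERS, SPOOLERS) are assumptions constructed for illustration.

```python
import ipaddress

# Assumed site policy (hypothetical values): only the lpd spooler talks to the printer.
PRINTERS = {ipaddress.ip_address("192.0.2.50")}
SPOOLERS = {ipaddress.ip_address("192.0.2.10")}
# Ports the post reports open on the printer, and why each one matters.
PORT_RISK = {
    23: "telnet: printer IP or logging can be changed",
    515: "lpd reached from a host that is not the spooler",
    9099: "raw PostScript: bypasses lpd and page accounting",
    9100: "raw PostScript: bypasses lpd and page accounting",
}

# Constructed sample log, format: "<time> <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
1997-10-04T18:00:01 192.0.2.10 192.0.2.50 tcp 515
1997-10-04T18:00:07 192.0.2.77 192.0.2.50 tcp 9100
1997-10-04T18:01:12 192.0.2.77 192.0.2.50 tcp 23
1997-10-04T18:01:30 192.0.2.10 192.0.2.50 tcp 9099
1997-10-04T18:02:00 192.0.2.88 192.0.2.50 tcp 515
1997-10-04T18:02:05 192.0.2.77 192.0.2.99 tcp 9100
garbled line
"""

def find_bypasses(log_text):
    """Return (time, src, port, reason) for each connection outside the sanctioned path."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        when, src, dst, proto, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if proto != "tcp" or dst_ip not in PRINTERS or port not in PORT_RISK:
            continue
        # Spooler -> printer on 515 is the one sanctioned path; flag everything else,
        # including raw-port use from the spooler host itself.
        if src_ip in SPOOLERS and port == 515:
            continue
        findings.append((when, src, port, PORT_RISK[port]))
    return findings

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print(*finding, sep="  ")
```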