From owner-freebsd-security Fri Jan 28 14:16: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id 4441315AC3
	for ; Fri, 28 Jan 2000 14:16:06 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id PAA25052;
	Fri, 28 Jan 2000 15:15:57 -0700 (MST)
Message-Id: <4.2.2.20000128150919.046e33e0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Fri, 28 Jan 2000 15:15:54 -0700
To: James Wyatt
From: Brett Glass
Subject: Re: Riddle me this
Cc: Matthew Dillon , security@FreeBSD.ORG
In-Reply-To:
References: <4.2.2.20000127171529.00c56a00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:40 PM 1/27/2000, James Wyatt wrote:

> > And it gets worse. The default address of the print server hardware -- which
> > the client software tries to reach when it's setting up -- is (are you ready?)
> > 192.0.0.192.
>
>It can get even worse... My biggest employer thought the feature was quite
>cool given 12,000+ NT workstations and a *lot* of laser printers scattered
>over at least 28 states. This feature can be fantastic, but it also walked
>right out to The Internet and began discovering a *lot* of printers all
>over the planet! We got calls from some DOD sites, we found we could
>control printers in Southeast Asia, we ran *very* low on disk, ... - Jy@

Yep. In this case, it was just causing ICMP storms because a Cisco router
several hops upstream was blocking the address. Unfortunately, because so
much HP hardware is deployed out there, the address is both useless (one
doesn't dare assign anything to it) and dangerous to pass (for the reasons
you mention above).

And it gets worse. JetDirect print servers and adapters are extremely easy
to hack. I won't go into the details here, but suffice to say that if people
from the outside can reach the print server, they can easily "own" your
network.

It might be a good idea to add that default address to the recommended sets
of rules for IPFW and IPFilters. I saw a good ruleset for IPFW go by on this
list only a few days ago; perhaps we can throw in one which catches
192.0.0.192 as well.

--Brett
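
The rule proposed in the message above, sketched in the style of an rc.firewall fragment. This is an added example, not part of the original message or of any FreeBSD-supplied ruleset; the interface name `fxp0`, the rule numbers, the `/sbin/ipfw` path and the `FWCMD` dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example: ipfw rules for the JetDirect default address 192.0.0.192.
# FWCMD defaults to a dry run that prints each command for review;
# set FWCMD="/sbin/ipfw -q" to load the rules (assumed path).
FWCMD="${FWCMD:-echo ipfw}"
JETDIRECT_DEFAULT="192.0.0.192"

# jetdirect_default_rules OIF [BASE]
#   OIF  - outside interface name (constructed example: fxp0)
#   BASE - first rule number to use (assumed free in your ruleset)
jetdirect_default_rules() {
    oif="$1"
    base="${2:-400}"
    # Accept only a plain interface name and a numeric rule number, so the
    # values can be handed to ipfw without surprises.
    case "$oif" in
        ""|*[!A-Za-z0-9]*)
            echo "usage: jetdirect_default_rules OIF [BASE]" >&2
            return 1 ;;
    esac
    case "$base" in
        ""|*[!0-9]*)
            echo "BASE must be a rule number" >&2
            return 1 ;;
    esac
    # Setup probes from inside clients must not leave the site. Logging the
    # drop records which workstation is still looking for the default address.
    ${FWCMD} add "$base" deny log ip from any to "$JETDIRECT_DEFAULT" \
        out via "$oif" || return 1
    # Nothing arriving from outside may claim that address as its source.
    ${FWCMD} add "$((base + 1))" deny log ip from "$JETDIRECT_DEFAULT" to any \
        in via "$oif" || return 1
}

# Dry run for the constructed interface name; prints the two ipfw commands.
jetdirect_default_rules fxp0
```

Place the rules ahead of any general "allow outbound" rule, since ipfw stops at the first match.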