Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] HP Photosmart vulnerabilities

from [uncleron] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] HP Photosmart vulnerabilities
Date: Fri, 28 Dec 2007 10:01:40 -0600 
A low price for the printer does not give the vendor a free pass 
for shipping insecure products.  Since this type of printer is 
targeted for home/home office use, it would be valid to ask why 
SNMP is enabled in the first place.  

Please explain how this printer would be any less easy to use if HP 
had used non default community strings in the firmware?  In a 
home/home office environment, the only thing that might have a 
valid need to communicate with the printer via SNMP would be HP's 
software, which could just as easily use a non default community 
string.


On Fri, 28 Dec 2007 09:32:29 -0600 Joshua Levitsky 
<jlevitsk@joshie.com> wrote:

Do you mean to tell me someone can come to my house and after I 
let  
them on my network they can see how soon I need toner? Oh crap I  
better not let anyone over for New Year's!!!

There is a reason it's a $200 home/home office printer. It's not 
meant  
to sit on the internet. It's not meant to be in a military 
facility.  
It is meant to be simple to use.

I think next I shall contact Sears because I suspect someone can 
steal  
my water by simply placing a glass up to the front of the fridge  
without my knowledge, and I'm not positive but I think they can 
take  
my ice as well.



On Dec 28, 2007, at 10:16 AM, <uncleron@hushmail.com> wrote:


HP Photosmart C6280 (and probably other) network printers ship 

with

insecure default settings.  The printer ships with SNMP enabled
using the default community strings for both public and private.
HP does not document the use of SNMP, or provide a way for users 

to

change the default community strings.  The printer also includes 

a

web based admin tool which runs over http, without even an 

option

for ssl.

Several attempts to contact HP have proven futile.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] HP Photosmart vulnerabilities, Mo.Ron Hubbard
Next by Date:  Re: [Full-disclosure] HP Photosmart vulnerabilities, Joshua Levitsky
Previous by Thread:  Re: [Full-disclosure] HP Photosmart vulnerabilities, Mo.Ron Hubbard
Next by Thread:  Re: [Full-disclosure] HP Photosmart vulnerabilities, Joshua Levitsky
Indexes:  [Date] [Thread] [Top] [All Lists]