[Snort-sigs] SID 568

Warchild warchild at ...288...
Fri Feb 15 18:07:12 EST 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"INFO HP JetDirect
LCD modification attempt"; flags:A+; content:"@PJL RDYMSG DISPLAY =";
classtype:misc-activity; reference:bugtraq,2245;
reference:arachnids,302; sid:568; rev:3;) 


An attempt to change the message on the LCD display on a
JetDirect-enabled HP printer was detected.

User confusion and comedy, mostly.

Detailed Information:
The HP JetDirect printers allow remote machines to change the message
that is displayed on the LCD panel. 

Attack Scenarios:
As part of an attempt to confuse and annoy users, an attacker may
attempt to change the previously mentioned message.  
Ease of Attack:
Relatively simple.  All that is required is a way to connect to the
JetDirect port of the victim printer and a minimal knowledge of how
JedDirect works.  A telnet/nc client would suit the job well, but
there are also many featureful programs that'll allow you to
accomplish the same ends.

False Positives:
This rule will get triggered everytime a legitimate print job is
executed and the display is updated.

False Negatives:

Corrective Action:
Update to the latest JetDirect, and investigate the possibility of
restricting access to a central print-server using the "allow: <ip>
<netmask>" directive in a printer config file. 

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list