OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: J Edgar Hoover (zorchtotally.righteous.net)
Date: Fri May 17 2002 - 13:50:08 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I'm forwarding this for people who would like to remain
    anonymous.

    This case illustrates why software product vendors should be
    held legally and financially accountable for the security
    problems caused by their reckless and sometimes arrogant
    disregard of known problems.

    Xerox replied with a document mirrored at
    http://totally.righteous.net/jedgar/overview_of_security.pdf
    which doesn't address many of the problems, and states that the
    ultimate responsibility for security lies with the customer.

    Kudos to Xerox for setting a new standard of incompetence.

    Begin forwarded (and edited) message
    ------------------------------------------

    The model is a Xerox DocuTech 6110 or 6115.

    These puppies are not old-fashioned optical copiers but
    basically two units, a high-speed scanner and a high speed laser
    printer.

    The laser printer is controlled by a dual-processor Sun Uitra 60
    running Solaris 8. The Scanner is controlled by an Intel box
    running Windows NT.

    The scanner sends jobs via ftp to the printer. Jobs can also be
    sent to the printer via lpd through a windows print driver or
    other means.

    So, they install it, first thing we do is ask what the root
    password is for the Solaris box. "Oh, no problem, it's
    "service!" -- it's the same for all of our machines."

    WTF? First thing I say is "We will want to change that."

    "No, you can't. It will probably break things."

    Well, this puppy is WIDE OPEN like you wouldn't believe.
    Everything imaginable is running and listening, including such
    arcane services like sprayd. Then I do a "rpcinfo -p" and see a
    shitload of unknown RPC services running. But best yet,
    showmount -e reveals numerous directories exported to the entire
    world, world writable!

    The NT box Administrator account password is "administ" and is
    wide open, so anyone can connect to C$. Copies of all jobs
    scanned are saved in case they are needed to be rerun later, so
    anyone wanting to grab that document doesn't have to wait for it
    to appear in the spool dir of the Solaris box, just grab it from
    the scanner box at your leisure.

    Go to the server's http port and there's a complete web page
    which is very helpful for allowing you to submit jobs over the
    web and directly into the "print now" queue so an operator
    doesn't even have to approve it before it prints out. Imagine
    the fun you can have. Also, there's a very helpful job history
    so you can see who has been copying what, all anonymous, no
    authentication required.

    So, we lock the box down tight, installing ssh, disabling
    telnet, finger, echo, chargen, and other shit you wouldn't
    believe. Also installed security updates from Microsoft on the
    NT box. Xerox comes in today and has a fit and starts to
    reinstall everything from scratch.

    And scanning for these puppies would be easy as pie. Just do a
    finger against a block of addresses for xrxusr account and if it
    replies, you got yourself one...

    ------------------------------------------