Subject: HP DeskJet 970 driver can interfere with security policy
From: Dmitry Manakhov (dmitry_manakhovCARYACADEMY.PVT.K12.NC.US)
Date: Thu Jun 01 2000 - 16:45:40 CDT


I have discovered a feature in the HP DeskJet 970 printer driver which may
interfere with company security policy, and since I never heard about it
before, I decided to post it here.

Scenario:

I use several HP DeskJet 970 printers; all printers are connected to the
"ExtenNet" network print servers from Extended Systems.
Printers are created and shared on a dedicated Windows NT server. The Windows NT
server communicates with the network print servers by using the Microsoft TCP/IP
printing LPR protocol. People connect to the shared printers on the Windows NT
server to print.

Problem:
When a user sends a job to the NT print server, the DeskJet driver creates
a temporary file inside the "driveletter:\WINNT" folder. Those files are created
under the security content of the person who sends the print job.
Files have the following name mask: "Hpdjxxxx.pdl" and "Hpdjxxxx.idx" (where
"xxxx" is a print job sequence number).
I had "read only" permission for this folder for my users and they were not
able to print. (Obviously they could not create the temporary file, and this is
how I discovered this feature.) I had to assign "Change" permission to
"Domain Users" for this folder. I called HP Technical Support and basically
I have been told that this is the way this driver is supposed to work
and there is no workaround to reroute temporary files to another folder.
This is not a huge exploit, but this information might be useful for
those who have a strict environment and don't allow people to have anything
but Read permission on server system directories.

I was able to reproduce it with driver versions 2.2 and 2.3 (2.3 is the
latest software driver HP has on its web site).

Thank you,

Dmitry Manakhov
Systems Engineer
Cary Academy
MCSE+I, CCA, CCNA
Phone: 919 6771946 ext. 4224
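
An added audit example, not part of the original post: it reports which principals outside the usual system accounts can write to the system directory, and lists any files matching the "Hpdjxxxx.pdl" / "Hpdjxxxx.idx" mask with their owners. It assumes a Windows print server with PowerShell 3.0 or later, treats "xxxx" as any four characters, and uses a list of expected SIDs that is a choice made for this example.

```powershell
# Added example (not from the post). $Folder stands for "driveletter:\WINNT".
param([string]$Folder = $env:SystemRoot)

# Bits that allow creating or changing files: WriteData/CreateFiles (0x2),
# AppendData (0x4), plus GENERIC_WRITE and GENERIC_ALL as they appear in raw ACEs.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# Assumption: well-known SIDs expected to hold write access to a system directory.
$expected = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Ask for the rules keyed by SID so the check does not depend on localized names.
$acl   = Get-Acl -LiteralPath $Folder
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$writers = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
    $sid = $ace.IdentityReference.Value
    if ($expected -contains $sid) { continue }
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # SID that no longer resolves to an account
    [pscustomobject]@{ Principal = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
}

# Driver temporary files left in the folder, with the account that created them.
$leftovers = Get-ChildItem -LiteralPath $Folder -File -Filter 'Hpdj*' |
    Where-Object { $_.Name -match '^Hpdj.{4}\.(pdl|idx)$' } |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.Name
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Written = $_.LastWriteTime
        }
    }

Write-Host "Unexpected principals with write access to ${Folder}:"
$writers   | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "Hpdjxxxx.pdl / Hpdjxxxx.idx files in ${Folder}:"
$leftovers | Format-Table -AutoSize | Out-String | Write-Host
```

An entry such as "Domain Users" in the first table corresponds to the "Change" grant described in the post.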