Re: Cert Advisory 2002-03 and HP JetDirect

From: Joshua Newton (babyswanat_private)
Date: Tue Feb 19 2002 - 16:41:50 PST

Next message: Bob Fiero: "Re: Citrix NFuse 1.6 - additional network exposure"

Previous message: Steven M. Christey: "Internet-Draft for "Responsible Disclosure Process" released"
In reply to: Information Security: "Cert Advisory 2002-03 and HP JetDirect"
Next in thread: david evlis reign: "Re: Cert Advisory 2002-03 and HP JetDirect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This has probably been done to death, but I can't help but note that all
HP JD firmware I've ever come in contact with has been horribly fragile
to all sorts of simple network abuses. A 1-second pingflood causes x
08.32 firmware to lock so hard that it refuses to pass any packets at
all anywhere ever again unless hard-reset. (I may be exaggerating in
this case, but I waited about ten minutes before I gave up and pulled
the plug.) A quick nmap OS fingerprint scan produces the same results,
on and off, and an nmap TCP connect() portscan can lock a JD box or card
almost instantaneously, depending on the delay between connect()s.

SNMP fragility is the /least/ of the JD product line's worries. In fact,
while I'm at it, most every embedded IP stack I've ever seen has been at
least this fragile, if not more so -- I've seen Intermec OpenAir access
points, Ricoh network print cards, and Powerware UPS SNMP boxes all
exhibit the same kind of awful -- and inexcusable -- fragility. In the
last case, this can give new meaning to "denial of service," especially
if there were multiple servers monitoring the box to see if they should
start a controlled shutdown...

On Tue, 2002-02-19 at 10:53, Information Security wrote:
> It appears that HP JetDirect firmware is more susceptible to SNMP
> vulnerabilities than originally referenced in the CERT Advisory CA-2002-03
> (http://www.cert.org/advisories/CA-2002-03.html).  Some basic testing with
> Protos on an internal network seems to indicate that devices with JetDirect
> firmware x.08.32 crash each time a single malformed SNMP packet is received.
> The HP Download Manager for JetDirect reports that the printer software is
> up-to-date.
> 
> On the hardware I tested, the packet generated an "EIO" error and required
> the device to be powered off to recover.  Control panel input was not
> available.
> 
> The packet can be generated using the req-enc protos test with the options
> "-zerocase -showreply -single 13771".  The protos test name is
> "set-req-ber-l-length" in the category of "Invalid BER length (L) fields".
> 
> The TCPDump trace is:
> 15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161:  
>       SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv"
> 15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161:
>       GetRequest(25) .1.3.6.1.2.1.1.5.0
> 
> As an interesting side note, Ethereal (a popular open source sniffer /
> traffic analyzer) crashes every time it sees this packet also.  It gives the
> error "GLib-ERROR **: could not allocate -1 bytes aborting...".
> 
> This testing has been very limited (only LaserJet 4si and 8150 series
> printers were tested), so please post your test results Bugtraq.  
>

Next message: Bob Fiero: "Re: Citrix NFuse 1.6 - additional network exposure"
Previous message: Steven M. Christey: "Internet-Draft for "Responsible Disclosure Process" released"
In reply to: Information Security: "Cert Advisory 2002-03 and HP JetDirect"
Next in thread: david evlis reign: "Re: Cert Advisory 2002-03 and HP JetDirect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 18:18:18 PST