This snmp object .1.3.6.1.4.1.11.2.3.9.1.1.13.0 is for the embedded web server (ews) password - I've written a plugin for our internal use that I've included here. I know it's not the cleanest, but it works.

First, it checks for a few web pages - one that _is_ available on the new version of ews (always responds no password - false positive), and then for the root page to make sure that the ews is enabled and is the old version (read: vulnerable).

There is a small chance of a false positive, if the community string 'internal' is valid on another host that has a web server running, and responds to the snmp object listed above.

This does not check for non-passworded telnet access - only ews.

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandezat_private]
Sent: Tuesday, March 04, 2003 11:26 AM
To: Renaud Deraison
Cc: plugins-writersat_private
Subject: Re: JetDirect password disclosure

Renaud Deraison wrote:
> Could anyone test this plugin on a password protected JetDirect, and
> confirm that it indeed works ? (I could only test it on a non-password
> protected HP jetdirect which has a crashed telnet server :)
>

Doesn't work for me. I'm testing against an HP JetDirect printer that _does_ answer when doing

snmpget -v 1 -c internal XXXXX .1.3.6.1.4.1.11.2.3.9.1.1.13.0

After tracing the code the culprit seems to be this one:

if(ord(r[17+strlen(community)]))exit(0);

Note that the result I get if I uncomment this line is gibberish, whereas snmpget returns:

enterprises.11.2.3.9.1.1.13.0 = Hex: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (15 x 16 '00's)

Regards

Javi
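Added example, not code from the thread or from the plugin under discussion: a Python decoder that walks the BER structure of an SNMPv1 GetResponse and tests the returned OCTET STRING for the all-zero value snmpget showed above, next to a replica of the quoted fixed-offset test. The sample packets, the OID byte encoding and the request-id values are constructed; a two-byte request-id is assumed only to show how the fixed offset 17+strlen(community) shifts.

```python
# Added example (not from the thread): decode an SNMPv1 GetResponse by walking its
# BER TLVs instead of reading the fixed byte r[17+strlen(community)].

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_get_response(packet):
    """Parse version, community, error-status and the (oid, value_tag, value) varbinds."""
    tag, msg, _ = read_tlv(packet, 0)
    assert tag == 0x30, "not an SNMP message"
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    tag, pdu, _ = read_tlv(msg, p)
    assert tag == 0xA2, "not a GetResponse PDU"
    _, req_id, q = read_tlv(pdu, 0)                    # request-id may span several bytes
    _, err_status, q = read_tlv(pdu, q)
    _, err_index, q = read_tlv(pdu, q)
    _, vb_list, _ = read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vb_list):                            # each varbind: SEQUENCE { OID, value }
        _, vb, q = read_tlv(vb_list, q)
        _, oid, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        varbinds.append((oid, vtag, val))
    return {"version": version[0], "community": community.decode(),
            "error_status": int.from_bytes(err_status, "big", signed=True), "varbinds": varbinds}

def ews_password_unset(packet):
    """True for an error-free reply whose OCTET STRING is all 0x00, the value snmpget printed."""
    resp = decode_get_response(packet)
    if resp["error_status"] != 0 or not resp["varbinds"]:
        return False
    _, vtag, val = resp["varbinds"][0]
    return vtag == 0x04 and len(val) > 0 and set(val) == {0}

def fixed_offset_check(packet, community):
    """The quoted plugin's test: a nonzero byte at 17+strlen(community) makes it exit."""
    return packet[17 + len(community)] != 0

# --- constructed sample packets (not captured traffic); short-form lengths only ---
def tlv(tag, body):
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

EWS_PASSWORD_OID = bytes([0x2B, 6, 1, 4, 1, 11, 2, 3, 9, 1, 1, 13, 0])  # .1.3.6.1.4.1.11.2.3.9.1.1.13.0

def sample_response(value, request_id=b"\x01", community=b"internal"):
    varbind = tlv(0x30, tlv(0x06, EWS_PASSWORD_OID) + tlv(0x04, value))
    pdu = tlv(0xA2, tlv(0x02, request_id) + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)
```

With a one-byte request-id the fixed offset happens to land on a zero byte, but a two-byte request-id pushes a length octet into that position and the quoted test bails out even though error-status is 0; the TLV walk gives the same answer in both cases.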
This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 12:14:57 PST