Code Red Infecting HP JetDirect - Not Exactly

From: JKlemencat_private
Date: Fri Aug 03 2001 - 14:28:31 PDT

  • Next message: Sam Vaughan: "Re: slackware permissions"

    It seems that a byproduct of the Code Red scans is also causing woes to HP
    JetDIrect printers, causing them to print some diagnostics pages, then
    dropping off the network. This is not from the actual Code Red .ida exploit
    code or the shellcode, but from the NOPs instead. If you send a HP
    JetDirect >4096 characters to the HTTP port, you will get the same results
    as when the Code Red worm hits it. I have tested against some HP JetDirect
    printers at various firmware releases, and am unable to reproduce it after
    upgrading the printers to firmware g08.32. After upgrading, I have
    attempted to send all types of characters and hex code up to 100000
    characters at a time and was unable to reproduce. I have not yet tested the
    g05.05 code yet, but feel that anything that can be flashed up to version
    g08.32 should no longer be vulnerable.
    
    Vulnerability test:
    1) Perform a continuous ping to the HP JetDirect Printer
    2) Execute the overflow:
         perl -e 'print "\x90"x4097;'|telnet <HP JetDirect Printer> 80
              -OR-
         perl -e 'print "<any character>"x4097;'|telnet <HP JetDirect Printer>
    80
    3) The ping should time out and the printer should print diagnostic pages
    4) To recover, power-cycle the printer, then flash the firmware
    
    Joe Klemencic
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 15:13:27 PDT