It seems that a byproduct of the Code Red scans is also causing woes to HP
JetDIrect printers, causing them to print some diagnostics pages, then
dropping off the network. This is not from the actual Code Red .ida exploit
code or the shellcode, but from the NOPs instead. If you send a HP
JetDirect >4096 characters to the HTTP port, you will get the same results
as when the Code Red worm hits it. I have tested against some HP JetDirect
printers at various firmware releases, and am unable to reproduce it after
upgrading the printers to firmware g08.32. After upgrading, I have
attempted to send all types of characters and hex code up to 100000
characters at a time and was unable to reproduce. I have not yet tested the
g05.05 code yet, but feel that anything that can be flashed up to version
g08.32 should no longer be vulnerable.
Vulnerability test:
1) Perform a continuous ping to the HP JetDirect Printer
2) Execute the overflow:
perl -e 'print "\x90"x4097;'|telnet <HP JetDirect Printer> 80
-OR-
perl -e 'print "<any character>"x4097;'|telnet <HP JetDirect Printer>
80
3) The ping should time out and the printer should print diagnostic pages
4) To recover, power-cycle the printer, then flash the firmware
Joe Klemencic
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 17:28:44 PDT