It seems that a byproduct of the Code Red scans is also causing woes to HP JetDIrect printers, causing them to print some diagnostics pages, then dropping off the network. This is not from the actual Code Red .ida exploit code or the shellcode, but from the NOPs instead. If you send a HP JetDirect >4096 characters to the HTTP port, you will get the same results as when the Code Red worm hits it. I have tested against some HP JetDirect printers at various firmware releases, and am unable to reproduce it after upgrading the printers to firmware g08.32. After upgrading, I have attempted to send all types of characters and hex code up to 100000 characters at a time and was unable to reproduce. I have not yet tested the g05.05 code yet, but feel that anything that can be flashed up to version g08.32 should no longer be vulnerable. Vulnerability test: 1) Perform a continuous ping to the HP JetDirect Printer 2) Execute the overflow: perl -e 'print "\x90"x4097;'|telnet <HP JetDirect Printer> 80 -OR- perl -e 'print "<any character>"x4097;'|telnet <HP JetDirect Printer> 80 3) The ping should time out and the printer should print diagnostic pages 4) To recover, power-cycle the printer, then flash the firmware Joe Klemencic
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 17:28:44 PDT