Re: SNMP vulnerabilities

From: Paul Nash (pnash@ATSTAKE.COM)
Date: 02/14/02


Date:         Thu, 14 Feb 2002 16:58:25 -0500
From: Paul Nash <pnash@ATSTAKE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Wednesday February 13th, Russ Cooper said:

> Date: Wed, 13 Feb 2002 19:49:45 -0500
> From: Russ <Russ.Cooper@RC.ON.CA>
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: SNMP vulnerabilities
>
> Robert Graham, in a post today on SecurityFocus.com's Bugtraq mailing
> list, suggests that someone is going to code up an exploit that causes a
> JetDirect to forward a copy of everything sent to it to the
> hacker...yeah, right. Sorry, but I give no credence to such dire
> warnings, it's just too unlikely. Not only will the hacker have to sift
> through the tens of thousands of attack strings and figure out which
> few, if any, allow an HP JetDirect to be overflowed to an executable
> point in the stack (assuming that's even possible with a JetDirect),
> they also have to figure out how to get it onto those printers and still
> allow them to continue running their normal work (otherwise it's just a
> DoS).

Robert Graham's post was not a dire warning; obtaining the RAM contents
of an HP JetDirect printer is actually quite easy to do. In fact, the
'npCtlImageDump' SNMP OID does just that. This functionality has been
around since at least 1993, when it was documented in an HP router MIB
file. Surprisingly, it works on their printers as well. Who knows
what other HP devices are capable of doing this?

The OID in question is .1.3.6.1.4.1.11.2.4.3.7.6.0, and by setting the
value to '1', the printer will TFTP the contents of RAM to the IP
address that responded to its BOOTP query. This implies that the
printer must be configured to use BOOTP to obtain its IP address.
Surprise, this is also remotely configurable via SNMP. This still
limits the attacker to the same broadcast segment, unless they can
guess the BOOTP query ID that the printer uses in its request. It
should be noted that you need SNMP write access for this. Printers ship
with standard read/write strings by default, unless an administrator
locks the printer down. Of note, the print jobs are encoded in either
PCL or PostScript.

In addition, by monitoring the '1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6'
OID tree, a remote user can get a list of job descriptions sent to the
printer. By continually monitoring the job descriptions, a remote
person can use the npCtlImageDump OID to obtain copies of the "juicy"
documents as soon as they are printed.

Going back to Robert Graham's post, yes, it is quite trivial for someone
to code something up that reconfigures the printer to use BOOTP, answers
the BOOTP request, requests the RAM contents, and then disables the BOOTP
functionality on the printer. Parsing the RAM contents for print jobs
is as easy as stripping out the PCL encoding, or by just splitting apart
the print jobs and sending them right back to the printer, as is.

Additionally, seeing as SNMP is used during the HP JetDirect firmware
upgrade process, theoretically one could code an exploit that uploads a
trojaned firmware image.

BTW- I'm not currently subscribed to NTBugtraq. Can you forward this to
the list?

Regards,
   -Paul

--
Paul Nash
Research Scientist
@stake, Inc.
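The following detection script is an added example for readers of this archive; it is not part of Paul Nash's message, nor HP or @stake code. It assumes a simplified, constructed log format of the shape `timestamp src > dst PDU oid[=value]` (real SNMP logging and capture tools print their own layouts, so the regular expression would need adapting) and flags the two behaviours the message describes: an SNMP SetRequest against the npCtlImageDump OID, and a single source repeatedly walking the job-description subtree. The sample log lines and the alert threshold are constructed.

```python
import re
from collections import Counter

# The two OIDs named in the message above.
NPCTL_IMAGE_DUMP_OID = ".1.3.6.1.4.1.11.2.4.3.7.6.0"
JOB_DESCRIPTION_SUBTREE = ".1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6"

# Constructed sample lines (assumed format: "timestamp src > dst PDU oid[=value]").
# 10.1.1.20 plays the printer; 10.1.1.77 polls job descriptions and then
# issues a SetRequest on npCtlImageDump; 10.1.1.50 is ordinary monitoring.
SAMPLE_LOG = """\
16:58:01 10.1.1.50 > 10.1.1.20 GetRequest .1.3.6.1.2.1.1.5.0
16:58:02 10.1.1.77 > 10.1.1.20 GetNextRequest .1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6.1
16:58:07 10.1.1.77 > 10.1.1.20 GetNextRequest .1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6.1
16:58:12 10.1.1.77 > 10.1.1.20 GetNextRequest .1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6.1
16:58:17 10.1.1.77 > 10.1.1.20 GetNextRequest .1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6.1
16:58:22 10.1.1.77 > 10.1.1.20 GetNextRequest .1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6.1
16:58:25 10.1.1.77 > 10.1.1.20 SetRequest .1.3.6.1.4.1.11.2.4.3.7.6.0=1
16:58:30 10.1.1.50 > 10.1.1.20 GetRequest .1.3.6.1.2.1.25.3.2.1.5.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}) "
    r"(?P<pdu>GetRequest|GetNextRequest|GetBulkRequest|SetRequest) "
    r"(?P<oid>\.[0-9.]+)(?:=(?P<value>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_subtree(oid, subtree):
    """True if oid equals subtree or lies beneath it."""
    return oid == subtree or oid.startswith(subtree + ".")


def analyze(log_text, poll_threshold=5):
    """Return alert tuples for the behaviours described in the message.

    ("image-dump-set", src, dst, ts)     -- any write to npCtlImageDump
    ("job-description-polling", src, dst, n) -- n reads of the job subtree
                                                from one src/dst pair, n >= threshold
    """
    alerts = []
    job_polls = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["pdu"] == "SetRequest" and rec["oid"] == NPCTL_IMAGE_DUMP_OID:
            # Any write attempt is worth an alert, whatever the value carried.
            alerts.append(("image-dump-set", rec["src"], rec["dst"], rec["ts"]))
        elif rec["pdu"] != "SetRequest" and in_subtree(rec["oid"], JOB_DESCRIPTION_SUBTREE):
            job_polls[(rec["src"], rec["dst"])] += 1
    for (src, dst), n in job_polls.items():
        if n >= poll_threshold:
            alerts.append(("job-description-polling", src, dst, n))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The write to npCtlImageDump is only possible with SNMP write access, so the alert is most useful alongside the mitigation the message itself points at: replacing the default read/write community strings and restricting which hosts may issue SetRequests to the printer at all. The polling threshold is a constructed value; tune it to how often legitimate print-management software walks the job table on your network.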
