Code Red Infecting HP JetDirect - Not Exactly

From: JKlemenc@fnal.gov
Date: 08/03/01

• Previous message: Andrea Efstathiou: "Strange connection attempts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Subject: Code Red Infecting HP JetDirect - Not Exactly
To: VULN-DEV@securityfocus.com, incidents@securityfocus.com
Message-ID: <OF027F0F5E.5F55283F-ON86256A9D.00753DCE@fnal.gov>
From: JKlemenc@fnal.gov
Date: Fri, 3 Aug 2001 16:28:31 -0500

It seems that a byproduct of the Code Red scans is also causing woes to HP
JetDIrect printers, causing them to print some diagnostics pages, then
dropping off the network. This is not from the actual Code Red .ida exploit
code or the shellcode, but from the NOPs instead. If you send a HP
JetDirect >4096 characters to the HTTP port, you will get the same results
as when the Code Red worm hits it. I have tested against some HP JetDirect
printers at various firmware releases, and am unable to reproduce it after
upgrading the printers to firmware g08.32. After upgrading, I have
attempted to send all types of characters and hex code up to 100000
characters at a time and was unable to reproduce. I have not yet tested the
g05.05 code yet, but feel that anything that can be flashed up to version
g08.32 should no longer be vulnerable.

Vulnerability test:
1) Perform a continuous ping to the HP JetDirect Printer
2) Execute the overflow:
     perl -e 'print "\x90"x4097;'|telnet <HP JetDirect Printer> 80
          -OR-
     perl -e 'print "<any character>"x4097;'|telnet <HP JetDirect Printer>
80
3) The ping should time out and the printer should print diagnostic pages
4) To recover, power-cycle the printer, then flash the firmware

Joe Klemencic

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Andrea Efstathiou: "Strange connection attempts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Code Red Infecting HP JetDirect - Not Exactly ... Code Red Infecting HP JetDirect - Not Exactly ... It seems that a byproduct of the Code Red scans is also causing woes to HP ... JetDIrect printers, causing them to print some diagnostics pages, then ... upgrading the printers to firmware g08.32. ... (Vuln-Dev) Re: Printing an extra (banner?) page - wnat to get rid of it. ... removing banner pages on Laser printers with JetDirect cards ... >>Lets say the print servers IP is 10.0.0.24 ... Banners are controlled at the JetDirect. ... (comp.unix.sco.misc) Re: non pjl printers via jetdirect ... In a previous position we would use JetDirect on Lexmark printers. ... non pjl printers via jetdirect ... To join/leave the list, search archives, change list settings, * ... (comp.sys.hp.mpe) Re: Printers on TS servers ... but the TS server is a member server on a ... >Quite a few of my remote users have printers attached to HP Jetdirect boxes, ... >and their printers aren't being remapped into their TS sessions. ... I don't want one workstation to be dependent on any other ... (microsoft.public.backoffice.smallbiz2000) Re: Windows Server 2003 and Networked LaserJet 4000N Problem ... maybe do firmware updates. ... > Standard TCP/IP port on a Windows Server 2003 server. ... > LaserJet 4000N printers on our network. ... > Windows XP but there are a few Windows 2000 and Windows NT 4.0 PCs. ... (microsoft.public.windows.server.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2001-08