From: Greg Paschall (gregp@ssl.berkeley.edu)
Date: Fri Jul 20 2001 - 09:13:05 PDT
Thursday, we started to have a couple of HP 4000 series printers with
JetDirect cards freeze up and spew a JetDirect diagnostics page
showing "S/W Exception 00fb". When the first one started doing it
between 9am - 1pm, I suspected that I had a bad JetDirect card; and
when it quit doing it I figured I got lucky. Then I got a report of a
second HP printer (on another subnet) doing the same thing later in
the afternoon.
There is an exploit [www.securityfocus.com/archive/1/35500 -- copied
below], which manifests itself on HP 4000/4500 printers with a
specific JetDirect module causing the same behavior I saw today. It
is caused by a http request to the printer followed by 256+
characters of garbage [http://hp-printer's-ip/very-long-rubbish(256+
bytes)].
I have verified that this exploit causes the behavior I saw earlier.
We started having the problems with the printers at about the same
time the ida worm started scanning through the campus networks. It
seems that crashing the HP printers is a side-effect of the worm --
both the ida worm and the HP exploit contain an http request followed
by 256+ garbage characters.
Greg Paschall -- gregp@ssl.berkeley.edu
-----------------------
From securityfocus.com (http://www.securityfocus.com/archive/1/35500):
Subject: buffer overflow in HP JetDirect module (probably affects all
HP printers with network support)
Date: Fri Nov 19 1999 10:57:00
Hi folks!
I just played with our network printer (a HP LaserJet 4500) and --
boom -- it crashed ;-)
The HP JetDirect J3111A module with firmware G.05.35 suffers from a
buffer overflow in it's internal web server. If you enter the
following URL in your web browser
http://my-printer's-ip/very-long-rubbish(256 bytes or so)
the printer prints a diagnostics page showing the contents of all
registers and the following 64 bytes of all memory addresses that
address registers point to.
Obviously it's a M680x0 CPU with 512 KB of RAM in our model, so
writing an exploit should be fairly easy. The nice point about it is
that most people wouldn't expect their printer to be compromised --
and since there is no logging on the printer, you can't easily be
tracked down...
------------------------------------------------------------------------
---------- Greg Paschall -- gregp@ssl.berkeley.edu Programmer/Analyst & Network Administrator Space Sciences Lab - University of California at Berkeley Room 230 -- (510) 643-6907 -- Fax: (510) 643-7629
------------------------------------------------------------------------ The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its mailing list, including information on subscribing and unsubscribing, see the MAGNet Web site at <http://mac.berkeley.edu/help/magnet/>.
This archive was generated by hypermail 2b29 : Fri Jul 20 2001 - 09:14:18 PDT