This has probably been done to death, but I can't help but note that all HP JD firmware I've ever come in contact with has been horribly fragile to all sorts of simple network abuses. A 1-second pingflood causes x 08.32 firmware to lock so hard that it refuses to pass any packets at all anywhere ever again unless hard-reset. (I may be exaggerating in this case, but I waited about ten minutes before I gave up and pulled the plug.) A quick nmap OS fingerprint scan produces the same results, on and off, and an nmap TCP connect() portscan can lock a JD box or card almost instantaneously, depending on the delay between connect()s. SNMP fragility is the /least/ of the JD product line's worries. In fact, while I'm at it, most every embedded IP stack I've ever seen has been at least this fragile, if not more so -- I've seen Intermec OpenAir access points, Ricoh network print cards, and Powerware UPS SNMP boxes all exhibit the same kind of awful -- and inexcusable -- fragility. In the last case, this can give new meaning to "denial of service," especially if there were multiple servers monitoring the box to see if they should start a controlled shutdown... On Tue, 2002-02-19 at 10:53, Information Security wrote: > It appears that HP JetDirect firmware is more susceptible to SNMP > vulnerabilities than originally referenced in the CERT Advisory CA-2002-03 > (http://www.cert.org/advisories/CA-2002-03.html). Some basic testing with > Protos on an internal network seems to indicate that devices with JetDirect > firmware x.08.32 crash each time a single malformed SNMP packet is received. > The HP Download Manager for JetDirect reports that the printer software is > up-to-date. > > On the hardware I tested, the packet generated an "EIO" error and required > the device to be powered off to recover. Control panel input was not > available. > > The packet can be generated using the req-enc protos test with the options > "-zerocase -showreply -single 13771". The protos test name is > "set-req-ber-l-length" in the category of "Invalid BER length (L) fields". > > The TCPDump trace is: > 15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161: > SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv" > 15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161: > GetRequest(25) .1.3.6.1.2.1.1.5.0 > > As an interesting side note, Ethereal (a popular open source sniffer / > traffic analyzer) crashes every time it sees this packet also. It gives the > error "GLib-ERROR **: could not allocate -1 bytes aborting...". > > This testing has been very limited (only LaserJet 4si and 8150 series > printers were tested), so please post your test results Bugtraq. >
