Hi, > I audited our system running under various operating systems. > The following OS do _not_ pad the packets with zero but something > else, > HP Printers JetDirect Various I have just tested a HP JetDirect J6035A by pinging with the 1-byte method from a Windows 2000 workstation. Whilst pinging, I continually refreshed the web admin interface of the JetDirect to generate some HTTP traffic. I captured the following ICMP Echo Reply packet clearly showing part of an HTTP request/response. 00 B0 D0 EE | 8A BE 00 01 | E6 45 3C 65 | 08 00 45 00 [.........E<e..E.] 00 1D 21 38 | 00 00 40 01 | 82 E0 C0 A8 | 2A D2 C0 A8 [..!8..@.....*...] 2A A5 00 00 | 42 FF 02 00 | 5A 00 61 18 | 0D E4 50 10 [*...B...Z.a...P.] 16 D0 E4 86 | 00 00 48 54 | 54 50 2F 31 | [......HTTP/1] So, it would appear that this particular model of HP JetDirect is vulnerable, and doesn't pad with random data. It may be advisable to more closely investigate HP JetDirect devices. On another note, in CERT's information, they include a statement from Cisco stating that "all of the latest shipping versions of Cisco IOS releases in the 12.1 and 12.2 trains are not vulnerable". They do not mention other Cisco operating systems. I tested a Cisco PIX 515 firewall appliance running PIX O/S version 6.0(1) and found that it wasn't vulnerable. A packet typical of those I have logged shows all null bytes for the padding: 00 B0 D0 EE | 8A BE 00 03 | 6B F6 6C 35 | 08 00 45 00 [........k.l5..E.] 00 1D E5 D8 | 00 00 FF 01 | FF 47 C0 A8 | 2A C9 C0 A8 [.........G..*...] 2A A5 00 00 | 93 FF 02 00 | 09 00 61 00 | 00 00 00 00 [*.........a.....] 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | [............] Regards, Basil Hussain
