Bugtraq mailing list archives

Re: nestea2 and HP Jet Direct cards.

From: bwoodard () CISCO COM (Ben Woodard)
Date: Wed, 20 May 1998 08:27:31 -0600


The problem is much more serious than you seem to recognise. The code
to autodiscover all the printers on a network using snmp is pretty
easy to write and is available in the JedAdmin tools. A disgruntled
employee behind a firewall or anyone on the internet can bring down
pretty much a whole organization's printing infostructure.

The problem is not that one printer can be brought down. The problem
is that every printer can be brought to its knees with just a few
packets in a few seconds. By the time we figure out what is
happening. _ALL_ the printers are down and we have no way to track
where the attack came from.

Two days after your initial post, we had an incident in one of our
field offices. Every printer on the network went dead. Guess who got
called? If all 2500 printers in our environment went down, I can't
even imagine how many calls our help desk would get? I worry about
unfirewalled environments such as universities.

I have some contacts deep within HP printer's firmware development
division. I made them aware of the problem and suggested that they
post to bugtraq with their intentions. I am still waiting for their
response.

-ben

nestea and nestea2 do a number on HP Jet Direct printer cards, I have
tested it on a HP 5/si and a HP 1600c with Jet Direct cards in them it
locks up until power cycled all of the print jobs that are going to them
are lost. The HP 5/si has a LCD on the front and there is an error code
that is displayed.

80 SERVICE (01E6) CALL SERVICE
            ^^^^
this number changes depending on how my times it is hit with nestea2,
which seems odd to me that if one hit  kills it, what difrence would it
make hitting it with 10 and why would it report a diffrent code.

HP's error code explination states the following.

------------------------
80 SERVICE(xxxx) CALL
SERVICE
------------------------
Indicates an
unrecoverable HP
Modular I/O (HP MIO)
protocol error. This
indicates a
catastrophic system
condition.
------------------------
Switch the printer OFF,
then ON. If the message
continues, contact your
dealer or HP service
representative for
service.
------------------------

I have also tried bonk, boink, teardrop, overdrop and none of them seem to
have any effect on the printers.

EOT

-- Damon Petta

Current thread:

Re: [MORE] Lynx's 2.x buffers overflows Bela Lubkin (May 06)
- check-ps 1.2 pre-release Duncan Simpson (May 06)
- Re: [MORE] Lynx's 2.x buffers overflows Theo de Raadt (May 06)
- admintool mode 0777 in Solaris 2.6 HW3/98 Paul B. Henson (May 07)
- nestea2 and HP Jet Direct cards. Damon Petta (May 07)
  - Re: nestea2 and HP Jet Direct cards. MrMurphy (May 08)
  - Re: nestea2 and HP Jet Direct cards. Ben Woodard (May 20)
    - Re: nestea2 and HP Jet Direct cards. (Lexmark patches) Ben Woodard (May 22)
    - Exploit: Windows95/98/ (NT?) Autorun Matt Hallacy (May 22)
- ircnn-1.3devel problems Warren Rees (May 08)