Re: IBM Infoprint Remote Management Simple DoS

[Fredrik Björk <Fredrik.Bjork.List () varbergenergi se>]

Hi!

InfoPrint 32 (model 4332-002) with printer software version 2.55F, network 
software version 7.34, PCL version 1.4.7, Postscript version 4.25 and PJL 
version 1.4.7, is not vulnerable. At the login prompt, you cannot input 
more than 26 characters. As always, the software revision is very important 
when reporting this kind of vulnerabilities. The printers are not from the 
same product line, but InfoPrint 70 is the faster sibling of IP21 and might 
be vulnerable.

Here are updates for the printer (some as late as September 2002):
http://www-1.ibm.com/support/search.wss?rs=95&apar=exclude&tc=SRJSN6&dc=D400
http://www-1.ibm.com/support/docview.wss?rs=95&context=SRJSN6&uid=psd1P4000085
http://www.printers.ibm.com/R5PSC.NSF/web/npmwin4

/Fredrik

At 12:19 2002-10-25 +0300, you wrote:
> Overview
> ========
> IBM makes a series of TCP/IP enabled printers that come with remote
> management features:
>
> <http://www.printers.ibm.com/R5PSC.NSF/Web/wglaserselect>
>
> One of these features is a Telnet-based remote management service, which
> has a DoS vulnerability. The vulnerability discussed here was tested on an
> IBM Infoprint 21 (older model), but is probably present in other printers
> of the same product line.
>
>
> Issue
> =====
> The Telnet-enabled remote management feature used in the printer does not
> properly check user input, namely the login name. By connecting to port 23
> and entering a login name consisting of an excessive number of characters
> a DoS condition will occur, and the Telnet service will refuse to allow
> further logins to the service. This is most likely due to a buffer
> overflow vulnerability in the login handling code.
>
> Power cycling the printer will restore functionality.
>
>
> Impact
> ======
> After the DoS condition has occurred, the Telnet service on the printer
> will continue accepting connections but will no longer display a login
> prompt. The connection will eventually time out. Other services are
> unaffected.
>
> While testing with large input data I was able to bring the entire printer
> down hard by sending enough data (several k) to port 23. The entire
> network interface was down, and the physical control panel on the printer
> was unresponsive. Printing was not possible. The only solution was to
> power cycle the printer once or twice(!) to restore functionality.
>
>
> Workaround
> ==========
> There do not appear to be any firmware updates available for the specific
> printer, nor any mention of these kind of issues on the vendors web site.
> Best practices dictate that printers and other internal assets should be
> only accessible from the internal network or through authenticated
> connections.
>
> It does not seem to be possible to disable the Telnet service without
> disabling all TCP/IP functionality from the printer.
>
>
> Vendor Status
> =============
> IBM was contacted on 2002-10-18. No acknowledgement of response of any
> kind was received.