RE: More information regarding Etherleak

["Basil Hussain" <basil.hussain () kodakweddings com>]

Hi,

> I audited our system running under various operating systems.
> The following OS do _not_ pad the packets with zero but something
> else,

> HP Printers           JetDirect       Various

I have just tested a HP JetDirect J6035A by pinging with the 1-byte method
from a Windows 2000 workstation. Whilst pinging, I continually refreshed the
web admin interface of the JetDirect to generate some HTTP traffic. I
captured the following ICMP Echo Reply packet clearly showing part of an
HTTP request/response.

00 B0 D0 EE | 8A BE 00 01 | E6 45 3C 65 | 08 00 45 00 [.........E<e..E.]
00 1D 21 38 | 00 00 40 01 | 82 E0 C0 A8 | 2A D2 C0 A8 [..!8..@.....*...]
2A A5 00 00 | 42 FF 02 00 | 5A 00 61 18 | 0D E4 50 10 [*...B...Z.a...P.]
16 D0 E4 86 | 00 00 48 54 | 54 50 2F 31 |             [......HTTP/1]

So, it would appear that this particular model of HP JetDirect is
vulnerable, and doesn't pad with random data. It may be advisable to more
closely investigate HP JetDirect devices.

On another note, in CERT's information, they include a statement from Cisco
stating that "all of the latest shipping versions of Cisco IOS releases in
the 12.1 and 12.2 trains are not vulnerable". They do not mention other
Cisco operating systems.

I tested a Cisco PIX 515 firewall appliance running PIX O/S version 6.0(1)
and found that it wasn't vulnerable. A packet typical of those I have logged
shows all null bytes for the padding:

00 B0 D0 EE | 8A BE 00 03 | 6B F6 6C 35 | 08 00 45 00 [........k.l5..E.]
00 1D E5 D8 | 00 00 FF 01 | FF 47 C0 A8 | 2A C9 C0 A8 [.........G..*...]
2A A5 00 00 | 93 FF 02 00 | 09 00 61 00 | 00 00 00 00 [*.........a.....]
00 00 00 00 | 00 00 00 00 | 00 00 00 00 |             [............]

Regards,
Basil Hussain