[MAGNet] [Micronet] ida worm will crash HP 4000 printers w/JetDirect


From: Pat McPeak (pmcpeak@eecs.berkeley.edu)
Date: Fri Jul 20 2001 - 10:21:40 PDT


Thanks for posting this. We have one HP 4000, which started
exhibiting the same behavior yesterday. I, too, was figuring
it was a JetDirect card gone bad.

-Pat

Pat McPeak
Computer Support pmcpeak@coe.berkeley.edu
Dean's Office, College of Engineering 510-643-6966 (voice)
University of California, Berkeley 510-642-9178 (fax)
-----------

Greg Paschall <gregp@ssl.berkeley.edu> writes:

> Thursday, we started to have a couple of HP 4000 series printers with
> JetDirect cards freeze up and spew a JetDirect diagnostics page
> showing "S/W Exception 00fb". When the first one started doing it
> between 9am - 1pm, I suspected that I had a bad JetDirect card; and
> when it quit doing it I figured I got lucky. Then I got a report of a
> second HP printer (on another subnet) doing the same thing later in
> the afternoon.
>
> There is an exploit [www.securityfocus.com/archive/1/35500 -- copied
> below], which manifests itself on HP 4000/4500 printers with a
> specific JetDirect module causing the same behavior I saw today. It
> is caused by an http request to the printer followed by 256+
> characters of garbage [http://hp-printer's-ip/very-long-rubbish(256+
> bytes)].
>
> I have verified that this exploit causes the behavior I saw earlier.
>
> We started having the problems with the printers at about the same
> time the ida worm started scanning through the campus networks. It
> seems that crashing the HP printers is a side-effect of the worm --
> both the ida worm and the HP exploit contain an http request followed
> by 256+ garbage characters.
>
> Greg Paschall -- gregp@ssl.berkeley.edu
>
> -----------------------
> From securityfocus.com (http://www.securityfocus.com/archive/1/35500):
>
> Subject: buffer overflow in HP JetDirect module (probably affects all
> HP printers with network support)
> Date: Fri Nov 19 1999 10:57:00
>
> Hi folks!
>
> I just played with our network printer (a HP LaserJet 4500) and --
> boom -- it crashed ;-)
>
> The HP JetDirect J3111A module with firmware G.05.35 suffers from a
> buffer overflow in its internal web server. If you enter the
> following URL in your web browser
>
> http://my-printer's-ip/very-long-rubbish(256 bytes or so)
>
> the printer prints a diagnostics page showing the contents of all
> registers and the following 64 bytes of all memory addresses that
> address registers point to.
>
> Obviously it's a M680x0 CPU with 512 KB of RAM in our model, so
> writing an exploit should be fairly easy. The nice point about it is
> that most people wouldn't expect their printer to be compromised --
> and since there is no logging on the printer, you can't easily be
> tracked down...
>
> --------------------------------------------------------------------------
>
> --------
> Greg Paschall -- gregp@ssl.berkeley.edu
> Programmer/Analyst & Network Administrator
> Space Sciences Lab - University of California at Berkeley
> Room 230 -- (510) 643-6907 -- Fax: (510) 643-7629

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://mac.berkeley.edu/help/magnet/>.
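
Added example, not part of the original messages: since the thread notes that the printer itself keeps no log, one way to confirm the correlation Greg describes is to search a network sensor's HTTP log for requests of 256+ bytes sent to printer addresses, grouped by source. The log format, the printer subnet and all addresses below are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LONG_PATH_BYTES = 256  # threshold reported in the thread
PRINTER_NETS = [ip_network("192.0.2.0/28")]  # constructed printer inventory
# Hypothetical sensor log format: "<time> <src> -> <dst>:<port> <METHOD> <uri>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> ([\d.]+):(\d+) (\S+) (\S+)$")


def is_printer(addr):
    """True if addr parses as an IP inside one of the printer subnets."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRINTER_NETS)


def long_requests_to_printers(lines, threshold=LONG_PATH_BYTES):
    """Map each source IP to the printers it sent an over-long URI to."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        _time, src, dst, _port, _method, uri = m.groups()
        path_bytes = len(uri.encode("utf-8")) - 1  # bytes after the leading "/"
        if path_bytes >= threshold and is_printer(dst):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample log (documentation address ranges, filler "X" paths).
SAMPLE_LOG = [
    "2001-07-19T09:02:11 198.51.100.7 -> 192.0.2.5:80 GET /index.html",
    "2001-07-19T09:14:52 198.51.100.23 -> 192.0.2.5:80 GET /" + "X" * 300,
    "2001-07-19T09:14:53 198.51.100.23 -> 192.0.2.9:80 GET /" + "X" * 300,
    "2001-07-19T09:14:54 198.51.100.23 -> 203.0.113.10:80 GET /" + "X" * 300,
    "2001-07-19T09:20:00 198.51.100.8 -> 192.0.2.5:80 GET /" + "X" * 255,
    "garbled line that the parser should ignore",
]

if __name__ == "__main__":
    for src, printers in long_requests_to_printers(SAMPLE_LOG).items():
        print(f"{src} sent 256+ byte requests to printers: {', '.join(printers)}")
```

A single source hitting several printers in quick succession, as in the sample, is consistent with a scanner sweeping the subnet rather than a failing JetDirect card.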



This archive was generated by hypermail 2b29 : Fri Jul 20 2001 - 10:23:20 PDT