hp5crash.txt

1999-08-17T00:00:00
ID PACKETSTORM:12217
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
[ http://www.rootshell.com/ ]  
  
Date: Wed, 6 Jan 1999 14:59:21 -0800  
From: bwoodard@CISCO.COM  
Subject: Another way to crash HP printers  
  
A few months ago, I reported that you could crash HP 5m printers by doing a  
multivarible SNMP query on the interpreters table.  
  
I have since found a similar problem that applies to all HP 5 series  
printers whose firmware datecode is less than 19960829.  
  
The easiest way to figure out if your printer is affected is to use a  
snmptool such as those from UC Davis  
(http://www.ece.ucdavis.edu/ucd-snmp/) and try the command:  
  
snmpget printername public 43.15.1.1.4.1.1  
  
The easiest way to manifest the bug is to use a program like npadmin  
(http://www.penguincomputing.com/prtools/npadmin.html) and try to  
examine a large table like the interpreters or channels table:  
  
npadmin --languages printername  
  
or  
  
npadmin --protocol printername  
  
The bug leaves the printer in different conditions depending on the  
JetDirect firmware revision, the model of the printer, and possibly  
the state of the printer at the time of the attack. In many cases it  
leaves the printer with a 79(12BF) or 79(9208) error but still  
pingable. In this state it may even accept one print job but not print  
it. In other cases, ther error message in the display is missing. In a  
few cases the printer is left unpingable.  
  
The problem seems to be independant of the JetDirect hardware and  
firmware revision and so doing a flash upgrade will not solve the  
problem. The problem seems to be due to a bug in the printer firmware,  
often times called the formwatter, which crashes when certain  
multivariable SNMP queries are executed. Upgrading the formatter  
software involves replacing some hardware within the printer and so  
this can not be trivially done.  
  
I reported this bug to HP a couple of days ago, and they believe that  
it is the same bug that causes all HP 5m's to crash on certain  
multivariable queries. They are in the process of preparing a  
JetDirect flash upgrade that works around the bug in the formatter.  
  
-ben  
  
--------------------------------------------------------------------------  
  
Date: Mon, 8 Mar 1999 07:52:25 -0800  
From: bwoodard@CISCO.COM  
To: BUGTRAQ@netspace.org  
Subject: Update: HP printer vulnerabilities  
  
HP has finally addressed the two big bugs that allow anyone to crash a  
network connected printer.  
  
The first bug is their succeptability to the nestea2 and other TCP/IP  
exploits. This bug is fixed in several releases of firmware for their  
different cards. A05.08 is for most HP 5 series network printers. This  
release have been available for some time but they yet to release it  
to their web site. You must contact their support organization and ask  
for it specifically.  
  
The second bug only affects HP 5m and some 5si's with older formatter  
firmware. This bug is due to a communication error between the printer  
and the network interface. Using a simple multivarible SNMP getnext  
command, you can crash the network interface causing the printer to  
drop off the network. HP has provided the a beta firmware release  
A05.09 that addresses this issue. If you want to get this bugfix  
please contact HP customer care, indicate that you are getting a 79 SE  
problem with a 5M and ask for the BETA A.05.09 release which cisco  
has. Once they are comfortable that this firmware has been tested  
widly without incident they will release it.  
  
In my opinion both these firmware releases should be considered  
manditory anywhere where printer's are exposed to untrusted network  
traffic. I would strongly advise any institution that does not have  
their printers firewalled off (and most that do) to apply this patched  
firmware to eliminate the possibility of a widespread DOS attack.  
  
-ben  
  
`