hp5.txt

17 Aug 1999. Reported by Packet Storm (packetstormsecurity.com).

SNMP packet can crash HP 5M/5N printers, impacting network printing severely.

Code
`Date: Sat, 5 Sep 1998 19:47:29 -0600  
From: [email protected]  
Subject: Another way to crash HP 5M/5N printers  
  
In addition to using nestea2 to crash any HP printer, I seem to have  
found a way to crash certain HP printers with a single perfectly  
legitimate SNMP packet.  
  
The potential impact of this problem is that within a couple of  
seconds, someone could crash all the HP 5M and 5N printers within a  
whole network. Since the attack involves just one packet per network  
connected printer, it would be very difficult to trace where the  
attack came from. The danger is not that a person could crash one  
printer but rather that a person could severely impact printing in a  
fairly wide area.  
  
Ambrose Li reported to me that every time that he ran my program  
"npadmin --languages" (ftp://pasta.penguincomputing.com/pub/prtools)  
against a 5N printer it crashed the mio card with a 79 error. A 79  
error is almost a catch all error message. There are so many things  
that it can mean, that its meaning is very indistinct. I have  
also been able to reproduce this with 5M printers. (The 4 series  
printers as well as the HP color LaserJets don't have the objects that  
seem to cause the problem and the 5si printers don't seem to be  
affected.) I reported the problem to HP and they gave me case number  
1420924269.  
  
In keeping with corporate policy, HP is very tight lipped about the  
problem and have said nothing since I reported the problem to  
them. They will not say anything until they have a patch available.  
Those that administer print services for an area might want to keep an  
eye out for a new version of firmware from HP.  
  
I am pretty sure that it is not a bug in my program because I can  
reproduce it without using my program by simply doing:  
  
$ snmpgetnext scv-sirloin public 43.15.1.1.2.1.5 43.15.1.1.3.1.5 \  
> 43.15.1.1.4.1.5 43.15.1.1.5.1.5 43.15.1.1.6.1.5 43.15.1.1.7.1.5 \  
> 43.15.1.1.8.1.5 43.15.1.1.9.1.5 43.15.1.1.12.1.5  
  
I also went through hex dumps for both the packet that snmpgetnext  
sends and the packet that I am sending and studied  
them at very great length. They are both VERY different but they  
elicit the same problem and so I do not believe that it is a problem  
with the packet per se but rather a problem with the way that the  
printer deals with the packet. The fact that it does not affect 5si's  
suggests to me that the problem might be in the way that formatter  
software passes the information back to the MIO interface. In that  
case, it might require a hardware upgrade to remedy the problem.  
  
This problem does not seem to be mio firmware version dependent. The  
printer that I did my initial reproduction of the problem on has a  
J2552A MIO card in it running firmware version A.04.09 however I also  
tried it on printers that run A.04.08, and A.05.05 and they have the  
same problem.  
  
-ben  
`
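
The post's concern is one request per printer sent across a whole network within seconds, with little to trace afterwards. The following detection sketch is an added example, not part of the original post: it scans decoded SNMP request records for sources outside a management allowlist that query the objects named in the post on several printers inside a short window. The log format, addresses, allowlist and thresholds are all assumptions, and the OID prefix assumes the post's `43.15.*` arguments resolve under mib-2.

```python
from collections import defaultdict

# Printer-MIB prtInterpreterTable; assumes the post's 43.15.* arguments
# resolve under mib-2 (1.3.6.1.2.1), the snmpgetnext default.
INTERP_PREFIX = "1.3.6.1.2.1.43.15."
MGMT_HOSTS = {"10.0.0.5"}  # assumed allowlist of print-management stations
WINDOW_S = 5               # assumed window for "a couple of seconds"
FANOUT = 3                 # assumed: distinct printers per source before alerting
READ_PDUS = {"get", "get-next"}  # npadmin's PDU type is not stated, so match both

# Constructed records: epoch-seconds source printer pdu-type comma-separated-OIDs
SAMPLE_LOG = """\
100.0 10.0.0.5 10.0.9.11 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
100.2 10.0.0.5 10.0.9.12 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
100.4 10.0.0.5 10.0.9.13 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
200.0 10.0.3.77 10.0.9.11 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5,1.3.6.1.2.1.43.15.1.1.3.1.5
200.4 10.0.3.77 10.0.9.12 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
200.9 10.0.3.77 10.0.9.13 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
201.3 10.0.3.77 10.0.9.14 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
300.0 10.0.4.20 10.0.9.11 get 1.3.6.1.2.1.1.1.0
400.0 10.0.4.21 10.0.9.11 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
401.0 10.0.4.21 10.0.9.12 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
460.0 10.0.4.21 10.0.9.13 get-next 1.3.6.1.2.1.43.15.1.1.2.1.5
"""

def detect(log_text, allow=MGMT_HOSTS, window=WINDOW_S, fanout=FANOUT):
    """Map each non-allowlisted source to the printers it queried for
    prtInterpreterTable objects, if it reached `fanout` printers in `window` s."""
    hits = defaultdict(list)  # source -> [(timestamp, printer)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, pdu, oids = line.split()
        if pdu in READ_PDUS and src not in allow and any(
                o.startswith(INTERP_PREFIX) for o in oids.split(",")):
            hits[src].append((float(ts), dst))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= fanout:
                alerts.setdefault(src, set()).update(targets)
    return {src: sorted(t) for src, t in alerts.items()}
```

A single request to one printer stays below the fan-out threshold, so this check complements restricting SNMP access to the management stations rather than replacing it.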
