Vulnerability

    HP JetDirect module

Affected

    Probably affects all HP printers with network support

Description

    Tobias  Haustein  found  following.   He  played  with our network
    printer (a HP LaserJet  4500) and -- boom  -- it crashed.   The HP
    JetDirect  J3111A  module  with  firmware  G.05.35  suffers from a
    buffer overflow  in it's  internal web  server.   If you enter the
    following URL in your web browser

        http://my-printer's-ip/very-long-rubbish(256 bytes or so)

    the printer prints a diagnostics page showing the contents of  all
    registers and the following 64 bytes of all memory addresses  that
    address registers point to.

    Obviously it's a M680x0  CPU with 512 KB  of RAM in our  model, so
    writing an exploit  should be fairly  easy.  The  nice point about
    it  is  that  most  people  wouldn't  expect  their  printer to be
    compromised -- and since there  is no logging on the  printer, you
    can't  easily  be  tracked  down...   It  has  been confirmed with
    JetDirect 300x print server J3263A firmware H.06.00 too.

Solution

    HP JetDirects  can have  the web  server turned  off (a good idea)
    and use remote syslog to log all connections to the printer.   The
    HP  print  server  control  software  automaticly  turns  the  web
    configuration back on, so don't use  that - physicly go up to  the
    printer and  disable all  services you  don't need.   If only  one
    could  add  in  ip  allow  ranges...   Not  Vulnerable  seem to be
    Firmware Revision G.07.17.  To disable port 80 use the command:

        ews-config: 0

    If you are  using bootp/tftp to  configure your printers,  you can
    specify  an  allowed  IP  range  in  /tftpboot/<printer-name>.cfg,
    like:

        xxx.yyy.zzz.0  255.255.255.0