Michael H. Warfield
Sun May 9 14:40:55 GMT 1999

hurtta+z1 at ozone.FMI.FI enscribed thusly:
> Johan Meiring:
> > Hi,

> > WOW, this was posted over a year ago!  A response now.

> > The problem still exists.  As reconfirmed in a post I read not too long ago
> > (within the last 2 weeks?).  HP jetdirect cards can only do one thing at a
> > time. (HP has been writing Jetdirect firmware for 5 years, PLEASE HP you
> > _MUST_ have the ability to fix it?!  Or don't you??)

> Well, I noticed that with newer HP printers it does not hang.
> Printer gives response

> 	Active connection from xxx.yyy.vvv.zzz

> when it is working.

	I wrote a security advisory on HP Jetdirect cards several months
ago (check bugtraq archives).  The older cards had a variety of flaws and
bugs that made them pretty simple to crash.  A fun trick was to take
advantage of the hole that allows you to print something on the LCD panel
(like 1-900-sex-line) and then attack the tcp port with any one of a
dozen ways to crash it.  Then see how many fools call the number thinking
the printer is asking for service.  :-)

	The newer JetDirect cards are much better.  They've got a
multithreaded interface with a dozen or so tcb's for connections.
This means that you can't just kill it by slowly dripping SYN packets
at it.  There are still a few "gotchas" but they're really tough to
exploit.  A high speed sequence number prediction test (fire 64 SYN
packets at it, never complete the connection, then reset all the
connections) can occasionally cause a particular tcp port to become
unavailable.  The newer boards and firmware are much MUCH more rugged.

	If you've got the older JetDirect cards or firmware, you REALLY
NEED to upgrade.  If you don't and you're running a security scanner like
the Internet Scanner from Internet Security Systems (my baby) or Nessus
(an open source equivalent) you will torch off your JetDirect printers
in windrows.  I believe even nmap (a popular port scanning tool) will
blow away JetDirect cards like they were nothing.  You have to power
cycle them to recover...  :-/

