Ethereal-users: [Ethereal-users] HP JetDirect and ethereal SNMP vulnerabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: David Moore <davem@xxxxxxxxx>
Date: Wed, 20 Feb 2002 10:48:47 -0500
This just floated by in my email and implies an SNMP related exploit that will crash ethereal. They
don't state which version of ethereal. I have not tested it myself.

> --------------------------------------------------------------------------------------------------
> 
>    * Subject: [Fwd: Cert Advisory 2002-03 and HP JetDirect]
>    * Date: Tue, 19 Feb 2002 22:59:45 -0500
> 
> --------------------------------------------------------------------------------------------------
> 
>      --- Begin Message ---
> 
>         * Subject: Cert Advisory 2002-03 and HP JetDirect
>         * Date: Tue, 19 Feb 2002 10:53:48 -0500
> 
>      It appears that HP JetDirect firmware is more susceptible to SNMP
>      vulnerabilities than originally referenced in the CERT Advisory CA-2002-03
>      (http://www.cert.org/advisories/CA-2002-03.html).  Some basic testing with
>      Protos on an internal network seems to indicate that devices with JetDirect
>      firmware x.08.32 crash each time a single malformed SNMP packet is received.
>      The HP Download Manager for JetDirect reports that the printer software is
>      up-to-date.
> 
>      On the hardware I tested, the packet generated an "EIO" error and required
>      the device to be powered off to recover.  Control panel input was not
>      available.
> 
>      The packet can be generated using the req-enc protos test with the options
>      "-zerocase -showreply -single 13771".  The protos test name is
>      "set-req-ber-l-length" in the category of "Invalid BER length (L) fields".
> 
>      The TCPDump trace is:
>      15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161:
>            SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv"
>      15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161:
>            GetRequest(25) .1.3.6.1.2.1.1.5.0
> 
>      As an interesting side note, Ethereal (a popular open source sniffer /
>      traffic analyzer) crashes every time it sees this packet also.  It gives the
>      error "GLib-ERROR **: could not allocate -1 bytes aborting...".
> 
>      This testing has been very limited (only LaserJet 4si and 8150 series
>      printers were tested), so please post your test results to Bugtraq.
> 
>      --- End Message ---
> 

-- 
David E. Moore
The Mitre Corporation -- 11493 Sunset Hills Road -- Reston, VA.  20190-5214
703-883-7830 -- davem@xxxxxxxxx
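
The forwarded report puts the packet in the "Invalid BER length (L) fields" category and quotes an attempt to allocate -1 bytes. The following is an added example, not part of the original messages and not Ethereal's code: a BER length decoder that validates the field against the bytes actually captured before the value is used as a size. The function name, result codes and sample bytes are constructed for illustration, and the link between an unchecked length and the quoted error is an assumption based on the error text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (hypothetical names, not taken from any dissector). */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_INDEFINITE = -2,
       BER_TOO_LARGE = -3, BER_OVERRUN = -4 };

/* Decode the BER length field at buf[*off] and check it against the bytes
 * actually captured. On BER_OK, *len is the content length and *off points
 * at the first content byte; on error *off is unspecified. */
int ber_read_length(const uint8_t *buf, size_t buflen, size_t *off, size_t *len)
{
    size_t value = 0;
    if (*off >= buflen)
        return BER_TRUNCATED;
    uint8_t first = buf[(*off)++];
    if (first < 0x80) {                 /* short form: length is in 7 bits */
        value = first;
    } else {
        size_t n = first & 0x7f;        /* long form: n length octets follow */
        if (n == 0)
            return BER_INDEFINITE;      /* SNMP permits only definite lengths */
        if (n > sizeof(uint32_t))
            return BER_TOO_LARGE;       /* refuse lengths wider than 32 bits */
        if (n > buflen - *off)
            return BER_TRUNCATED;       /* length octets run past the packet */
        while (n--)
            value = (value << 8) | buf[(*off)++];
    }
    /* Never trust the field beyond what the packet really contains. */
    if (value > buflen - *off)
        return BER_OVERRUN;
    *len = value;
    return BER_OK;
}

int main(void)
{
    /* Constructed samples: OCTET STRING tag 0x04 followed by a length field. */
    const uint8_t good[] = { 0x04, 0x03, 'a', 'b', 'c' };
    const uint8_t huge[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff }; /* -1 as int32 */
    size_t off = 1, len = 0;
    printf("good: %d\n", ber_read_length(good, sizeof good, &off, &len));
    off = 1;
    printf("huge: %d\n", ber_read_length(huge, sizeof huge, &off, &len));
    return 0;
}
```

Keeping the length in an unsigned `size_t` and comparing it with the remaining byte count means a field such as 0xFFFFFFFF is rejected as an overrun instead of being reinterpreted as a negative size.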