COMMAND
multivarible SNMP query
SYSTEMS AFFECTED
HP 5 series firmware less than 19960829
PROBLEM
Ben previously reported that you could crash HP 5m printers by
doing a multivarible SNMP query on the interpreters table. He has
since found a similar problem that applies to all HP 5 series
printers whose firmware datecode is less than 19960829. The
easiest way to figure out if your printer is affected is to use a
snmptool such as those from UC Davis from:
http://www.ece.ucdavis.edu/ucd-snmp/
and try the command:
snmpget printername public 43.15.1.1.4.1.1
The easiest way to manifest the bug is to use a program like
npadmin from:
http://www.penguincomputing.com/prtools/npadmin.html
and try to examine a large table like the interpreters or channels
table:
npadmin --languages printername
or
npadmin --protocol printername
The bug leaves the printer in different conditions depending on
the JetDirect firmware revision, the model of the printer, and
possibly the state of the printer at the time of the attack. In
many cases it leaves the printer with a 79(12BF) or 79(9208) error
but still pingable. In this state it may even accept one print job
but not print it. In other cases, ther error message in the
display is missing. In a few cases the printer is left unpingable.
The problem seems to be independant of the JetDirect hardware and
firmware revision and so doing a flash upgrade will not solve the
problem. The problem seems to be due to a bug in the printer
firmware, often times called the formwatter, which crashes when
certain multivariable SNMP queries are executed. Upgrading the
formatter software involves replacing some hardware within the
printer and so this can not be trivially done.
SOLUTION
Ben reported this bug to HP and they believe that it is the same
bug that causes all HP 5m's to crash on certain multivariable
queries. They are in the process of preparing a JetDirect flash
upgrade that works around the bug in the formatter.