Years ago, AirPrint worked in my house on my current printer.

Wireless suppliers have a history of changing the actual hardware (the electronics design and chip), but keeping the model numbers the same and adding a revision level on the box and/or the device.

epi_ttcp is being called by the usr/sbin/httpd without checking/validating the parameters being passed.

    "epi_ttcp -tsufm -l %s -n %s %s &", ttcp_size, ttcp_num, ttcp_ip

So it's a similar issue as what was disclosed in May 2013, but instead of exploiting a problem with the ping test part of the code it's in the ttcp section in the Start_epi function inside httpd.

One important update: This affects other Linksys routers as well.

The user agent is randomised; we can see how quickly (actually not that fast) it scanned through a small range of IPs here:

    75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 301 185 " "Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1"
    75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 404 247 " "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7"
    75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 301 185 " "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
    75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 404 247 " "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) Apple Web Kit/xxx.x (KHTML like Gecko) Safari/12x.x"

I wonder if the port for stage2 is always 193?

For example, we do have some routers connecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4).

Finally our honeypot did capture something that looks like it is responsible for the scanning activity we see. The initial request, as discussed earlier, is:

    POST /[withheld] HTTP/1.1
    Host: [ip of honeypot]:8080
    User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_Power PC)
    Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: of honeypot]:8080/
    Authorization: Basic YWRta W46Jmkx Kk BVJDZ4dm NH

So it looks like it will try to download a "second stage" from port 193 from the attacking router.

L26" file appears to be a lock file to prevent multiple exploitation.

From one source I get Connection Refused, from another I get Connection Timed Out although both their port 80's are still reachable.

I believe it's only for fingerprinting the model.

From what I've seen, it's using the username "admin" and a randomly generated password, not password "admin".

However, there is a way to circumvent the authentication requirement completely (password does not matter) and that's what this worm is exploiting.

The worm does use a CGI script that doesn't check credentials (authentication bypass) so the authentication header doesn't really matter.

Then a year or two ago, I installed DD-WRT on my Linksys WRT160N router.

I installed it so I could add a guest wireless network, but I probably shouldn't have, because the technical specifics of networking that I see everywhere on the DD-WRT site and forums are mostly over my head.