Nmap 7.91 - Aggressive option (-A) print unwanted documents

[Grizzly2000]

Hi !! :)

Describe the bug
Aggressive option '-A' on printers produce unwanted print : binary blob with 'random1random2...'.
The printed payload 'random1random2...' is located here : "/usr/share/nmap/nselib/shortport.lua" line 261

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Expected behavior
Aggressive option '-A' on printers should not print. (like the version 7.80+dfsg1-2build1 of nmap)

Version info :

• Output of 'uname -a'

Linux hive 5.4.88-1-lts #1 SMP Sat, 09 Jan 2021 14:02:47 +0000 x86_64 GNU/Linux

• Output of nmap --version:

Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-1.1.1h libssh2-1.9.0 libz-1.2.11 libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debug output of nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:12 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
Initiating ARP Ping Scan at 17:12
Scanning X.X.X.34 [1 port]
Completed ARP Ping Scan at 17:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:12
Scanning X.X.X.34 [1 port]
Discovered open port 9100/tcp on X.X.X.34
Completed SYN Stealth Scan at 17:12, 0.09s elapsed (1 total ports)
Initiating Service scan at 17:12
Initiating OS detection (try #1) against X.X.X.34
NSE: Script scanning X.X.X.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72     i   e  U   r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4    /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d      9       0  
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02  , *            
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03                 
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02                     

NSOCK INFO [2.3680s] nsock_write(): Write request for 110 bytes to IOD #1 EID 19 [X.X.X.34:9100]
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | SEND
NSOCK INFO [2.3680s] nsock_read(): Read request from IOD #1 [X.X.X.34:9100] (timeout: 7000ms) EID 26
NSOCK INFO [9.3680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CLOSE
NSOCK INFO [9.3680s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [9.3680s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [9.3680s] nsock_connect_tcp(): TCP connection requested to X.X.X.34:9100 (IOD #2) EID 32
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba     S   O  ?G   
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 ,   `~    {    w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16     <= o  n  (  
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63      f     e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11  b a `          
00000050: 00 08 00 06 00 03 01 00                                 

NSOCK INFO [9.3710s] nsock_write(): Write request for 88 bytes to IOD #2 EID 43 [X.X.X.34:9100]
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | SEND
NSOCK INFO [9.3710s] nsock_read(): Read request from IOD #2 [X.X.X.34:9100] (timeout: 7000ms) EID 50
NSOCK INFO [16.3710s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 50 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CLOSE
NSOCK INFO [16.3710s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 17:13, 14.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Nmap scan report for X.X.X.34
Host is up, received arp-response (0.0022s latency).
Scanned at 2021-01-25 17:12:58 CET for 16s

PORT     STATE SERVICE    REASON         VERSION
9100/tcp open  jetdirect? syn-ack ttl 64 Excluded from version scan
MAC Address: 3C:2A:F4:35:4D:82 (Brother Industries)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/25%OT=9100%CT=%CU=37458%PV=Y%DS=1%DC=D%G=N%M=3C2AF4%
OS:TM=600EEE1A%P=x86_64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=10E%II=I%TS=A
OS:)OPS(O1=M5B4NW0NNSNNT11%O2=M578NW0NNSNNT11%O3=M280NW0NNT11%O4=M5B4NW0NNS
OS:NNT11%O5=M218NW0NNSNNT11%O6=M109NNSNNT11)WIN(W1=21F0%W2=2088%W3=2258%W4=
OS:21F0%W5=20C0%W6=209D)ECN(R=Y%DF=N%T=40%W=2238%O=M5B4NW0NNS%CC=N%Q=)T1(R=
OS:Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 2.974 days (since Fri Jan 22 17:50:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE
HOP RTT     ADDRESS
1   2.20 ms X.X.X.34

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
           Raw packets sent: 24 (1.850KB) | Rcvd: 16 (1.042KB)

Thank you for your tools!
Thank you in advance !

[dmiller-nmap]

Thanks for this report. Because of the risk of printing garbage data from our version detection probes, Nmap specifically excludes ports 9100-9107 from being probed with -sV. The data printed in your case is coming from further probing within the ssl-* NSE scripts, which attempt their own probes if -sV did not do so. I will correct this to check whether the port ought to be excluded from probing like this.