Nmap 7.91 - Aggressive option (-A) print unwanted documents

[Grizzly2000]

Hi !! :)

Describe the bug
Aggressive option '-A' on printers produce unwanted print : binary blob with 'random1random2...'.
The printed payload 'random1random2...' is located here : "/usr/share/nmap/nselib/shortport.lua" line 261

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Expected behavior
Aggressive option '-A' on printers should not print. (like the version 7.80+dfsg1-2build1 of nmap)

Version info :

• Output of 'uname -a'

Linux hive 5.4.88-1-lts #1 SMP Sat, 09 Jan 2021 14:02:47 +0000 x86_64 GNU/Linux

• Output of nmap --version:

Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-1.1.1h libssh2-1.9.0 libz-1.2.11 libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debug output of nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:12 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
Initiating ARP Ping Scan at 17:12
Scanning X.X.X.34 [1 port]
Completed ARP Ping Scan at 17:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:12
Scanning X.X.X.34 [1 port]
Discovered open port 9100/tcp on X.X.X.34
Completed SYN Stealth Scan at 17:12, 0.09s elapsed (1 total ports)
Initiating Service scan at 17:12
Initiating OS detection (try #1) against X.X.X.34
NSE: Script scanning X.X.X.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72     i   e  U   r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4    /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d      9       0  
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02  , *            
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03                 
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02                     

NSOCK INFO [2.3680s] nsock_write(): Write request for 110 bytes to IOD #1 EID 19 [X.X.X.34:9100]
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | SEND
NSOCK INFO [2.3680s] nsock_read(): Read request from IOD #1 [X.X.X.34:9100] (timeout: 7000ms) EID 26
NSOCK INFO [9.3680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CLOSE
NSOCK INFO [9.3680s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [9.3680s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [9.3680s] nsock_connect_tcp(): TCP connection requested to X.X.X.34:9100 (IOD #2) EID 32
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba     S   O  ?G   
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 ,   `~    {    w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16     <= o  n  (  
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63      f     e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11  b a `          
00000050: 00 08 00 06 00 03 01 00                                 

NSOCK INFO [9.3710s] nsock_write(): Write request for 88 bytes to IOD #2 EID 43 [X.X.X.34:9100]
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | SEND
NSOCK INFO [9.3710s] nsock_read(): Read request from IOD #2 [X.X.X.34:9100] (timeout: 7000ms) EID 50
NSOCK INFO [16.3710s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 50 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CLOSE
NSOCK INFO [16.3710s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 17:13, 14.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Nmap scan report for X.X.X.34
Host is up, received arp-response (0.0022s latency).
Scanned at 2021-01-25 17:12:58 CET for 16s

PORT     STATE SERVICE    REASON         VERSION
9100/tcp open  jetdirect? syn-ack ttl 64 Excluded from version scan
MAC Address: 3C:2A:F4:35:4D:82 (Brother Industries)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/25%OT=9100%CT=%CU=37458%PV=Y%DS=1%DC=D%G=N%M=3C2AF4%
OS:TM=600EEE1A%P=x86_64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=10E%II=I%TS=A
OS:)OPS(O1=M5B4NW0NNSNNT11%O2=M578NW0NNSNNT11%O3=M280NW0NNT11%O4=M5B4NW0NNS
OS:NNT11%O5=M218NW0NNSNNT11%O6=M109NNSNNT11)WIN(W1=21F0%W2=2088%W3=2258%W4=
OS:21F0%W5=20C0%W6=209D)ECN(R=Y%DF=N%T=40%W=2238%O=M5B4NW0NNS%CC=N%Q=)T1(R=
OS:Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 2.974 days (since Fri Jan 22 17:50:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE
HOP RTT     ADDRESS
1   2.20 ms X.X.X.34

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
           Raw packets sent: 24 (1.850KB) | Rcvd: 16 (1.042KB)

Thank you for your tools!
Thank you in advance !

[dmiller-nmap]

Thanks for this report. Because of the risk of printing garbage data from our version detection probes, Nmap specifically excludes ports 9100-9107 from being probed with -sV. The data printed in your case is coming from further probing within the ssl-* NSE scripts, which attempt their own probes if -sV did not do so. I will correct this to check whether the port ought to be excluded from probing like this.

[b1gy7]

Well i have the same problem as of nmap version 7.94SVN. When i scan printers with the -A option i get the same behaviour as described above . (The printer starts printing about 70 or more Pages with binary and http data on it). I fixed it temporarly by not using the -A option.

[b1gy7]

I found out that this bug does not have anything in common with the options used in the nmap command . This behaviour happens when Nmap Scans the RAW-Ports of a printer (Vendor specific , in my case 9100-9109 and/or 9112-9116 ) If you exclude those ports the behaviour will not get triggered. This happens because of the functionality and the initial design of those ports. If they are not secured / filtered they will print anything you send to that/those specific port/s. (For example netcatting a Postscript with a simple "Hello World" output in it). It will be very usefull if nmap could check this scenario before targetting those ports. Doesn't make any sense to scan those ports if anything send to those specific ports gets printed out or If I may be wrong I'll glady accept a better explanation of why that should be the case .