ID: CVE-2004-2166 | Type: cve | Reporter: cve@mitre.org | Modified: 2017-07-11T01:31:00
Description
The print-from-email feature in the Canon ImageRUNNER (iR) 5000i and C3200 digital printers, when IP address range filtering is not in use, allows remote attackers to print arbitrary text without authentication by sending a text/plain email to TCP port 25.
{"nessus": [{"lastseen": "2019-11-01T02:15:02", "bulletinFamily": "scanner", "description": "The remote host seems to be a Canon ImageRUNNER printer, which runs a\nSMTP service.\n\nIt is possible to send an email to the SMTP service and have it\nprinted out. An attacker may use this flaw to send an endless stream\nof emails to the remote device and cause a denial of service by using\nall of the print paper.", "modified": "2019-11-02T00:00:00", "id": "CANON_PRINT_BY_SMTP.NASL", "href": "https://www.tenable.com/plugins/nessus/14819", "published": "2004-09-24T00:00:00", "title": "Canon ImageRUNNER SMTP Arbitrary Content Printing", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# A big thanks to Andrew Daviel\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(14819);\n script_version (\"1.21\");\n script_cve_id(\"CVE-1999-0564\", \"CVE-2004-2166\");\n script_bugtraq_id(11247);\n\n script_name(english:\"Canon ImageRUNNER SMTP Arbitrary Content Printing\");\n script_summary(english:\"Determines if the remote host is a Canon ImageRUNNER Printer\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote printer has a denial of service vulnerability.\"\n );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host seems to be a Canon ImageRUNNER printer, which runs a\nSMTP service.\n\nIt is possible to send an email to the SMTP service and have it\nprinted out. 
An attacker may use this flaw to send an endless stream\nof emails to the remote device and cause a denial of service by using\nall of the print paper.\" );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2004/Sep/322\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Disable the email printing service via the device's web interface.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:ND/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/09/24\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/09/23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n \n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n \n script_dependencie(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"smtp_func.inc\");\n\n\nport = get_kb_item(\"Services/smtp\");\nif(!port)port = 25;\n\nsoc = open_sock_tcp(port);\nif ( ! soc ) exit(0);\n\nbanner = smtp_recv_line(socket:soc);\nif ( ! banner ) exit(0);\n\nif ( !ereg(pattern:\"^220 .* SMTP Ready.$\", string:banner ) ) exit(0);\nsend(socket:soc, data:'EHLO there\\r\\n');\nr = smtp_recv_line(socket:soc);\nif ( ! ereg(pattern:\"^550 Command unrecognized\", string:banner) ) exit(0);\nsend(socket:soc, data:'HELO there\\r\\n');\nr = smtp_recv_line(socket:soc);\nif ( ! ereg(pattern:\"^250 . 
Hello there \\[[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\\] please to meet you\\.\", string:banner) ) exit(0);\n\nsend(socket:soc, data:'RCPT TO: nessus\\r\\n');\nr = smtp_recv_line(socket:soc);\nif ( ! ereg(pattern:\"^503 need MAIL From: first\\.\", string:r) ) exit(0);\n\nsend(socket:soc, data:'MAIL FROM: nessus\\r\\n');\nr = smtp_recv_line(socket:soc);\nif ( ! ereg(pattern:\"^250 nessus\\.\\.\\. Sender Ok\", string:r) ) exit(0);\nsend(socket:soc, data:'RCPT TO: nessus\\r\\n');\nr = smtp_recv_line(socket:soc);\nif ( ! ereg(pattern:\"^250 nessus\\.\\.\\. Receiver Ok\", string:r) ) exit(0);\n\nsecurity_warning(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:04", "bulletinFamily": "software", "description": "## Vulnerability Description\nPrinter allows unauthenticated users to print documents via multiple methods.\n## Short Description\nPrinter allows unauthenticated users to print documents via multiple methods.\n## References:\n[Secunia Advisory ID:12659](https://secuniaresearch.flexerasoftware.com/advisories/12659/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0320.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0307.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0386.html\nISS X-Force ID: 17512\n[CVE-1999-0564](https://vulners.com/cve/CVE-1999-0564)\n[CVE-2004-2166](https://vulners.com/cve/CVE-2004-2166)\n", "modified": "1999-06-07T00:00:00", "published": "1999-06-07T00:00:00", "id": "OSVDB:9346", "href": "https://vulners.com/osvdb/OSVDB:9346", "title": "Printer Allows Unauthenticated Printing", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}