
Epson EventManager <= 2.50 Denial of Service

🗓️ 01 Jul 2014 00:00:00 | Reported by RootType | Source: seebug (www.seebug.org)

Epson EventManager <= 2.50 Denial of Service vulnerability in Windows

Code

#######################################################################

                             Luigi Auriemma

Application:  Epson EventManager
              http://www.epson.com
Versions:     <= 2.50
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Epson EventManager is a program that is launched when the computer
starts and listens on port 2968 ("Network Scan" is enabled by default).
It automates some actions of Epson scanners (like the scan&save
button) through the PushScan protocol.


#######################################################################

======
2) Bug
======


The secure strncpy function that copies the "x-protocol-version" string
into a 7-byte buffer can be forced to (auto)terminate the program if
the string is longer than that size and starts with "1.":

  0163967F  |> 53             PUSH EBX
  01639680  |. 8B5C24 24      MOV EBX,DWORD PTR SS:[ESP+24]
  01639684  |. 53             PUSH EBX
  01639685  |. 50             PUSH EAX
  01639686  |. E8 25F8FFFF    CALL epnsm.01638EB0   ; parse "x-protocol-version" string
  0163968B  |. 83C4 08        ADD ESP,8
  0163968E  |. 83F8 01        CMP EAX,1
  01639691  |. 0F85 FC000000  JNZ epnsm.01639793    ; version 1
  01639697  |. 8B4C24 2C      MOV ECX,DWORD PTR SS:[ESP+2C]
  0163969B  |. 8B5424 0C      MOV EDX,DWORD PTR SS:[ESP+C]
  0163969F  |. 6A 06          PUSH 6
  016396A1  |. 33C0           XOR EAX,EAX
  016396A3  |. 52             PUSH EDX
  016396A4  |. 8901           MOV DWORD PTR DS:[ECX],EAX
  016396A6  |. 51             PUSH ECX
  016396A7  |. 66:8941 04     MOV WORD PTR DS:[ECX+4],AX
  016396AB  |. E8 D0B5FFFF    CALL epnsm.01634C80   ; secure strncpy
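
An added example, not part of the original advisory and not Epson's code: a C routine that handles this field so an over-long value is rejected for that one request instead of reaching a copy routine that terminates the whole process. Only the 7-byte buffer size and the "1." prefix come from the advisory; the function, enum and sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VERSION_BUF_SIZE 7  /* buffer size stated in the advisory */

/* Hypothetical result codes for this example. */
enum ver_status { VER_OK = 0, VER_BAD_ARG = -1, VER_TOO_LONG = -2, VER_UNSUPPORTED = -3 };

/* Length of s, reading at most max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    const char *end = memchr(s, '\0', max);
    return end ? (size_t)(end - s) : max;
}

/*
 * Copy a client-supplied version string into a VERSION_BUF_SIZE buffer.
 * Length is checked first, so an over-long value yields an error code the
 * caller can use to drop that one request; the copy itself can never fail.
 */
enum ver_status copy_version(char *dst, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL)
        return VER_BAD_ARG;
    memset(dst, 0, VERSION_BUF_SIZE);           /* dst is always terminated */
    n = bounded_len(src, VERSION_BUF_SIZE);
    if (n >= VERSION_BUF_SIZE)                  /* no room for the NUL byte */
        return VER_TOO_LONG;
    if (strncmp(src, "1.", 2) != 0)             /* only the version 1 path */
        return VER_UNSUPPORTED;
    memcpy(dst, src, n);
    return VER_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory's PoC file. */
    const char *samples[] = { "1.0", "1.2345", "1.23456", "2.0" };
    char buf[VERSION_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], copy_version(buf, samples[i]));
    return 0;
}
```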


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/eeventmanager_1.dat
http://www.exploit-db.com/sploits/18602.dat

  nc SERVER 2968 < eeventmanager_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
