Attacker Value: Very Low (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2017-16249

Disclosure Date: November 10, 2017

Description

The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until eventually replying (~300 seconds) with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.

Technical Analysis

Debut makes an embedded http server which is likely on ‘dumb’ devices which need a web server for configuration such as Brother and HP printers. Exploitation is trivial, just send 40 characters of data in a POST request w/o authentication, and the service will crash. Since these devices are typically cheap and ‘dumb’, crashing the http server will most likely also cause the entire device to reboot, or require a watchdog service to restart the http server. Isn’t much to gain here though since you’re simply crashing a service. DoS printers, save trees?
However, of note, these devices may not include a firmware update mechanism, and may therefore be vulnerable for life, such as my Brother HL-L2380DW.

CVSS V3 Severity and Metrics

Base Score: 7.5 High
Impact Score: 3.6
Exploitability Score: 3.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

General Information

Vendors

  • brother

Products

  • dcp-j132w firmware