Epson EventManager <= 2.50 Denial of Service



EKU-ID: 1672 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-03-15 Verified: Verified


#######################################################################
                             Luigi Auriemma
Application:  Epson EventManager
              http://www.epson.com
Versions:     <= 2.50
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Epson EventManager is a program that is started at boot and listens on
TCP port 2968 ("Network Scan" is enabled by default). It automates some
actions of Epson scanners (such as the scan&save button) through the
PushScan protocol.
#######################################################################
======
2) Bug
======
The "secure" strncpy that copies the "x-protocol-version" string into a
7-byte buffer can be forced to terminate the program: copy functions of
this kind do not silently truncate an over-long source but invoke the
invalid-parameter handler, whose default action is to abort the process.
The copy is reached only when the parsed version is 1, so the string must
start with "1." and be longer than the buffer:
  0163967F  |> 53             PUSH EBX
  01639680  |. 8B5C24 24      MOV EBX,DWORD PTR SS:[ESP+24]
  01639684  |. 53             PUSH EBX
  01639685  |. 50             PUSH EAX
  01639686  |. E8 25F8FFFF    CALL epnsm.01638EB0   ; parse "x-protocol-version" string
  0163968B  |. 83C4 08        ADD ESP,8
  0163968E  |. 83F8 01        CMP EAX,1
  01639691  |. 0F85 FC000000  JNZ epnsm.01639793    ; version 1
  01639697  |. 8B4C24 2C      MOV ECX,DWORD PTR SS:[ESP+2C]
  0163969B  |. 8B5424 0C      MOV EDX,DWORD PTR SS:[ESP+C]
  0163969F  |. 6A 06          PUSH 6
  016396A1  |. 33C0           XOR EAX,EAX
  016396A3  |. 52             PUSH EDX
  016396A4  |. 8901           MOV DWORD PTR DS:[ECX],EAX
  016396A6  |. 51             PUSH ECX
  016396A7  |. 66:8941 04     MOV WORD PTR DS:[ECX+4],AX
  016396AB  |. E8 D0B5FFFF    CALL epnsm.01634C80   ; secure strncpy
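The following is an added example, not the advisory's PoC and not Epson's code: a C model of the abort-on-error copy pattern described above, with the vulnerable flow beside a hardened one that validates the length before the copy. The 7-byte buffer follows the advisory; the function names, the single-size signature of the modelled copy (the listing passes a separate count of 6), the handler that counts events instead of aborting, and the header values are assumptions made for the example.

```c
/*
 * Added example (assumed names and layout): model of the secure-CRT style
 * copy that aborts on an over-long source, next to a hardened caller.
 * The handler only counts calls; the real default handler terminates the
 * process, which is the denial of service.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VERSION_BUF 7  /* the advisory describes a 7-byte destination */

/* Stand-in for the CRT invalid-parameter handler (real one aborts). */
static int invalid_param_calls = 0;
static void invalid_parameter_handler(const char *func)
{
    invalid_param_calls++;
    fprintf(stderr, "%s: invalid parameter (real handler would abort)\n", func);
}

/* Length of s, capped at max (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Model of a "secure" bounded copy: unlike strncpy, a source that does
 * not fit (characters plus terminator) is an error, not a truncation.
 * Returns 0 on success, 1 after calling the handler. */
static int secure_strncpy(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0) {
        invalid_parameter_handler("secure_strncpy");
        return 1;
    }
    size_t n = bounded_len(src, dstsize);
    if (n >= dstsize) {
        dst[0] = '\0';
        invalid_parameter_handler("secure_strncpy");
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Model of the version parser in the listing: 1 for a "1.x" string. */
static int parse_protocol_version(const char *s)
{
    return (s != NULL && strncmp(s, "1.", 2) == 0) ? 1 : 0;
}

/* Vulnerable flow: the attacker-controlled header goes straight into the
 * abort-on-error copy, so an over-long "1.xxxxxx" value kills the service.
 * Returns 1 if copied, 0 if the version is not 1, -1 on copy error. */
int handle_version_vulnerable(const char *hdr, char out[VERSION_BUF])
{
    if (parse_protocol_version(hdr) != 1)
        return 0;
    memset(out, 0, VERSION_BUF);
    return secure_strncpy(out, VERSION_BUF, hdr) == 0 ? 1 : -1;
}

/* Hardened flow: check the length against the buffer first and reject
 * the request as malformed, so untrusted input never reaches the copy's
 * error path (and therefore never reaches the handler). */
int handle_version_hardened(const char *hdr, char out[VERSION_BUF])
{
    if (parse_protocol_version(hdr) != 1)
        return 0;
    if (bounded_len(hdr, VERSION_BUF) >= VERSION_BUF)
        return -1;  /* reject, do not copy */
    memset(out, 0, VERSION_BUF);
    return secure_strncpy(out, VERSION_BUF, hdr) == 0 ? 1 : -1;
}

int invalid_parameter_count(void) { return invalid_param_calls; }

int main(void)
{
    char buf[VERSION_BUF];
    /* Constructed header values, not taken from the PoC file. */
    const char *ok = "1.0";
    const char *bad = "1.0000000";

    printf("vulnerable/ok  -> %d (handler calls %d)\n",
           handle_version_vulnerable(ok, buf), invalid_parameter_count());
    printf("vulnerable/bad -> %d (handler calls %d)\n",
           handle_version_vulnerable(bad, buf), invalid_parameter_count());
    printf("hardened/bad   -> %d (handler calls %d)\n",
           handle_version_hardened(bad, buf), invalid_parameter_count());
    return 0;
}
```

The point of the hardened variant is not a different copy routine but ordering: the length of untrusted input is checked against the destination before any function that treats "does not fit" as a fatal error is called, so a malformed request is dropped instead of taking the process down.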
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/eeventmanager_1.dat
http://www.exploit-db.com/sploits/18602.dat
Send the PoC file to the target's PushScan port:
  nc SERVER 2968 < eeventmanager_1.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################