cbcvebase.
CVE-2017-16249
published 2017-11-10

CVE-2017-16249: The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until…

PriorityP265high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EXPLOIT
EPSS
59.39%
99.0th percentile
The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until eventually replying (~300 seconds) with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.

Affected

1 ranges
VendorProductVersion rangeFixed in
brotherdcp-j132w_firmware<= 1.20

Detection & IOCsextracted from sources · hover to see the quote

versionDebut embedded httpd <= 1.20
  • Detect malformed HTTP POST requests to Brother printer web interfaces where the Content-Length header value does not match the actual body length and the body contains no valid form-encoded key=value pairs (e.g., raw garbage after headers). This mismatch is the trigger for the ~300-second hang and HTTP 500 response.
  • Alert on repeated HTTP POST requests to port 80 (or configured web port) of Brother printers running Debut HTTPd, especially when the server becomes unresponsive for extended periods (~300 seconds). Continuous looping connections from a single source IP are indicative of active exploitation.
  • The exploit payload uses a declared Content-Length: 42 but the body ('asdasdasdasdasdasdasd') does not satisfy a valid URL-encoded form body. Detect HTTP POST requests to Brother printer IPs where Content-Type is application/x-www-form-urlencoded but the body contains no '=' character (invalid form encoding).
  • The Metasploit auxiliary module auxiliary/dos/http/brother_debut_dos can be used to test for this vulnerability. Monitor for its use in network traffic against Brother printer HTTP services.
  • ·No patch exists for this vulnerability. Mitigation relies entirely on network-level controls. Devices left exposed on routable networks remain permanently vulnerable.
  • ·The DoS condition is temporary (~300 seconds) after which the printer recovers automatically. Sustained denial of service requires the attacker to continuously resend the malformed request.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.