CVE-2017-16249
Published: 2017-11-10
Priority: P265, high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 59.39% (99.0th percentile)
The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until eventually replying (~300 seconds) with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brother | dcp-j132w_firmware | <= 1.20 | — |
Detection & IOCs (extracted from sources)
- Detect malformed HTTP POST requests to Brother printer web interfaces where the Content-Length header value does not match the actual body length and the body contains no valid form-encoded key=value pairs (e.g., raw garbage after headers). This mismatch is the trigger for the ~300-second hang and HTTP 500 response.
- Alert on repeated HTTP POST requests to port 80 (or configured web port) of Brother printers running Debut HTTPd, especially when the server becomes unresponsive for extended periods (~300 seconds). Continuous looping connections from a single source IP are indicative of active exploitation.
- The exploit payload uses a declared Content-Length: 42 but the body ('asdasdasdasdasdasdasd') does not satisfy a valid URL-encoded form body. Detect HTTP POST requests to Brother printer IPs where Content-Type is application/x-www-form-urlencoded but the body contains no '=' character (invalid form encoding).
- The Metasploit auxiliary module auxiliary/dos/http/brother_debut_dos can be used to test for this vulnerability. Monitor for its use in network traffic against Brother printer HTTP services.
- No patch exists for this vulnerability. Mitigation relies entirely on network-level controls. Devices left exposed on routable networks remain permanently vulnerable.
- The DoS condition is temporary (~300 seconds) after which the printer recovers automatically. Sustained denial of service requires the attacker to continuously resend the malformed request.
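The request-level checks and the repeated-source check listed above, as an added example that is not taken from the advisories or the Metasploit module. It assumes reassembled request bytes from a proxy or packet capture; the function names, finding labels, path `/` and sample requests with documentation IP addresses are constructed for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # approximate hang duration stated on the page

# Constructed samples; header values and body follow the indicators listed above.
MALFORMED = (b"POST / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 42\r\n\r\nasdasdasdasdasdasdasd")
WELL_FORMED = (b"POST / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 11\r\n\r\nuser=admin1")

def inspect_post(raw):
    """Return the indicators a fully reassembled HTTP request matches (empty list = none)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if not sep or len(parts) != 3 or parts[0].upper() != "POST":
        return []  # not a complete POST request, out of scope here
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    findings = []
    declared = headers.get("content-length", "")
    # Indicator 1: declared length disagrees with the bytes actually sent.
    if declared.isdigit() and int(declared) != len(body):
        findings.append("content-length-mismatch")
    # Indicator 2: form content type, but the body holds no key=value pair.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded" and body and b"=" not in body:
        findings.append("form-body-without-key-value")
    return findings

def sustained_sources(events, min_hits=2):
    """events: (epoch_seconds, src_ip, raw_request) tuples. Return the source IPs
    with at least min_hits flagged requests inside one WINDOW_SECONDS span."""
    hits = defaultdict(list)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        if inspect_post(raw):
            hits[src].append(ts)
    flagged = set()
    for src, times in hits.items():
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= WINDOW_SECONDS:
                flagged.add(src)
                break
    return flagged
```

A length mismatch alone also appears when a capture truncates the body, so the two indicators are reported separately and are best alerted on together.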
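CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |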
No detection rules found.
Exploit-DB
Debut Embedded HTTPd 1.20 - Denial of Service
exploitdb · 2017-11-02 · CVSS 7.5
---
# Exploit Title: Remote un-authenticated DoS in Debut embedded httpd server in Brother printers
# Date: 11/02/2017
# Exploit Author: z00n (@0xz00n)
# Vendor Homepage: http://www.brother-usa.com
# Version: <= 1.20
# CVE : CVE-2017-16249
#
#Description:
#The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until eventually replying with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.
#
#Remediation Steps:
#No patch currently exists for this issue. To limit e
Metasploit
Brother Debut http Denial Of Service
metasploit
The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial of Service (DoS) condition via a crafted HTTP request. The printer will be unresponsive to HTTP and printing requests for ~300 seconds, after which it will start responding again.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/144908/Debut-Embedded-httpd-1.20-Denial-Of-Service.html
- https://www.exploit-db.com/exploits/43119/
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-017/?fid=10211
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Denial-of-Service-Vulnerability-in-Brother-Printers/?page=1&year=0&month=0&LangType=1033