lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAEFKJBBCIPAKCGNHICFGELGDDAA.pkr@csis.dk>
Date: Tue, 20 Jul 2004 22:46:56 +0200
From: "Peter Kruse" <pkr@...s.dk>
To: <bugtraq@...urityfocus.com>
Subject: Denial of Service vulnerability in several Lexmark HTTP servers


Denial of Service vulnerability in several Lexmark HTTP servers.

Several Lexmark network printers is shipped with a build-in HTTP server for
administrative tasks. The webserver software is vulnerable to a Denial of
Service attack that will force the webserver to restart and/or stop taking
requests.

The vulnerability has been discovered during a security audit and was
positively identified in model T522 (others models are affected by this
issue as well). As far as we know many Dell network printers also uses this
webserver software and are therefore likely to be vulnerable.

The Server does not handle long HOST arguments in the HTTP Header correctly
and therefore causes the server to crash.

We recommend that Lexmark ASAP updates their firmware in order to fix this
issue. However, we have not been able to get in contact with Lexmark. They
have choosen not to reply on our e-mails.

This issue can be reproduced by sending a large buffer (1024 characters) in
the HTTP host request, eg. GET / HTTP/1.0\r\n /Host:AAAAAA[1024].

Kind regards
Peter Kruse
http://www.csis.dk



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ