Full Disclosure mailing list archives
Xerox Phaser 6700 - Remote Root-Exploits utilizing Clone Files
From: Raphael Ernst <raphael.ernst () fkie fraunhofer de>
Date: Wed, 27 Apr 2016 15:08:32 +0200
Document Title: =============== Xerox Phaser 6700 - Remote Root-Exploits utilizing Clone Files References (Source): ==================== - http://www.fkie.fraunhofer.de/de/forschungsbereiche/cyber-analysis-and-defense/vulnerability-disclosure.html - https://www.rapid7.com/db/modules/exploit/unix/misc/xerox_mfp - http://h.foofus.net/~percX/Xerox_hack.pdf Release Date: ============= 2016-04-27 Product & Service Introduction: =============================== The Xerox Phaser 6700 is an office printer. http://www.office.xerox.com/printers/color-printers/phaser-6700/spec-enus.html Vulnerability Disclosure Timeline: ================================== 2016-03-24: Notification and information exchange with Xerox. 2016-03-29: Verified issue for firmware 081.140.106.01300 as requested by Xerox and notified Xerox. 2016-04-27: Public Disclosure. Discovery Status: ================= Published Affected Product(s): ==================== Xerox Phaser 6700: - 081.140.103.22600 - 081.140.104.17600 - 081.140.105.00700 - 081.140.105.20400 - 081.140.106.01300 Exploitation Technique: ======================= - Remote: Xerox provides a clone feature to transfer printer settings. It is possible to run arbitrary code in these clone files. - Remote: The clone file upload page does not check the login credentials. - Local: The firmware is located on an easily accessible SD-card. It is possible to change the Linux based firmware. Solution - Fix & Patch: ======================= - Disable update and clone features. - Restrict admin access. Credits & Authors: ================== Fraunhofer FKIE: Raphael Ernst, Peter Weidenbach _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Xerox Phaser 6700 - Remote Root-Exploits utilizing Clone Files Raphael Ernst (Apr 27)