White Wolf Labs #080826-1: Kyocera Mita Scanner File Utility (Multiple)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: White Wolf Labs #080826-1: Kyocera Mita Scanner File Utility (Multiple)
From: Seth Fogie <seth@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 26 Aug 2008 14:05:20 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)

White Wolf Labs #080826-1:
Kyocera Mita Scanner File Utility (Multiple)

Product: Kyocera Mita Scanner File Utility 3.3.0.1

Platform: NA

Requirements: NA

Credits:

    Seth Fogie
    White Wolf Security
    http://www.whitewolfsecurity.com
    August 26, 2008

Risk Level:

High - Unauthorized document upload / File redirection / Uploadingof binaries / Overwriting of existing files

Summary:

Kyocera Mita multifunction devices come with the ability to scan tothe user's desktop. Part of the solution requires a listener at thePC/Mac, which handles authorization and document upload. This listenerhas several logic bugs and, as a result, the authorization can bebypassed, files can be uploaded, auditing can be spoofed, and thestorage location can be altered from the configured value.

Details:

Unauthorized document upload - The listener works in conjunctionwith the multifunction device to authorize the user. If an attackerconnects direct to the listener with a custom program, all authorizationcan be bypassed. This provides an attacker with the ability to directlyupload a file to the target's computer.

File Redirection - During the transfer process, the file name isprovided to the listener. This name can be altered to include "../",which causes the listener to break out of the specified file storagelocation and allows an attacker to upload a file anywhere on the targetsystem.

Upload any file type - There are no checks in the listener tovalidate the content of the uploaded file. As a result, an attacker canupload any file type with any file name. When combined with the otherbugs, this give the attacker the ability to overwrite existing files, orwrite a binary into the Startup Folder.

More details are located at:
http://www.informit.com/guides/content.aspx?g=security&seqNum=320
http://www.informit.com/guides/content.aspx?g=security&seqNum=321

MetaSploit module is located at:http://www.whitewolfsecurity.com/security/metasploit/fileutility.txt

Workaround: Uninstall the software from the PC/Mac.

Vendor Response: Vendor has released an update that fixes only the fileredirection issue.

Copyright © 2008 White Wolf Security

Permission is granted for the redistribution of this alertelectronically. It may not be edited in any way without the expresswritten consent of White Wolf Security. If you wish to reprint thewhole, or any part, of this alert in any other medium other thanelectronically, please contact White Wolf Security for permission.

Disclaimer: The information in this advisory is believed to be accurateat the time of publishing, based on currently available information. Useof the information constitutes acceptance for use on an AS IS condition.There are no warranties with regard to this information. Neither theauthor nor the publisher accepts any liability for any direct, indirect,or consequential loss or damage arising from use of, or reliance on,this information.

Prev by Date: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service
Next by Date: PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept .30/ Oct. 1)
Previous by thread: Multiple Vulnerabilities in AWStats Totals
Next by thread: PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept .30/ Oct. 1)
Index(es):
- Date
- Thread