exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PrinterOn Enterprise 4.1.4 Arbitrary File Deletion

PrinterOn Enterprise 4.1.4 Arbitrary File Deletion
Posted Dec 12, 2018
Authored by bzyo

PrinterOn Enterprise version 4.1.4 suffers from an arbitrary file deletion vulnerability.

tags | exploit, arbitrary
advisories | CVE-2018-19936
SHA-256 | 03bd58d699a1641571b06266f49cf4355cadc56b6f6b93031bbb8cfa2f7b8a44

PrinterOn Enterprise 4.1.4 Arbitrary File Deletion

Change Mirror Download
# Exploit Author: bzyo
# CVE: CVE-2018-19936
# Twitter: @bzyo_
# Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
# Date: 12-07-18
# Vulnerable Software: PrinterOn Enterprise 4.1.4
# Vendor Homepage: https://www.printeron.com/
# Version: 4.1.4


Tested On
---------------------------------------------------------------------
PrinterOn Enterprise 4.1.4
Windows 2012 R2 Datacenter
Software running under User Account: PONservice (part of local administrators group)

Software Notes
---------------------------------------------------------------------
Per the PrinterOn Enterprise 4.1.4 Installation Guide on Page 10, a local administrator account is required to run the software.

On a default installation, the Post Print Option is to aDelete From Storea. Meaning, if you upload a file to print, this file is deleted immediately after it is printed.

When printing as a Guest or Authenticated user, you have the choice of either uploading a file to be printed or entering a Web Page. The file type you upload or supply via URI needs to be supported by the application in order for it to process and print. Per page 11 of the installation guide, under Recommended Software, itas advised to install an application such as Microsoft Word to print .docx documents. There is also some additional configuration needed to be able to print specific file types otherwise you receive an error such as aThis type of file cannot be processed by your servicea.

Vulnerability
---------------------------------------------------------------------
When either printing as a Guest (when enabled) or as an Authenticated user via the CPS URL https://<hostname or ip>/cps, the user printing has the ability to delete any file on the host system that isnat currently in use by the system itself. The field to enter a web page does not properly check the URI being entered, as such the user can enter a system file path and delete a file on the system.

Exploit
---------------------------------------------------------------------
Login as either Guest or an Authenticated user to print
https://<hostname or ip>/cps
Choose any printer
Entering a system path to a file in the web page field
Examples:
C:\Users\Administrator\Desktop\DoNotDelete.txt
C:\Program Files (x86)\PrinterOn Corporation\Apache Tomcat\Conf\web.xml
Send the print job, an error will show
Check system, file is deleted

Impact
---------------------------------------------------------------------
By deleting specific files the application, and possibly the host system, can become unusable.

Timeline
---------------------------------------------------------------------
10-22-18: Vendor notified of vulnerability
10-22-18: Initial response from vendor
10-23-18: PoC submitted
10-25-18: Vendor to pass along to Product team
11-??-18: New version released
12-03-18: Tested and Confirmed with vendor vulnerability fixed in update
12-07-18: Submitted public disclosure

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close