exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Xerox WorkCentre 5665/5675/5687 Backdoor

Xerox WorkCentre 5665/5675/5687 Backdoor
Posted Feb 23, 2010
Authored by Daniel Fabian | Site sec-consult.com

Xerox WorkCentre versions 5665, 5675, and 5687 suffers from backdoor and authentication vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 5f40de32a9dd28a731693198b0787cdbd7dff2200019016edc179dd16ce2dbae

Xerox WorkCentre 5665/5675/5687 Backdoor

Change Mirror Download
SEC Consult Security Advisory < 20100208-0 >
=======================================================================
title: Backdoor and Vulnerabilities in Xerox
WorkCentre Printers Web Interface
products: Xerox WorkCentre 5665/5675/5687
vulnerable version: 21.120.39.000 and possibly others
fixed version: http://www.xerox.com/information-security/enus.html
impact: critical
homepage: http://www.xerox.com/
found: 2009-10-05
by: D. Fabian / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------
WorkCentre 5665 / 5675 / 5687
High-speed performance, outstanding productivity and advanced
multifunction capabilities. These are the essentials of the all-in-one
offce powerhouse that easily handles the high-volume print demands of
large, busy workgroups. And with robust copying, scanning, faxing and a
host of innovative Xerox technologies, you get a total workfow solution
that excels at streamlining your unique job processes.


Vulnerability 1: Backdoor to Mailboxes
--------------------------------------
For some reasons, Xerox decided to integrate a backdoor into the scan
system of the WorkCentre 5665 / 5675 / 5678 web interface. Scan folders
("mailboxes") can be protected with a password. The documentation says
on folder passwords:

"A folder password may or may not be required depending on the Scan
Policies set by the administrator. If a password is required to create
a folder, type the password here. If no password is required by the
Scan Policies, you can optionally choose whether or not to password
protect your folder."

Some files require a job password. If someone tries to access a private
folder without logging in previously, this does not work since a cookie
is compared to a precomputed checksum. However there is a script named
"YoUgoT_It.php" that creates the correct checksum for any folder. By
simply calling the script with the folder name as argument, an attacker
can access any folder.

Here is the relevant code from the file folder.php that allows access,
if the checksum is correct:

/* see if the private folder is trying to be accessed, without
logging in previously; this can be done by checking to see if
the cookie matches the computed "checksum" */

if ( $gFolderName === $_SESSION['MBOX_FOLDER'] )
{
// continue on as this is okay
}
elseif (( false === isset( $_COOKIE[$gFolderName] )) ||
( $theChecksum !== $_COOKIE[$gFolderName] ))
{
header( "Location: /mailbox/pin.php?" . NAME_KEY .
"=" . $gFolderName ); exit;
}


Vulnerability 2: Authentication not validated
---------------------------------------------
In multiple instances, when a password is required to access certain
pages, the developers seemed to forget the vital "die()" or "exit()"
statement after the redirect. This allows an attacker access to
multiple pages that would require authentication.

Here are a couple of examples:
/diagnostics/authenticationQuery.php:

if ( "" === $gUserName )
{
header( "Location: /properties/authentication/login.php?redir=" .
$_SERVER['SCRIPT_NAME'] );
}
elseif ( false === $gSaLoggedIn )
{
header( "Location: /properties/no_modify.php" );
}

/php_includes/sa_check.php: This script seems to check whether the
currently logged in user is an administrative user

if ( "" === $gUserName )
{
header( "Location: /properties/authentication/login.php?redir=" .
$_SERVER['REQUEST_URI'] );
}
elseif (( false === $gSaLoggedIn ) &&
( "" !== $gUserName ))
{
header( "Location: /properties/no_modify.php" );
exit;
}

As you can see from the code, if the user is logged in, but not an
administrator, he is correctly denied access. However if the
user is not logged in at all, only a Location-header is sent,
but the rest of the script can continue to run.

The very same vulnerability can be found in many cases. In some cases,
the authentication is also only in the page that provides only the
frameset. The actual content-pages can be called without any
authentication at all.


Vulnerable versions:
--------------------
The vulnerabilities were discovered in version 21.120.39.000. It is
likely that other versions are affected also.


Vendor contact timeline:
------------------------
2009-10-06: Contacting the Xerox Security Team via Email


Solution:
---------
http://www.xerox.com/information-security/enus.html
http://www.xerox.com/downloads/usa/en/c/cert_XRX10-002_v1.0.pdf

Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a65


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF D. Fabian / @2009

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close