============================================================================ Foofus.net Security Advisory: foofus-20111107 ============================================================================ Title: Lexmark Multifunction Printer Information exposure Version: X656de Vendor: Lexmark Release Date: 08/05/2011 ============================================================================ 1. Summary: Lexmark multifunction printer device found to be vulnerable to an information leakage vulnerability. ============================================================================ 2. Description: Passwords can be extracted in plan text from the settings export file. http://hostname-IP_Address/cgi-bin/exportfile/printer/config/secure/settingfile.ucf ============================================================================ 3. Impact: Exploiting this allows an adversary to extract passwords that can be used to gain access to other critical systems. ============================================================================ 4. Affected Products: Lexmark X656de multifunction printer (Kernel=FPR.APS.F184-0, Base=LR.MN.P224a-0) Other Lexmark and Dell branded Multifunction printers may also be vulnerable ============================================================================ 5. Solution: Insure that a complex password is set on printer. ============================================================================ 6) Time Table: 08/05/2011 Vulnerability Disclosed. 11/07/2011 Publishes Advisory ============================================================================ 7) Credits: Discovered by Deral Heiland PercX ============================================================================ 8. Reference: http://www.foofus.net/?page_id=483 http://www.foofus.net http://praeda.foofus.net ============================================================================ The Foofus.Net team is an assortment of security professionals located through out the United States. http://www.foofus.net Follow percX on Twitter @Percent_X ============================================================================