lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <B14D9D9B-C559-46F7-B054-187D2AD93659@gmail.com> Date: Tue, 11 Nov 2014 15:28:36 +0100 From: Jim Bauwens <jimbauwens@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Lantronix xPrintServer Code execution and CSRF vulnerability Hi, The Lantronix xPrintServer is a small Linux powered print server for iOS. Main configuration happens through a web interface. The problem is that the configuration happens through some ‘RPC’ interface; the web interfaces uses AJAX requests to talk to a CGI script that simply executes shell commands given to it. Take a look at the following screenshot: http://i.imgur.com/gjbZhXZ.png So.. that’s not really so secure. Launching a request to http://myip/ips?OP=rpc&c=whoami&a=0 tells me that everything is running as root. To make matters worse: - The CGI script is accessible without needing to use credentials - The devices uses bonjour that by defaults registers itself as xprintserver.local in the local network - The device has no CSRF protection Example code that allows any website to fetch the Linux version. <script src="http://xprintserver.local/ips?OP=rpc&c=echo%20var%20version=%27%22%27%20$(uname%20-a)%27%22%27&a=0”></script> This vulnerability is not reported to the vendor yet (because I need to register talk to their support). Greetings, Jim _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists