lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 24 Jan 2022 17:21:32 -0600
From: Mahmoud Al-Qudsi <>
To: "" <>
Subject: [FD] Xerox vulnerability allows unauthenticated remote users to
 remotely brick network printers

[+] Credits: Mahmoud Al-Qudsi
[+] Website:
[+] Source:
[+] Media: and

Xerox Corporation

Xerox Versalink printers, other Xerox printers/copiers.

[Vulnerability Type]
Remote denial-of-service leading to bricked device.

[Security Issue]
A specifically crafted TIFF payload may be submitted to the printer's job queue
(in person or over the network) by unauthenticated/unprivileged users or network
or internet attackers by means of a JavaScript payload. The device will panic
upon attempting to read the submitted file and a physical reboot will be
required. Upon reboot, the device will attempt to resume the last-printed job,
triggering the panic once more. The process repeats ad-infinitum.

Extract the TIFF contents of the base64-encode archive below and submit directly
to the job queue on a vulnerable printer to trigger the exploit:


[Network Access]
Local or remote

The sample payload may also be submitted to exploit a Xerox printer with a known
ip address or host name over the web by taking advantage of the unprotected HTTP
POST interface exposed by the device on its network interface.


The denial-of-service attack results in a semi-permanent "bricking" of the Xerox
printer. Recovery may be possible if there are unapplied firmware updates by
forcing an update over the network, which clears the job queue in the process.
Otherwise, manually clearing the non-volatile storage memory on the device's
mainboard is required to break out of the loop.

[Disclosure Timeline]
- September 26, 2019: Reported to Xerox
- January 14, 2020: Confirmed by Xerox in response to a request for updates
- January 25, 2022: Publicly disclosed, remains unpatched and exploitable


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists