lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 May 2022 08:03:00 +0000
From: "SEC Consult Vulnerability Lab,
 Research via Fulldisclosure" <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20220512-0 :: Sandbox Escape with Root Access &
 Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals

SEC Consult Vulnerability Lab Security Advisory < 20220512-0 >
=======================================================================
               title: Sandbox Escape with Root Access & Clear-text passwords
             product: Multiple Konica Minolta bizhub MFP Printer Terminals
  vulnerable version: see vulnerable / tested versions below
       fixed version: see solution section below
          CVE number: CVE-2022-29586, CVE-2022-29587, CVE-2022-29588
              impact: critical
            homepage: https://www.konicaminolta.com
               found: 2019-11-25
                  by: Werner Schober (Office Vienna)
                      Johannes Kruchem (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Konica Minolta is a Japanese multinational technology company headquartered
in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The
company manufactures business and industrial imaging products, including
copiers, laser printers, multi-functional peripherals (MFPs) and digital
print systems for the production printing market. Konica Minolta's Managed
Print Service (MPS) is called Optimised Print Services. The company also
makes optical devices, including lenses and LCD film; medical and graphic
imaging products, such as X-ray image processing systems, colour proofing
systems, and X-ray film; photometers, 3-D digitizers, and other sensing
products; and textile printers."

Source: https://en.wikipedia.org/wiki/Konica_Minolta


Business recommendation:
------------------------
Konica Minolta provided a patch of the firmware and operating system very quickly
at the start of the year 2020. For most of the devices this firmware update must
be manually applied by service technicians as a remote service platform for remote
firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed
this patching process of over hundreds of thousands of devices drastically.

In case you didn't receive an update yet, approach your Konica Minolta contact.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues. Furthermore,
it is necessary to implement secure software design early in the development
life cycle and adapt secure patch management procedures through an ISMS.

SEC Consult also published a blog post titled
"Someone call the patch manager - how COVID-19 left hundreds of thousands of printers
vulnerable" containing a practical example of a possible attack vector.

https://sec-consult.com/blog/detail/someone-call-the-patch-manager


Vulnerability overview/description:
-----------------------------------
1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)
A touch screen terminal is attached to the printer in order to manage print jobs,
create new scans, simply copy a page or to configure the device. The touch screen
terminal hosts a user interface, which is based upon a proprietary application.

By opening certain applications and/or settings via the terminal, it was possible
to observe a slight change in the look and feel of the user interface itself.
It was quickly determined that this was the result of context change, meaning
that the applications running are not solely based on the proprietary
application only.

After attaching a keyboard to one of the multiple USB ports of the printer and
pressing specific key combinations, it was possible to determine that some
application parts are running an ordinary Chromium browser in "kiosk mode",
which can be escaped easily, although most of the key combinations were blacklisted.
This allows an attacker to get full access to the underlying printer's operating-
and file system, including configuration files, passwords in clear text, proprietary
scripts and many more.


2) Terminal UI/Chromium running as root (CVE-2022-29587)
It was determined that the printer UI and the Chromium browser are running with
root privileges after escaping the printer terminal's sandbox. This allows an attacker
to get full access to all files and folders on the operating system.


3) Passwords stored in clear text on the file system (CVE-2022-29588)
Multiple passwords in clear-text were found on the file system of the printer.

This includes:
-) Unix User Account Passwords
-) Printer Administrative Passwords

Examples can be found in the following proof of concept section.


Proof of concept:
-----------------
1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)
The following steps are necessary to get full access to the printer's
operating system. It is necessary to have physical access to the device and
"User Authentication" must be used and "Public User Access" must be enabled on the
device.

Step 1 - Public User Access
The attacker has access as "Public User" to the device.
The button is marked red in "step1.jpg" (see attachment).

Step 2 - Utility
An attacker has to click on the button called "Utility" in the user interface
which should be open after step 1. The button is marked red in "step2.jpg".

Step 3 - Utility again
An attacker has to click on the slightly different "Utility" button again in the
next window. The button is marked red in "step3.jpg".

Step 4 – Accessing Chromium
A slight change in the design of the user interface can be observed after clicking
on the "Utility" button marked red in the step above. The reason for that is that
the application, which is now visible, is launched inside of a Chromium browser in
kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg".

Step 5 – Attaching a keyboard
A keyboard has to be attached to the printer to breakout of the terminal's sandbox
and get access to the operating system. This can be done directly via the USB port
available on all printers.

Step 6 – Access Chromium Developer Console
Most of the shortcuts available on a normal Linux operating system are
blocked or crash the printer terminal, but it was still possible to
get full access to the system by pressing the key F12, which opened up
the Chromium developer console. This can be seen in "step6.jpg".

Step 7 – Accessing the file system
The tab sources in the Chromium developer tools can be used to get full file
system access. Arbitrary folders can be added and read by clicking
on "Add folder to workspace".

For example, the folder /var/log/nginx/html/ got added to Chromium,
which revealed a lot of interesting files. The probably most interesting
one is the file called "ADMINPASS" containing the printer's administrator
account password in cleartext.


2) Terminal UI/Chromium running as root  (CVE-2022-29587)
Files such as /etc/shadow can be accessed with the root user's permissions.


3) Passwords stored in clear text on the file system  (CVE-2022-29588)
The following files containing clear text passwords were identified on the
printer's file system:

3.1) /etc/shadow
The shadow file contained the password of the user ORDBMS. No passwords were
set for other users.

3.2) /var/log/nginx/html/ADMINPASS
This file contains the password for the printer's web interface.
Another file with sensitive content was found in /var/log/nginx/html.
The "ADMINPASS" file contained the administrator's password for the printer's
terminal/web interface in clear text.


Vulnerable / tested versions:
-----------------------------
According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected
devices in the field are in the hundreds of thousands worldwide according to the vendor.
These devices are also re-branded and sold by other companies.

The vulnerabilities have been tested on the following devices:
* C3350i
* C3300i

Konica Minolta provided the following list of affected models / versions:

Model name                                      Affected FW version        CVE-ID
--------------------------------------------------------------------------------------
bizhub 227, 287, 367, 308, 368, 458,        |                       |
558, 758, 808, 958, PRO958, 308e, 368e,	    |                       |
458e, 558e, 658e, 4752, 4052, C227, C287,   |   G00-U8 or later	    |   CVE-2022-29586
C258, C308, C368, C458, C558, C658, C659,   |                       |   CVE-2022-29587
C759, C3351, C3851, C3851FS                 |                       |
--------------------------------------------------------------------|
bizhub C450i, C550i, C650i                  |   G00-73 or later     |
--------------------------------------------------------------------|
bizhub C250i, C300i, C360i, C4050i, C3350i, |   G00-73 or later     |
C4000i, C3300i                              |   --------------------|------------------
                                             |   Gxx-4A or prior     |   CVE-2022-29586
--------------------------------------------------------------------|   CVE-2022-29587
bizhub 306i, 226i, 246i, 266i, C3320i       |   Gxx-4A or prior     |   CVE-2022-29588
--------------------------------------------------------------------------------------


Vendor contact timeline:
------------------------
2020-01-16: Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form"
2020-01-16: Vendor responds with GPG public key for psirt@...icaminolta.com
2020-01-16: Forwarding encrypted advisory to Konica Minolta PSIRT
2020-01-29: Update from Konica Minolta PSIRT - The reported vulnerabilities
             were successfully reviewed and will be patched in a future firmware
             release. The release date will be provided soon.
2020-2022:  Postponing release multiple times as the remote service platform for
             remote firmware updates has not been rolled out for most devices yet
             and hundreds of thousands of printers have to be patched manually
             on-site during the COVID-19 pandemic.
2022-04-13: Requesting status update from Konica Minolta PSIRT.
2022-04-14: Konica Minolta PSIRT responds by stating that all
             devices directly affected have already been patched.
2022-04-25: Sending security advisory draft to vendor for review.
2022-05-09: Konica Minolta provides a list of affected models and feedback.
2022-05-10: Receiving further feedback, adjusting advisory.
2022-05-12: Coordinated release of security advisory


Solution:
---------
Konica Minolta already provided a patch of the firmware and operating system at
the start of the year 2020 that must be applied by service technicians manually
on-site at all of their customer locations. Most affected devices don't have a
remote service platform for remote firmware updates yet.

If your service technician hasn't patched your system yet, schedule an appointment.

It has to be noted that Konica Minolta tried to patch most of their printers as
soon as possible, which is not an easy task due to the large amount of affected
printers and their manual procedure during the COVID-19 pandemic with multiple
lockdowns.

Konica Minolta provided the following list of models with fixed FW versions:

Model name                                      Fixed FW version	
-----------------------------------------------------------------
bizhub 227, 287, 367, 308, 368, 458, 558,   |
758, 808, 958, PRO958, 308e, 368e, 458e,    |
558e, 658e, 4752, 4052, C227, C287, C258,   |   GC2-X4 or later
C308, C368, C458, C558, C658, C659, C759,   |
C3351, C3851, C3851FS                       |
-----------------------------------------------------------------
bizhub C550i, C650i                         |   G00-2B or later
-----------------------------------------------------------------
bizhub C250i, C450i, C300i, C360i, C4050i,  |
C3350i, C4000i, C3300i                      |   G00-7B or later
-----------------------------------------------------------------
bizhub C3320i                               |   G00-4D or later
-----------------------------------------------------------------
bizhub 306i, 226i, 246i, 266i               |   G00-4F or later
-----------------------------------------------------------------


Workaround:
-----------
The following hardening/workaround is available and was provided directly
from Konica Minolta.

- Disable the use of the external USB keyboard by "Customer Administrator" setting.
- In addition, it is strongly recommended to change the Customer Admin password
   to a new one.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober, J. Kruchem / @2022

Download attachment "step3.jpg" of type "image/jpeg" (152230 bytes)

Download attachment "step1.jpg" of type "image/jpeg" (139843 bytes)

Download attachment "step2.jpg" of type "image/jpeg" (180202 bytes)

Download attachment "step6.jpg" of type "image/jpeg" (183795 bytes)

Download attachment "step4.jpg" of type "image/jpeg" (82648 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists