lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <16c65c15-9b1b-5463-d5f1-87a99ce64fe4@sec-consult.com> Date: Thu, 12 May 2022 08:03:00 +0000 From: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] SEC Consult SA-20220512-0 :: Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals SEC Consult Vulnerability Lab Security Advisory < 20220512-0 > ======================================================================= title: Sandbox Escape with Root Access & Clear-text passwords product: Multiple Konica Minolta bizhub MFP Printer Terminals vulnerable version: see vulnerable / tested versions below fixed version: see solution section below CVE number: CVE-2022-29586, CVE-2022-29587, CVE-2022-29588 impact: critical homepage: https://www.konicaminolta.com found: 2019-11-25 by: Werner Schober (Office Vienna) Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers." Source: https://en.wikipedia.org/wiki/Konica_Minolta Business recommendation: ------------------------ Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically. In case you didn't receive an update yet, approach your Konica Minolta contact. SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and adapt secure patch management procedures through an ISMS. SEC Consult also published a blog post titled "Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable" containing a practical example of a possible attack vector. https://sec-consult.com/blog/detail/someone-call-the-patch-manager Vulnerability overview/description: ----------------------------------- 1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or to configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application only. After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating- and file system, including configuration files, passwords in clear text, proprietary scripts and many more. 2) Terminal UI/Chromium running as root (CVE-2022-29587) It was determined that the printer UI and the Chromium browser are running with root privileges after escaping the printer terminal's sandbox. This allows an attacker to get full access to all files and folders on the operating system. 3) Passwords stored in clear text on the file system (CVE-2022-29588) Multiple passwords in clear-text were found on the file system of the printer. This includes: -) Unix User Account Passwords -) Printer Administrative Passwords Examples can be found in the following proof of concept section. Proof of concept: ----------------- 1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) The following steps are necessary to get full access to the printer's operating system. It is necessary to have physical access to the device and "User Authentication" must be used and "Public User Access" must be enabled on the device. Step 1 - Public User Access The attacker has access as "Public User" to the device. The button is marked red in "step1.jpg" (see attachment). Step 2 - Utility An attacker has to click on the button called "Utility" in the user interface which should be open after step 1. The button is marked red in "step2.jpg". Step 3 - Utility again An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg". Step 4 – Accessing Chromium A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg". Step 5 – Attaching a keyboard A keyboard has to be attached to the printer to breakout of the terminal's sandbox and get access to the operating system. This can be done directly via the USB port available on all printers. Step 6 – Access Chromium Developer Console Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in "step6.jpg". Step 7 – Accessing the file system The tab sources in the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace". For example, the folder /var/log/nginx/html/ got added to Chromium, which revealed a lot of interesting files. The probably most interesting one is the file called "ADMINPASS" containing the printer's administrator account password in cleartext. 2) Terminal UI/Chromium running as root (CVE-2022-29587) Files such as /etc/shadow can be accessed with the root user's permissions. 3) Passwords stored in clear text on the file system (CVE-2022-29588) The following files containing clear text passwords were identified on the printer's file system: 3.1) /etc/shadow The shadow file contained the password of the user ORDBMS. No passwords were set for other users. 3.2) /var/log/nginx/html/ADMINPASS This file contains the password for the printer's web interface. Another file with sensitive content was found in /var/log/nginx/html. The "ADMINPASS" file contained the administrator's password for the printer's terminal/web interface in clear text. Vulnerable / tested versions: ----------------------------- According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected devices in the field are in the hundreds of thousands worldwide according to the vendor. These devices are also re-branded and sold by other companies. The vulnerabilities have been tested on the following devices: * C3350i * C3300i Konica Minolta provided the following list of affected models / versions: Model name Affected FW version CVE-ID -------------------------------------------------------------------------------------- bizhub 227, 287, 367, 308, 368, 458, | | 558, 758, 808, 958, PRO958, 308e, 368e, | | 458e, 558e, 658e, 4752, 4052, C227, C287, | G00-U8 or later | CVE-2022-29586 C258, C308, C368, C458, C558, C658, C659, | | CVE-2022-29587 C759, C3351, C3851, C3851FS | | --------------------------------------------------------------------| bizhub C450i, C550i, C650i | G00-73 or later | --------------------------------------------------------------------| bizhub C250i, C300i, C360i, C4050i, C3350i, | G00-73 or later | C4000i, C3300i | --------------------|------------------ | Gxx-4A or prior | CVE-2022-29586 --------------------------------------------------------------------| CVE-2022-29587 bizhub 306i, 226i, 246i, 266i, C3320i | Gxx-4A or prior | CVE-2022-29588 -------------------------------------------------------------------------------------- Vendor contact timeline: ------------------------ 2020-01-16: Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form" 2020-01-16: Vendor responds with GPG public key for psirt@...icaminolta.com 2020-01-16: Forwarding encrypted advisory to Konica Minolta PSIRT 2020-01-29: Update from Konica Minolta PSIRT - The reported vulnerabilities were successfully reviewed and will be patched in a future firmware release. The release date will be provided soon. 2020-2022: Postponing release multiple times as the remote service platform for remote firmware updates has not been rolled out for most devices yet and hundreds of thousands of printers have to be patched manually on-site during the COVID-19 pandemic. 2022-04-13: Requesting status update from Konica Minolta PSIRT. 2022-04-14: Konica Minolta PSIRT responds by stating that all devices directly affected have already been patched. 2022-04-25: Sending security advisory draft to vendor for review. 2022-05-09: Konica Minolta provides a list of affected models and feedback. 2022-05-10: Receiving further feedback, adjusting advisory. 2022-05-12: Coordinated release of security advisory Solution: --------- Konica Minolta already provided a patch of the firmware and operating system at the start of the year 2020 that must be applied by service technicians manually on-site at all of their customer locations. Most affected devices don't have a remote service platform for remote firmware updates yet. If your service technician hasn't patched your system yet, schedule an appointment. It has to be noted that Konica Minolta tried to patch most of their printers as soon as possible, which is not an easy task due to the large amount of affected printers and their manual procedure during the COVID-19 pandemic with multiple lockdowns. Konica Minolta provided the following list of models with fixed FW versions: Model name Fixed FW version ----------------------------------------------------------------- bizhub 227, 287, 367, 308, 368, 458, 558, | 758, 808, 958, PRO958, 308e, 368e, 458e, | 558e, 658e, 4752, 4052, C227, C287, C258, | GC2-X4 or later C308, C368, C458, C558, C658, C659, C759, | C3351, C3851, C3851FS | ----------------------------------------------------------------- bizhub C550i, C650i | G00-2B or later ----------------------------------------------------------------- bizhub C250i, C450i, C300i, C360i, C4050i, | C3350i, C4000i, C3300i | G00-7B or later ----------------------------------------------------------------- bizhub C3320i | G00-4D or later ----------------------------------------------------------------- bizhub 306i, 226i, 246i, 266i | G00-4F or later ----------------------------------------------------------------- Workaround: ----------- The following hardening/workaround is available and was provided directly from Konica Minolta. - Disable the use of the external USB keyboard by "Customer Administrator" setting. - In addition, it is strongly recommended to change the Customer Admin password to a new one. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF W. Schober, J. Kruchem / @2022 Download attachment "step3.jpg" of type "image/jpeg" (152230 bytes) Download attachment "step1.jpg" of type "image/jpeg" (139843 bytes) Download attachment "step2.jpg" of type "image/jpeg" (180202 bytes) Download attachment "step6.jpg" of type "image/jpeg" (183795 bytes) Download attachment "step4.jpg" of type "image/jpeg" (82648 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists