bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/45969.txt
Offensive Security a07949d1c7 DB: 2018-12-12 
21 changes to exploits/shellcodes

SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)
LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
McAfee True Key - McAfee.TrueKey.Service Privilege Escalation

DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD 4.11.01 - 'raid' Cross-Site Scripting

Tourism Website Blog - Remote Code Execution / SQL Injection
Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery
PrestaShop 1.6.x/1.7.x - Remote Code Execution
DomainMOD 4.11.01 - Cross-Site Scripting
PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
TP-Link wireless router Archer C1200 - Cross-Site Scripting
Huawei B315s-22 - Information Leak
ZTE ZXHN H168N - Improper Access Restrictions
Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure
IceWarp Mail Server 11.0.0.0 - Cross-Site Scripting
Apache OFBiz 16.11.05 - Cross-Site Scripting
HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection
WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
Adobe ColdFusion 2018 - Arbitrary File Upload

Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
2018-12-12 05:01:43 +00:00

53 lines
No EOL
3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Author: bzyo
# CVE: CVE-2018-19936
# Twitter: @bzyo_
# Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
# Date: 12-07-18
# Vulnerable Software: PrinterOn Enterprise 4.1.4
# Vendor Homepage: https://www.printeron.com/
# Version: 4.1.4
Tested On
---------------------------------------------------------------------
PrinterOn Enterprise 4.1.4
Windows 2012 R2 Datacenter
Software running under User Account: PONservice (part of local administrators group)
Software Notes
---------------------------------------------------------------------
Per the PrinterOn Enterprise 4.1.4 Installation Guide on Page 10, a local administrator account is required to run the software.
On a default installation, the Post Print Option is to “Delete From Store”. Meaning, if you upload a file to print, this file is deleted immediately after it is printed.
When printing as a Guest or Authenticated user, you have the choice of either uploading a file to be printed or entering a Web Page. The file type you upload or supply via URI needs to be supported by the application in order for it to process and print. Per page 11 of the installation guide, under Recommended Software, its advised to install an application such as Microsoft Word to print .docx documents. There is also some additional configuration needed to be able to print specific file types otherwise you receive an error such as “This type of file cannot be processed by your service”.
Vulnerability
---------------------------------------------------------------------
When either printing as a Guest (when enabled) or as an Authenticated user via the CPS URL https://<hostname or ip>/cps, the user printing has the ability to delete any file on the host system that isnt currently in use by the system itself. The field to enter a web page does not properly check the URI being entered, as such the user can enter a system file path and delete a file on the system.
Exploit
---------------------------------------------------------------------
Login as either Guest or an Authenticated user to print
https://<hostname or ip>/cps
Choose any printer
Entering a system path to a file in the web page field
Examples:
C:\Users\Administrator\Desktop\DoNotDelete.txt
C:\Program Files (x86)\PrinterOn Corporation\Apache Tomcat\Conf\web.xml
Send the print job, an error will show
Check system, file is deleted
Impact
---------------------------------------------------------------------
By deleting specific files the application, and possibly the host system, can become unusable.
Timeline
---------------------------------------------------------------------
10-22-18: Vendor notified of vulnerability
10-22-18: Initial response from vendor
10-23-18: PoC submitted
10-25-18: Vendor to pass along to Product team
11-??-18: New version released
12-03-18: Tested and Confirmed with vendor vulnerability fixed in update
12-07-18: Submitted public disclosure
Reference in a new issue View git blame Copy permalink