Document Title: =============== Authentication Bypass in Xerox Printers – It is not a bug! It is a legacy feature ;-)
Description: ============ Xerox enforces authentication before updating a firmware or install a configuration file (clone file) in recent firmware versions. That seems quite reasonable. Nevertheless you can still simply “print” them via port 631 without authentication. Xerox says: “The issue that you discovered is a legacy feature intended for the convenience of our customers. […] Xerox has begun adding a separate disable for the specific issue you discovered to our most recent products.” However, what could possibly go wrong? Even if it is not possible to execute arbitrary code in clone files [1,2,3] any more, clone files include an iptables configuration file. Possible threats are: - Denial of Service: Close all network ports - Steal Information: Forward all Print jobs to somewhere else Affected Product(s): ==================== Confirmed: Xerox Phaser 6700: - 081.140.107.11800 - 081.140.106.21800 Not confirmed: (They share the same DLM clone/update technique) - Xerox ColorQube 8700 - Xerox ColorQube 8900 - Xerox Phaser 7800 - Xerox WorkCentre 3655 - Xerox WorkCentre 58XX - Xerox WorkCentre 59XX - Xerox WorkCentre 6655 - Xerox WorkCentre 722X - Xerox WorkCentre 75XX - Xerox WorkCentre 78XX - Xerox WorkCentre 797X Vulnerability Disclosure Timeline: ================================== 2017-06-29: Notification and information exchange with Xerox. 2017-07-25: Xerox confirmed the issue 2017-08-28: Xerox claims the issue to be a legacy feature 2017-09-01: Public Disclosure. PoC: ==== Pre-Requirements: Clone files or Firmware updates must be enabled in printer’s configuration. Demo code: curl -s -F filename=@/CLONE_OR_FIRMWARE_UPDATE -X POST PRINTER_ADDRESS:631/upload/xerox.set -H Content-Type: multipart/form-data -F NextPage=/print/index.php?submitted=true -F job_type=print Solution - Fix & Patch: ======================= - Disable update and clone features. References (Source): ==================== [1] https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf [2] http://seclists.org/fulldisclosure/2016/Apr/91 [3] http://h.foofus.net/~percX/Xerox_hack.pdf Credits & Authors: ================== Fraunhofer FKIE: Peter Weidenbach and Christopher Krah _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
