Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.
Unverified Password Change – CVE-2013-6032
Certain models of Lexmark laser printers and MarkNet devices are vulnerable to an attack which allows a remote unauthenticated attacker to change the administrative password of the printer’s web administration interface. The interface does not perform sufficient validation of the vac.255.GENPASSWORD parameter in POST requests to the /cgi-bin/postpf/cgi-bin/dynamic/config/config.html page, allowing an unauthenticated remote attacker to reset the administrative password to an empty string.
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2013-6033
Certain models of Lexmark laser printers are vulnerable to stored cross-site scripting attacks. The printers’ administrative web interface does not perform sufficient validation of user input to the “Location” and “Contact Name” fields in the “General Settings” configuration page.
An attacker may be able to run arbitrary script in the context of a victim’s browser. The attacker may also be able to gain full administrative control of the printer.
Apply an Update
Lexmark advises users to update to the latest firmware version. A list of affected models and firmware versions, as well as accompanying fixes, can be found at Lexmark’s advisory page.
Vendor Information: http://support.lexmark.com/alerts/
Group          Score  Vector
Base           9.0    AV:N/AC:L/Au:N/C:P/I:P/A:C
Temporal       7.4    E:F/RL:OF/RC:C
Environmental  1.9    CDP:N/TD:L/CR:ND/IR:ND/AR:ND
The Micro Technology Services Inc. "Lynx Message Server 18.104.22.168" and/or "LynxTCPService version 1.1.62" web interface is vulnerable to SQL injection, cross-site scripting, and other security problems.
At Defcon 19, during my presentation, we discussed a new attack method against printers. This attack method involves tricking the printer into passing LDAP or SMB credentials back to the attacker in plain text. We refer to this attack as a Pass-Back Attack. So it's been a while, but we wanted to release a short tutorial discussing how this attack is performed. A PDF of the tutorial can be downloaded from here.
Wow, this one was so simple I still can't stop laughing. This was originally released at Shmoocon on January 29, 2011. I thought it was time to follow up with an advisory because most end users still do not know about this vulnerability. The authentication on Toshiba eStudio MFP devices is easily bypassed by adding an extra / in the URL after TopAccess.
Really easy, as you can see. I am looking for assistance to better map out devices with this issue. If you have a Toshiba eStudio, please check out the request at http://praeda.foofus.net to give me a hand.
Attack #2 is more interesting because it can be remotely exploited via a SMS message.
When reporting this issue, the 160-character limit of SMS came into question, and whether it would constrain the attacker. In the proof-of-concept video, you can see that exploitation was successful with 158 characters using the Browser Exploitation Framework (BeEF)!
Below are the steps that led up to the discovery of this low hanging fruit:
I first started by using tcpdump to capture traffic between the appliance and a workstation running the console software.
When using the console software to log in, I noticed the authentication was done over port 5000. After I logged in, the console software started to load data over MySQL port 3306. What I found interesting was that all the SQL traffic was being initiated by the workstation. At this point I wanted to know how the workstation was able to log in to the MySQL server on the appliance.
By using several Sysinternals tools on the workstation, I was able to determine which binary files the console software was using when the SQL connection was initiated.
I then used a combination of strings and IDA Pro to search through the binaries for the SQL login, and bingo, found it!
This is a very interesting flaw that I came across in Symantec Antivirus Corporate Edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a series of tests against multiple versions of SAVCE, I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there. Upon further investigation I discovered this flaw went against the Intel Alert Handler Service (hndlrsvc.exe) over TCP port 38292.
This isn't really very cool, but it's been exploited during assessments to great effect. So, why not share it with everyone? If you're on an assessment and find they're running BMC Software's Service Desk Express, then you can probably leverage this for great justice.