Xerox WorkCentre multiple models Denial of Service
Louhi Networks Information Security Research
Security Advisory

Advisory: Xerox WorkCentre multiple models Denial of Service
Release Date: 2009/08/25
Last Modified: 2009/08/25
Authors: Juho Ranta [juho.ra...@louhi.fi]
         Henri Lindberg, CISA [henri.lindb...@louhi.fi]
Application: Xerox WorkCentre
Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
Devices: Xerox WorkCentre 7132, WC7232/7242, WC7328/7335/7345/7346 and WC7425/28/35
Attack type: Denial of Service
Risk: Low
Vendor Status: Patch available for WC7232/7242
References:
http://www.louhinetworks.fi/advisory/xerox_0908.txt
http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html
http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA

Overview

Quote from http://www.xerox.com/

"The Xerox WorkCentre 7132 multifunction is the affordable transition to the next level of productivity for your office. One easy-to-use device offers powerful printing, copying, scanning, and faxing. The WorkCentre 7132 also gives you color when you need it, for critical documents and for added impact. Robust functions, straightforward operation, and color within your budget - that should keep everyone smiling and productive."

During a brief assessment performed for the Xerox WorkCentre 7132 it was discovered that the LPD daemon implementation contains a weakness related to the robustness of its LPD protocol handling. An attacker can crash the whole device with a relatively simple attack. Recovering from the denial-of-service condition requires power cycling the device.

Details

The device freezes when it is flooded with LPD requests having an oversized queue name length AND other features of the device are accessed during the attack. The LPD daemon terminates the connection when it receives a request with an oversized queue name. The minimum length required to trigger this seems to vary.
Our proof-of-concept attack sends ASCII character blocks to the LPD daemon until the connection is closed, while sending HTTP requests to the web administration interface. By flooding the device with these invalid LPD requests and accessing other features at the same time, the device can be crashed. This was verified with two different firmware versions (1.202.1 and 1.202.5).

It must be noted that a successful denial-of-service attack requires the steps described above. Sending requests with oversized queue names does not crash the device by itself.

Due to the black box nature of the attack performed against a production device, we were not able to determine the exact root cause of the crash. According to the vendor this is caused by a memory leak, but further exploitability or memory corruption has neither been confirmed nor denied.

The vulnerability was detected with an LPD protocol implementation written for the Sulley Fuzzing Framework.

Preconditions

*LPD daemon is enabled.
*Attacker has network access to the LPD daemon
*Attacker has network access to other features
OR
*Valid user uses the device on location

Symptoms of successful attack

One or more of the following:
*Control panel lights are blinking, no response to pushing buttons
*LCD panel displays error message
*LCD panel displays a halted progress bar
*Switching power off from on/off button takes more than 10 seconds

Proof of Concept:

Python code available at:
http://www.louhinetworks.fi/advisory/xerox/exploit.py
http://www.louhinetworks.fi/advisory/xerox/webInterface.py

Pictures of a crashed control panel (Finnish language):
http://www.louhinetworks.fi/advisory/xerox/error1.jpg
http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg

Web interface requests are performed with a separate Python process/script in order to achieve more reliable exploitation under Windows.
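The mitigation section recommends IDS/IPS signatures for LPD requests with oversized queue names. The following is an added detection check, not part of the Louhi advisory or its proof-of-concept scripts: it parses the RFC 1179 command line that opens an LPD connection, flags queue names longer than a site-specific limit, and counts flagged requests per source. MAX_QUEUE_NAME and FLOOD_THRESHOLD are assumed values, since the advisory notes the triggering length varies; the sample traffic is constructed.

```python
from collections import Counter

MAX_QUEUE_NAME = 64    # assumed: longest legitimate queue name at the site
FLOOD_THRESHOLD = 20   # assumed: flagged requests from one source before alerting

# RFC 1179 command codes; each is the first byte, followed by the queue name
LPD_COMMANDS = {
    0x01: "print-waiting-jobs",
    0x02: "receive-job",
    0x03: "short-queue-state",
    0x04: "long-queue-state",
    0x05: "remove-jobs",
}

def parse_lpd_request(data: bytes) -> dict:
    """Parse the first line of an LPD connection: command byte, queue name,
    and whether the queue name exceeds the assumed legitimate maximum."""
    if not data or data[0] not in LPD_COMMANDS:
        return {"command": "unknown", "queue": b"", "oversized": False}
    # The queue name runs to the first LF; some commands carry further
    # space-separated operands after it, which are not inspected here
    line = data[1:].split(b"\n", 1)[0]
    queue = line.split(b" ", 1)[0]
    return {
        "command": LPD_COMMANDS[data[0]],
        "queue": queue,
        "oversized": len(queue) > MAX_QUEUE_NAME,
    }

class LpdFloodDetector:
    """Counts oversized-queue-name requests per source address and reports
    when a source crosses the flood threshold."""
    def __init__(self) -> None:
        self.hits = Counter()

    def observe(self, src: str, data: bytes) -> bool:
        if parse_lpd_request(data)["oversized"]:
            self.hits[src] += 1
        return self.hits[src] >= FLOOD_THRESHOLD

if __name__ == "__main__":
    # Constructed sample traffic, not a capture from a real device
    det = LpdFloodDetector()
    print(det.observe("10.0.0.5", b"\x02lp\n"))          # legitimate: False
    oversized = b"\x02" + b"A" * 1000 + b"\n"
    alert = False
    for _ in range(FLOOD_THRESHOLD):
        alert = det.observe("10.0.0.9", oversized)
    print(alert)                                          # flood: True
```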
Mitigation:

Preventive
*Install patch from vendor
*Configure IPS signature for LPD requests with oversized queue names
*Allow only trusted users to access LPD daemon
*Disable LPD daemon

Detective
*Configure IDS signature for LPD requests with oversized queue names

Disclosure Timeline (selected dates):

X 2008 - Vulnerability discovered
3. September 2008 - Contacted CERT-FI by email describing the issue with Xerox WC 7132
20. November 2008 - CERT-FI confirms vendor has been notified
21. January 2009 - Vendor is unable to reproduce the issue, but continues trying
22. January 2009 - Vulnerability reproduced, vendor investigates other devices. Apologizes for slow response.
17. June 2009 - Vendor has identified vuln
IBM BladeCenter Advanced Management Module Multiple vulnerabilities
Louhi Networks Information Security Research
Security Advisory

Advisory: IBM BladeCenter Advanced Management Module Multiple vulnerabilities (XSS type 2 & 1, CSRF, Information Disclosure)
Release Date: 2009-04-09
Last Modified: 2009-04-09
Authors: Henri Lindberg [henri.lindb...@louhi.fi], CISA
Device: IBM BladeCenter H AMM
Main application: BPET36H
Released: 03-20-08
Rev: 54
Risk: Low - Moderate
      High if Web Access is in active use and access to the login page is unrestricted
Vendor Status: Vendor notified, patch available.
References: http://www.louhinetworks.fi/advisory/ibm_090409.txt

Affected devices (from vendor):
IBM BladeCenter E (1881, 7967, 8677)
IBM BladeCenter H (7989, 8852)
IBM BladeCenter HT (8740, 8750)
IBM BladeCenter S (1948, 8886)
IBM BladeCenter T (8720, 8730)
IBM BladeCenter JS12 (7998)
IBM BladeCenter JS21 (7988, 8844)
IBM BladeCenter JS22 (7998)
IBM BladeCenter HC10 (7996)
IBM BladeCenter HS12 (8014, 1916, 8028)
IBM BladeCenter HS20 (1883, 8843)
IBM BladeCenter HS21 (8853, 1885)
IBM BladeCenter HS21 XM (7995, 1915)
IBM BladeCenter LS20 (8850)
IBM BladeCenter LS21 (7971)
IBM BladeCenter LS41 (7972)
IBM BladeCenter QS21 (0792)
IBM BladeCenter QS22 (0793)

Overview:

Quotes from http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html

"In today's high-demand enterprise environment, organizations need a reliable infrastructure to run compute-intensive applications with minimal maintenance and downtime. IBM BladeCenter H is a powerful platform built with the enterprise customer in mind, providing industry-leading performance, innovative architecture and a solid foundation for virtualization."

"Provides easy integration to promote innovation and help manage growth, complexity and risk"

During a quick overview of BladeCenter AMM web access, it was discovered that the web administration interface has multiple vulnerabilities regarding input and request validation.
Details:

Cross Site Scripting

Type 2:
---
The most serious issue discovered was the persistent XSS vulnerability on the event log page, resulting from displaying unsanitized user input received from an invalid login attempt. This can be exploited without valid credentials or social engineering. Access to the device administration IP address is needed, however, and an administrator has to view the event log at some point.

A successful attack requires that an administrator visits the event log page, thus enabling the attacker to control the chassis and blade configuration by running the injected content, which is interpreted by the administrator's browser. For example, all blades can be shut down or new administrative users can be added, depending on the administrator's access rights.

Unsuccessful login attempts are displayed without HTML encoding or input sanitation in the event log. It is possible to inject a reference to a remote javascript file by using e.g. the following username:

Notes: If user input contains , dynamic javascript is spilled out on the page and it is quite easy to mess up the formatting of the event log page. The log can be cleared by an authenticated administrator from the URL: http://1.2.3.4/private/clearlog

Event log javascript format:

parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit ","SN#420420313370","09/09/08","04:20:42","Remote login failed for user '' from Web at IP 1.2.3.4");

HTML injection can be performed for example with the following "username":

Mallory

This results in:

Remote login failed for user ' Mallory' from Web at IP 1.2.3.4

Entries from the event log are also displayed on the AMM Service Data page.

Type 1:
---
The file manager displays user input on the page "as is". Successful exploitation requires social engineering an authenticated administrator to visit the hostile URL.

Example URL:
http://1.2.3.4/private/file_management.ssi? PATH=/etc">
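As an added example, not IBM's AMM code, the following shows how the failed-login message from the event log format above could be written into the LogEntry array so that the username can neither leave its JavaScript string literal nor be parsed as markup. It assumes the event log page inserts the message as HTML (hence HTML encoding before JavaScript string encoding); the render functions, the reduced two-argument LogEntry call and the sample username are constructed for illustration.

```python
import html
import json

def render_log_entry_unsafe(username: str, ip: str) -> str:
    """The pattern the advisory describes: the raw username is written
    straight into the script. Other LogEntry fields are omitted here."""
    msg = f"Remote login failed for user '{username}' from Web at IP {ip}"
    return f'parent.LogEntryArray[i++] = new LogEntry("Audit ","{msg}");'

def js_string(value: str) -> str:
    """Serialise value as a JavaScript string literal. json.dumps escapes
    backslashes, double quotes and control characters; the extra replacements
    hex-escape characters that could close the script block or be read as
    HTML once the literal is emitted into the page."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("'", "\\u0027")):
        literal = literal.replace(ch, esc)
    return literal

def render_log_entry_safe(username: str, ip: str) -> str:
    """Encode for the HTML context first (assumed: the event log page inserts
    the message as markup), then for the JavaScript string context."""
    msg = f"Remote login failed for user '{username}' from Web at IP {ip}"
    msg_html = html.escape(msg, quote=True)
    return (f'parent.LogEntryArray[i++] = new LogEntry('
            f'{js_string("Audit ")},{js_string(msg_html)});')

def message_as_rendered(entry: str) -> str:
    """Checking helper: decode the message literal of a safe entry and
    unescape it the way the browser would when inserting it as HTML."""
    literal = entry[entry.index(",") + 1:-2]   # drop "new LogEntry(..., " and ");"
    return html.unescape(json.loads(literal))

if __name__ == "__main__":
    # Constructed username that tries to close the string and add markup
    user = 'Mallory"<b>x</b>'
    print(render_log_entry_unsafe(user, "1.2.3.4"))   # raw " and <b> reach the script
    print(render_log_entry_safe(user, "1.2.3.4"))     # no raw < > " ' inside the literal
```

The same layered encoding applies to the Type 1 case: the file manager's PATH value needs HTML encoding at the point where it is echoed into the page.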