#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  WorkCentre 78XX Series
# Vendor:   Xerox
# CSNC ID:  CSNC-2021-002
# CVE ID:   CVE-2021-27508
# Subject:  Authenticated OS command injection (RCE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger
# Date:     11.05.2021
#
#############################################################

Introduction
------------

Xerox WorkCentre devices are multifunction printers that print, scan and copy documents. They can be managed via a web interface running on an integrated web server.

During a Red Teaming engagement, Compass Security identified a shell injection vulnerability in the web interface of the device. Exploiting this vulnerability requires authentication to the web UI.

Affected
--------

Vulnerable:
* Firmware WorkCentre_7845-55-system-sw07504000101210.zip, downloaded from [1]

Patched version:
* The Xerox security bulletin [2] provides links to patched firmware for each affected WorkCentre model.

Note: older versions of the firmware were not tested but are likely to be affected by the same issue. Xerox also confirmed that other models are affected by this issue (WorkCentre and AltaLink product ranges).

Technical Description
---------------------

To find the vulnerability, the device's firmware was analyzed. The firmware was downloaded from [1] and its multiple layers were unpacked, using 7-Zip for each unpacking step. The first archive contains a second archive, which in turn contains a DLM file. DLM files are gzip archives with added headers, see [3]. The DLM file contains another file, which is a compressed tar archive. Once extracted, one can access the printer's file system, which is a Linux system.
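The unpacking chain above (archive > DLM > gzip > tar > file system), as an added example that is not part of the advisory or of any Xerox tooling. The helper does not parse the DLM header format itself; it relies only on what the advisory states (a gzip stream with a header prepended) and locates the gzip magic bytes, on the assumption that the header does not itself contain that byte sequence. The DLM sample, its header text and the file names inside the tar are constructed in memory for the demonstration.

```python
"""Locate and unpack the gzip payload of a DLM-style container.

Added example, not the advisory's or Xerox's code. Assumption: the DLM header
precedes a standard gzip stream and does not contain the gzip magic bytes.
"""
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)

# Constructed placeholder header; NOT the real DLM header format (see [3] for that).
FAKE_DLM_HEADER = b"FAKE-DLM-HEADER: constructed for this example\n"


def find_gzip_offset(data: bytes) -> int:
    """Offset of the first gzip member in data, or -1 if none is present."""
    return data.find(GZIP_MAGIC)


def extract_dlm_payload(dlm: bytes) -> bytes:
    """Skip the DLM header and gunzip the payload that follows it."""
    offset = find_gzip_offset(dlm)
    if offset < 0:
        raise ValueError("no gzip stream found in DLM data")
    return gzip.decompress(dlm[offset:])


def open_dlm_tar(dlm: bytes) -> tarfile.TarFile:
    """The gunzipped payload is a (possibly compressed) tar archive; mode 'r:*'
    lets tarfile detect gzip/bzip2/xz or plain tar transparently."""
    return tarfile.open(fileobj=io.BytesIO(extract_dlm_payload(dlm)), mode="r:*")


def list_dlm_members(dlm: bytes) -> list[str]:
    """Names of all files in the file system image carried by the DLM."""
    with open_dlm_tar(dlm) as tar:
        return tar.getnames()


def read_dlm_member(dlm: bytes, name: str) -> bytes:
    """Contents of one file from the file system image."""
    with open_dlm_tar(dlm) as tar:
        member = tar.extractfile(name)
        if member is None:
            raise KeyError(name)
        return member.read()


def build_sample_dlm() -> bytes:
    """Constructed sample: header + gzip( tar.gz( two small files ) )."""
    files = (
        ("rootfs/etc/hostname", b"printer\n"),
        ("rootfs/bin/sh", b"#!/bin/sh\n"),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # inner compressed tar
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return FAKE_DLM_HEADER + gzip.compress(buf.getvalue())  # outer DLM gzip layer


if __name__ == "__main__":
    sample = build_sample_dlm()
    print("gzip stream starts at offset", find_gzip_offset(sample))
    for name in list_dlm_members(sample):
        print(name)
```

On a real firmware file, replace build_sample_dlm() with the bytes of the DLM extracted from the downloaded archive; if find_gzip_offset() returns a value far into the file, inspect the header region first, since a gzip member embedded in the header would be matched before the real payload.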
The issue itself is found on the Cloning page, reachable via "Properties > General Setup > Cloning" in the web interface (once authenticated). This page is used to clone the configuration of the printer, either as a backup or to install it onto another device. A parameter named "clone_group" is submitted with the form present on the Cloning page, and this parameter is vulnerable to command injection. Analysis of the libraries called by this feature showed that no filtering or sanitization of the user input is performed: the parameter is eventually passed to the C "system()" function, which directly executes an OS command built from the user-provided value. By crafting a specific value for this parameter, one can therefore execute arbitrary commands on the printer's operating system. The commands are executed as the "nobody" user, the account of the Apache web server.

Workaround / Fix
----------------

Apply the firmware update provided by Xerox [2].

Change the default credentials of the printer's web interface, since exploitation requires authentication.

Timeline
--------

2021-02-07: Discovery by Nicolas Heiniger
2021-02-10: Initial vendor notification
2021-02-10: Initial vendor response
2021-02-10: Detailed information sent to the vendor
2021-02-17: Bug was reproduced and escalated to development & engineering
2021-03-04: Release of a first fix for one of the affected printers
2021-05-07: Patched versions available for all affected printers
2021-05-11: Coordinated public disclosure date

References
----------

[1] Xerox Corporation, WorkCentre 7830/7835/7845/7855 Drivers & Downloads
    https://www.support.xerox.com/en-us/product/workcentre-7800-series/content/150523
[2] Xerox Corporation, Security Bulletin XRX21J
    https://securitydocs.business.xerox.com/wp-content/uploads/2021/05/cert_Security_Mini_Bulletin_XRX21J_for_ConnectKey_v1.0.pdf
[3] D. Heiland, From Patched to Pwned
    http://h.foofus.net/goons/percx/Xerox_hack.pdf
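The pattern described in the Technical Description (a form parameter concatenated into a command string and handed to system() with no sanitization), as an added example that is not the firmware's code. It is written in Python rather than C: os.system() and subprocess with a shell behave like the C system() call for this purpose. The command name "/usr/bin/clone_tool" and its "--group" flag are invented placeholders; the real binary invoked by the Cloning page is not named in the advisory. The vulnerable builder returns the command string instead of executing it, and a small tokenizer shows how many separate commands a POSIX shell would run for a given clone_group value. The hardened variant validates the value against an allowlist and builds an argv list that is executed without a shell.

```python
"""Vulnerable vs. hardened handling of a form parameter that ends up in an OS command.

Added example, illustrative only; the command name and flag are placeholders,
not the Xerox firmware's actual code.
"""
import re
import shlex
import subprocess

CLONE_TOOL = "/usr/bin/clone_tool"  # placeholder binary, not from the advisory
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}
# Allowlist for the hypothetical parameter: letters, digits, '_' and '-' only.
CLONE_GROUP_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_command_vulnerable(clone_group: str) -> str:
    """Mirrors the vulnerable pattern: the raw parameter is interpolated into a
    string that a shell will parse (C system(), os.system(), shell=True).
    Returned instead of executed so it can be inspected safely."""
    return f"{CLONE_TOOL} --group {clone_group}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenize like sh: separators such as ';' and '&&' become their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def commands_the_shell_would_run(cmd: str) -> list[list[str]]:
    """Split the command line at shell separators into the argv of each command.
    Only list separators are modeled; backticks and $( ) are not expanded here,
    although a real shell would execute those as well."""
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in shell_tokens(cmd):
        if tok in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_clone_group(clone_group: str) -> bool:
    """Allowlist check: reject anything a shell could interpret."""
    return CLONE_GROUP_RE.fullmatch(clone_group) is not None


def build_argv_hardened(clone_group: str) -> list[str]:
    """Hardened form: validate, then pass an argv list so no shell ever parses
    the value (the C equivalent is execve()/posix_spawn() with an argv array)."""
    if not is_valid_clone_group(clone_group):
        raise ValueError(f"invalid clone_group: {clone_group!r}")
    return [CLONE_TOOL, "--group", clone_group]


def run_hardened(clone_group: str) -> subprocess.CompletedProcess:
    """Execute without a shell; metacharacters in clone_group cannot be interpreted."""
    return subprocess.run(build_argv_hardened(clone_group), check=True, capture_output=True)


if __name__ == "__main__":
    for value in ("default", "default;id"):
        cmd = build_command_vulnerable(value)
        print(f"{value!r:16} -> shell runs {commands_the_shell_would_run(cmd)}")
        print(f"{'':16}    hardened: {'accepted' if is_valid_clone_group(value) else 'rejected'}")
```

The allowlist is the part that needs the most care in a real fix: it must be as narrow as the feature allows, and it is only a defense in depth next to executing without a shell, not a replacement for it.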