Vulnerability CVE-2017-5671


Published: 2017-03-29

Description:
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x before 10.12.013309 have /usr/bin/lua installed setuid to the itadmin account, which allows local users to conduct a BusyBox jailbreak attack and obtain root privileges by overwriting the /etc/shadow file.

See advisories in our WLB2 database:
Topic
Author
Date
High
Intermec Industrial Printers Local root with Busybox jailbreak
Bourbon Jean-Mar...
28.03.2017

Vendor: Honeywell
Product: Intermec pd43 firmware 
Version: 10.10.011406;
Product: Intermec pm23 firmware 
Version: 10.10.011406;
Product: Intermec pc23 firmware 
Version: 10.10.011406;
Product: Intermec pc43 firmware 
Version: 10.10.011406;
Product: Intermec pm42 firmware 
Version: 10.10.011406;
Product: Intermec pc42 firmware 
Version: 10.10.011406;
Product: Intermec pm43 firmware 
Version: 10.10.011406;

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://apps.intermec.com/downloads/eps_download/Firmware%20Release%20Notes%20x10_11_013310.pdf
http://www.securityfocus.com/bid/97236
https://akerva.com/blog/intermec-industrial-printers-local-root-with-busybox-jailbreak/
https://github.com/kmkz/exploit/blob/master/CVE-2017-5671-Credits.pdf

Related CVE
CVE-2018-14825
On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80 running Android OS 7.1, CT40 running Android OS 7.1, CK75 running Android OS 6.0, CN75 running Android OS 6.0, CN75e running Android OS 6.0, CT50 running Android OS 6.0, D75e running An...
CVE-2017-14263
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker ...
CVE-2017-5143
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user without authenticating can make a directory traversal attack by accessing a specific URL.
CVE-2017-5141
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives...
CVE-2017-5139
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Any user is able to disclose a password by accessing a specific URL, because of Plaintext Storage of a Password...
CVE-2017-5140
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Password is stored in clear text.
CVE-2017-5142
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Imp...
CVE-2016-8344
An issue was discovered in Honeywell Experion Process Knowledge System (PKS) platform: Experion PKS, Release 3xx and prior, Experion PKS, Release 400, Experion PKS, Release 410, Experion PKS, Release 430, and Experion PKS, Release 431. Experion PKS d...

Copyright 2019, cxsecurity.com

 

Back to Top