Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22385
HistoryAug 27, 2009 - 12:00 a.m.

Xerox WorkCentre multiple models Denial of Service

2009-08-2700:00:00
vulners.com
13
JSON
      Louhi Networks Information Security Research
                   Security Advisory


 Advisory: Xerox WorkCentre multiple models Denial of Service

Release Date: 2009/08/25
Last Modified: 2009/08/25
Authors: Juho Ranta
[[email protected]]
Henri Lindberg, CISA
[[email protected]]

Application: Xerox WorkCentre
Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
Devices: Xerox WorkCentre 7132,
WC7232/7242, WC7328/7335/7345/7346 and
WC7425/28/35
Attack type: Denial of Service
Risk: Low
Vendor Status: Patch available for WC7232/7242
References: http://www.louhinetworks.fi/advisory/xerox_0908.txt

http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html

http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA

Overview

Quote from http://www.xerox.com/
"The Xerox WorkCentre 7132 multifunction is the affordable transition
to the next level of productivity for your office. One easy-to-use
device offers powerful printing, copying, scanning, and faxing. The
WorkCentre 7132 also gives you color when you need it, for critical
documents and for added impact. Robust functions, straightforward
operation, and color within your budget . that should keep everyone
smiling and productive."

During a brief assessment performed for Xerox WorkCentre 7132 it was
discovered that LPD daemon implementation contains a weakness
related  to robustness of LPD protocol handling. Attacker can crash
the whole device with a relatively simple attack. Recovering from
the denial-of-service condition requires power cycling the device.

Details

Device freezes when it is flooded with LPD requests having oversized
queue name length AND other features of the device are accessed
during the attack.

The LPD daemon terminates the connection when it receives a request
with an oversized queue name. The required minimum length for this
seems to vary. Our proof-of-concept attack sends ASCII character
blocks to the LPD daemon until connection is closed, while sending
HTTP requests to the web administration interface.

By flooding the device with these invalid LPD requests and accessing
other features at the same time, the device can be crashed. This was
verified with two different firmware versions (1.202.1 and 1.202.5).

It must be noted that successful denial-of-service attack requires
the steps described above. Sending requests with oversized queue
names does crash the device by itself.

Due to the black box nature of the performed attack against a
production device, we were not able to determine the exact root
cause for the crash. According to vendor this is caused by a memory
leak, but further exploitability or memory corruption has neither
been confirmed nor denied.

Vulnerability was detected with an LPD protocol implementation
written for Sulley Fuzzing Framework.

Preconditions

*LPD daemon is enabled.
*Attacker has network access to the LPD daemon
*Attacker has network access to other features OR
*Valid user uses the device on location

Symptoms of successful attack

One or more of the following:
 *Control panel lights are blinking, no response to pushing buttons
 *LCD panel displays error message
 *LCD panel displays a halted progress bar
 *Switching power off from on/off button takes more than 10 seconds

Proof of Concept:

Python code available at:
http://www.louhinetworks.fi/advisory/xerox/exploit.py
http://www.louhinetworks.fi/advisory/xerox/webInterface.py

Pictures of a crashed control panel (Finnish language):
http://www.louhinetworks.fi/advisory/xerox/error1.jpg
http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg

Web interface requests are performed with a separate Python
process/script in order to achieve more reliable exploitation under
Windows.

Mitigation:

Preventive
 *Install patch from vendor
 *Configure IPS signature for LPD requests with oversized queue
  names
 *Allow only trusted users to access LPD daemon
 *Disable LPD daemon

Detective
 *Configure IDS signature for LPD requests with oversized queue
  names

Disclosure Timeline (selected dates):

   X         2008    - Vulnerability discovered
  1. September 2008 - Contacted CERT-FI by email describing the
    issue with Xerox WC 7132
  2. November 2008 - CERT-FI confirms vendor has been notified
  3. January 2009 - Vendor is unable to reproduce the issue,
    but continues trying
  4. January 2009 - Vulnerability reproduced, vendor investigates
    other devices. Apologizes slow response.
  5. June 2009 - Vendor has identified vulnerable devices,
    patch due in July.
  6. August 2009 - Patch available for download (only
    WC7232/7242)
  7. August 2009 - Advisory released

A Big Thank You to CERT-FI's Vulnerability Coordination for persistent
coordination effort.

Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
no liabilities, information provided 'as is' for educational purposes.
Reproduction allowed as long as credit is given. Information wants to
be free.

JSON