[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Lantronix xPrintServer Code execution and CSRF vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Lantronix xPrintServer Code execution and CSRF vulnerability
From: Jim Bauwens <jimbauwens@xxxxxxxxx>
Date: Tue, 11 Nov 2014 15:28:36 +0100

Hi,

The Lantronix xPrintServer is a small Linux powered print server for iOS. Main 
configuration happens through a web interface.

The problem is that the configuration happens through some ‘RPC’ interface; the 
web interfaces uses AJAX requests to talk to a CGI script that simply executes 
shell commands given to it. Take a look at the following screenshot:

http://i.imgur.com/gjbZhXZ.png

So.. that’s not really so secure. Launching a request to 
http://myip/ips?OP=rpc&c=whoami&a=0 tells me that everything is running as 
root. 

To make matters worse:
- The CGI script is accessible without needing to use credentials 
- The devices uses bonjour that by defaults registers itself as 
xprintserver.local in the local network
- The device has no CSRF protection

Example code that allows any website to fetch the Linux version.
<script 
src="http://xprintserver.local/ips?OP=rpc&c=echo%20var%20version=%27%22%27%20$(uname%20-a)%27%22%27&a=0”></script>
 

This vulnerability is not reported to the vendor yet (because I need to 
register talk to their support).

Greetings,
Jim

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Piwigo <= v2.6.0 - Blind SQL Injection
Next by Date: [FD] [ESNC-2039348] Multiple Critical Security Vulnerabilities in SAP Governance, Risk and Compliance (SAP GRC)
Previous by thread: [FD] Piwigo <= v2.6.0 - Blind SQL Injection
Next by thread: [FD] [ESNC-2039348] Multiple Critical Security Vulnerabilities in SAP Governance, Risk and Compliance (SAP GRC)
Index(es):
- Date
- Thread