Bugtraq mailing list archives

foofus.net security advisory - Lexmark Multifunction Printer Information Leakage


From: percx () foofus net
Date: Mon, 7 Nov 2011 15:32:47 GMT

============================================================================
Foofus.net Security Advisory: foofus-20111107
============================================================================
Title:          Lexmark Multifunction Printer Information exposure
Version:        X656de
Vendor:         Lexmark 
Release Date:   08/05/2011
============================================================================

1. Summary:

The Lexmark multifunction printer was found to be vulnerable to an information
leakage vulnerability.

============================================================================

2. Description:

Passwords can be extracted in plain text from the settings export file.
http://hostname-IP_Address/cgi-bin/exportfile/printer/config/secure/settingfile.ucf

============================================================================

3. Impact:

Exploiting this allows an adversary to extract passwords that can be used to gain
access to other critical systems.

============================================================================

4. Affected Products:
Lexmark X656de multifunction printer (Kernel=FPR.APS.F184-0, Base=LR.MN.P224a-0)
Other Lexmark and Dell branded Multifunction printers may also be vulnerable


============================================================================

5. Solution:

   Ensure that a complex password is set on the printer.

============================================================================

6. Time Table:

08/05/2011 Vulnerability Disclosed.
11/07/2011 Advisory Published.

============================================================================

7. Credits: Discovered by Deral Heiland PercX

============================================================================

8. Reference:
 http://www.foofus.net/?page_id=483
 http://www.foofus.net
 http://praeda.foofus.net


============================================================================
 
The Foofus.Net team is an assortment of security professionals located 
throughout the United States. http://www.foofus.net
Follow percX on Twitter @Percent_X

============================================================================ 
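
A defender's check for the exposure described in section 2, as an added example that is not part of the original advisory: it scans web proxy logs for requests to the settings export path and reports which clients were served the file. The Common Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Export path quoted in the advisory's Description section.
EXPORT_PATH = "/cgi-bin/exportfile/printer/config/secure/settingfile.ucf"

# Assumption: the proxy writes Common Log Format lines.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def split_target(target):
    """Return (host, normalized path) for an absolute or origin-form request target."""
    if target.startswith("/"):
        host, path = "-", target.split("?", 1)[0]
    else:
        parts = urlsplit(target)
        host, path = parts.netloc or "-", parts.path
    # Decode twice (double encoding), collapse repeated slashes, ignore case.
    path = re.sub(r"/{2,}", "/", unquote(unquote(path))).lower()
    return host, path

def find_export_requests(lines):
    """Return one record per logged request for the settings export file."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, path = split_target(m["target"])
        if path != EXPORT_PATH:
            continue
        status, size = int(m["status"]), 0 if m["size"] == "-" else int(m["size"])
        # "served" means the device answered 200 with a non-empty body.
        hits.append({"src": m["src"], "printer": host, "time": m["ts"],
                     "status": status, "served": status == 200 and size > 0})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2011:15:30:01 +0000] "GET http://198.51.100.20/cgi-bin/exportfile/printer/config/secure/settingfile.ucf HTTP/1.1" 200 48213',
    '192.0.2.11 - - [07/Nov/2011:15:31:12 +0000] "GET http://198.51.100.20/cgi-bin/exportfile/printer/config/secure/settingfile.ucf HTTP/1.1" 401 0',
    '192.0.2.10 - - [07/Nov/2011:15:32:40 +0000] "GET http://198.51.100.21/CGI-BIN/exportfile/printer/config/secure/settingfile%2Eucf HTTP/1.1" 200 47990',
    '192.0.2.12 - - [07/Nov/2011:15:33:05 +0000] "GET http://198.51.100.20/index.html HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    for hit in find_export_requests(SAMPLE_LOG):
        print(hit)
```

Any record with "served" set to true is a candidate for rotating every credential stored on that printer.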