Lucene search
K

Xerox DocuCentre / WorkCentre Postscript Interpreter Traversal (XRX05-001)

🗓️ 16 May 2005 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 11 Views

The Xerox Document Centre or WorkCentre PostScript interpreter allows unauthorized access to directory structur

Refs
Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18266);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_bugtraq_id(12335);

  script_name(english:"Xerox DocuCentre / WorkCentre Postscript Interpreter Traversal (XRX05-001)");
  script_summary(english:"Checks model number / software version");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a directory traversal attack.");
  script_set_attribute(
    attribute:"description",
    value:
"According to its model number and software versions, the remote host
is a Xerox Document Centre or WorkCentre device in which the
PostScript interpreter may allow unauthorized access to the underlying
directory structure.  Using a specially crafted PostScript file, an
attacker could exploit this flaw and gain access to sensitive files on
the affected device, including its encrypted password file."
  );
  # https://www.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX05_001.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf08de37");
  script_set_attribute(attribute:"see_also", value:"https://www.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX04-10.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX04-05.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX04-03.pdf");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the appropriate patches as described in the Xerox security
bulletins."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:xerox:workcentre");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:xerox:document_centre");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("xerox_document_centre_detect.nasl", "xerox_workcentre_detect.nasl");
  script_require_ports("www/xerox_document_centre", "www/xerox_workcentre");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# This function returns TRUE if the version string ver lies in
# the range [low, high].
function ver_inrange(ver, low, high)
{
  local_var ver_parts, low_parts, high_parts, i, p, low_p, high_p;

  if (isnull(ver) || isnull(low) || isnull(high)) return FALSE;

  # Split levels into parts.
  ver_parts = split(ver, sep:".", keep:0);
  low_parts = split(low, sep:".", keep:0);
  high_parts = split(high, sep:".", keep:0);

  # Compare each part.
  i = 0;
  while (ver_parts[i] != NULL)
  {
    p = int(ver_parts[i]);
    low_p = int(low_parts[i]);
    if (low_p == NULL) low_p = 0;
    high_p = int(high_parts[i]);
    if (high_p == NULL) high_p = 0;

    if (p > low_p && p < high_p) return TRUE;
    if (p < low_p || p > high_p) return FALSE;
    ++i;
  }
  return TRUE;
}


# Check whether the device is vulnerable.
#
# - Document Centre devices.
if (get_kb_item("www/xerox_document_centre"))
{
  model = get_kb_item_or_exit("www/xerox_document_centre/model");
  ess = get_kb_item_or_exit("www/xerox_document_centre/ess");

  # No need to check further if ESS has ".P9" or ".P12" since these
  # indicate the patch has already been applied.
  if (ess && ess =~ "\.P(9|12)[^0-9]?") audit(AUDIT_HOST_NOT, "affected");

  # Test model number and ESS level against those in Xerox's
  # Security Bulletin XRX04-005.
  if (
    # nb: models 535/545/555 with ESS 19.10.047.1 - 19.12.19.1
    (model =~ "5[345]5" && ver_inrange(ver:ess, low:"19.10.047.1", high:"19.12.19.1")) ||

    # nb: models 460/470/480/490 with ESS <= 19.05.519 or 19.5.902 - 19.5.912.
    (
      model =~ "4[6-9]0" &&
      (
        ver_inrange(ver:ess, low:"0", high:"19.05.519") ||
        ver_inrange(ver:ess, low:"19.5.902", high:"19.5.912")
      )
    ) ||

    # nb: models 420/432/440 with ESS 2.1.2 - 2.3.19
    (model =~ "4(20|32|40)" && ver_inrange(ver:ess, low:"2.1.2", high:"2.3.19")) ||

    # nb: models 425/432/440 with ESS 3.0.5.4 - 3.2.29
    (model =~ "4(25|32|40)" && ver_inrange(ver:ess, low:"3.0.5.4", high:"3.2.29")) ||

    # nb: model 430 with ESS 3.3.24 - 3.3.29
    (model =~ "430" && ver_inrange(ver:ess, low:"3.3.24", high:"3.3.29")) ||

    # nb: models 240/255/265 with ESS 17.4.10 - 17.9.34 or 18.6.05 - 18.6.96
    (
      model =~ "2(40|55|65)" &&
      (
        # nb: there's no patch for 17.4.10 - 17.9.34.
        ver_inrange(ver:ess, low:"17.4.10", high:"17.9.34") ||
        ver_inrange(ver:ess, low:"18.6.05", high:"18.6.96")
      )
    ) ||

    # nb: models 220/230/332/340 with ESS 1.12.08 - 1.12.85
    (model =~ "(2[23]0|3(32|40))" && ver_inrange(ver:ess, low:"1.12.08", high:"1.12.85"))
  )
  security_hole(0);
  exit(0);
}

# - WorkCentre devices.
if (get_kb_item("www/xerox_workcentre"))
{
  model = get_kb_item_or_exit("www/xerox_workcentre/model");
  ssw = get_kb_item_or_exit("www/xerox_workcentre/ssw");
  ess = get_kb_item_or_exit("www/xerox_workcentre/ess");

  # No need to check further if ESS has ".P5", ".P18", or ".P19" since
  # these indicate the patch has already been applied.
  if (ess && ess =~ "\.P(5|18|19)[^0-9]?") audit(AUDIT_HOST_NOT, "affected");

  # Test model number and software version against those in Xerox's
  # Security Bulletins XRX04-003, XRX04-010, and XRX05-001.
  if (
    # nb: models M35/M45/M55 or Pro 35/45/55 with ESS 1.01.108.1 - 1.02.358.3 or SSW 2.28.11.000 - 4.97.20.025
    (
      model =~ "(M|Pro )[345]5" &&
      (
        ver_inrange(ver:ess, low:"1.01.108.1", high:"1.02.358.3") ||
        ver_inrange(ver:ssw, low:"2.28.11.000", high:"4.97.20.025")
      )
    ) ||

    # nb: models 65/75/90 with ESS 1.00.60.3 - 1.02.055.2 or SSW 01.001.00.060 - 01.001.02.082
    (
      model =~ "(65|75|90)" &&
      (
        ver_inrange(ver:ess, low:"1.00.60.3", high:"1.02.055.2") ||
        ver_inrange(ver:ssw, low:"01.001.00.060", high:"01.001.02.082")
      )
    ) ||

    # nb: models 32/40 Color with ESS 01.00.060 - 01.02.058.4
    (model =~ "(32|40)C" && ver_inrange(ver:ess, low:"01.00.060", high:"01.02.058.4")) ||

    # nb: models Pro 32/40 Color with SSW 01.00.060 - 01.02.083
    (model =~ "Pro (32|40)C" && ver_inrange(ver:ssw, low:"01.00.060", high:"01.02.083"))
  )
  security_hole(0);
  exit(0);
}
audit(AUDIT_HOST_NOT, "affected");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation