CVSS 5.4 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Base Score: 5.4
Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book encrypted, but the encryption strength is insufficient.
The affected devices and versions are listed here.
On an internal infrastructure test, I (@Root_Kunal) identified a Xerox multifunction printer which I was trying to enumerate for common vulnerabilities such as default or easily guessable credentials for the admin interface. When looking at the Address Book, I could see that there were entries in there, but when I clicked any of them I was given a “You do not have permission to use this feature” error.
I decided to see what the request for these contacts looked like and noticed that nothing was being sent to the web server when clicking a contact name and receiving the error. This usually means that the data has already been requested and that a client-side JavaScript check decides whether the user is allowed to see it. In other words, I could retrieve the contact information even though I seemingly did not have permission.
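To make the point concrete, here is an added illustration (not code from the affected devices or from either vendor) of the two handler patterns: one that returns the whole Address Book and leaves the permission check to the browser, and one that enforces the check on the server and keeps the credential fields out of the response entirely. The entries, role names and field names are constructed for the example.

```javascript
// Constructed sample Address Book: two scan destinations with stored
// credentials, as the SOAP/JSON response described above would carry them.
const addressBook = [
  { id: 1, name: 'scan-share', host: 'fs01.example.internal', protocol: 'SMB',
    keyName: 'PLACEHOLDER-KEYNAME', cipherValue: 'PLACEHOLDER-CIPHERVALUE' },
  { id: 2, name: 'ftp-archive', host: 'ftp.example.internal', protocol: 'FTP',
    keyName: 'PLACEHOLDER-KEYNAME', cipherValue: 'PLACEHOLDER-CIPHERVALUE' },
];

// Weak pattern: every entry, credentials included, is sent to the client
// together with a flag, and the page's JavaScript hides the data when the
// flag is false. Anyone who can issue the request receives everything.
function weakAddressBookHandler(session) {
  return {
    canView: session.roles.includes('addressbook.read'),
    entries: addressBook,
  };
}

// Hardened pattern: the permission decision is made on the server, and the
// stored credential material is never included in an export response.
function hardenedAddressBookHandler(session) {
  if (!session.authenticated || !session.roles.includes('addressbook.read')) {
    return { status: 403, body: { error: 'You do not have permission to use this feature' } };
  }
  // Strip keyName and cipherValue; only the public destination fields remain.
  const redacted = addressBook.map(({ keyName, cipherValue, ...publicFields }) => publicFields);
  return { status: 200, body: { entries: redacted } };
}

// Review helper: does a captured response body contain credential fields at all?
// Useful when checking a device's own responses after a configuration change.
function leaksCredentialFields(body) {
  const text = JSON.stringify(body);
  return text.includes('"keyName"') || text.includes('"cipherValue"');
}

const anonymous = { authenticated: false, roles: [] };
console.log(leaksCredentialFields(weakAddressBookHandler(anonymous)));  // true
console.log(hardenedAddressBookHandler(anonymous).status);              // 403
```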
I navigated away from the Address Book section of the device and clicked it again. The request that was made looked like this:
The response was a SOAP XML document with embedded JSON data which includes all the entries that existed within the Address Book. It also included encrypted credentials for the SMB and FTP servers (if any) which the users’ scans could upload to. An entry from the Address Book in the JSON looked something like this:
KeyName and CipherValue definitely piqued my interest! I asked around internally if anyone could give me a hand at trying to find out:
My colleague had a look at the response and identified that the KeyName was a Base64 encoded SHA-1 hash and that the plaintext for this hash was an easily guessable value.
This led him to reverse engineer the firmware to identify how the CipherValue (i.e. the password) was derived. Once the encryption code was identified, the decryption process was simply the reverse of it and was as follows:
We’ve withheld a POC script for this for the moment to ensure that all devices have had an opportunity to be patched.
We then looked to Shodan to identify how widespread this issue was or if this was an isolated issue. We identified 1917 of these devices exposed on the internet. During some internal research, we also identified two other static keys in use.
There are configuration options across the devices which can prevent anonymous users from requesting the Address Book without authentication. These should be implemented so that access to the Address Book is configured with the “Restrict” or “Locked” settings rather than the “Hide” setting (as we saw cases where it was hidden but it was still possible to request the Address Book). Refer to your printer’s manual for instructions on how to perform this action, as it varies from device to device.
An update has been released by FujiFilm and Xerox for these devices which prevents the data from being sent in the API:
<https://www.fujifilm.com/fbglobal/eng/company/news/notice/2023/1031_addressbook_announce.html>
Xerox have released their publication here:
<https://security.business.xerox.com/en-us/documents/bulletins/>
Japanese Vulnerability Notes have released their publication here:
<https://jvn.jp/en/vu/JVNVU96482726/>