Researcher Details Lexmark Printer “Zero-Day” Vulnerability
Details have emerged about a currently unpatched security flaw in Lexmark printers that an attacker could exploit to fully compromise the device. The researcher has also released a proof-of-concept exploit for this Lexmark printer “0-day”.
The researcher, known as Blasty, shared a GitHub page hosting a proof-of-concept (PoC) exploit that chains four vulnerabilities to take control of the affected device.
Lexmark International, Inc. is a privately held American company that manufactures laser printers and imaging products. The company is headquartered in Lexington, Kentucky.
The researcher found that the product is affected by two vulnerabilities that let an attacker copy file data from a source path to a destination path and induce the server-side application to make requests to an unintended location (a server-side request forgery, or SSRF). The write-up also describes two further issues that let an authenticated attacker upload arbitrary files and execute code with elevated privileges.
According to the researcher, the four weaknesses can be chained into a single attack that ends in full compromise of the device.
The PoC exploit was successfully tested against a Lexmark MC3224adwe printer running the latest firmware at the time, CXLBL.081.225, “but is reported to work against other printers/copiers as well.”
How the chain achieves full compromise and privilege escalation of the system:
- The arbitrary file upload bug is used to write a privilege escalation payload to the filesystem.
- Two HTTP requests with the correct SOAP bodies are sent to TCP port 65002.
- This triggers an SSRF condition that makes the device send an HTTP request to the internal TCP port 12039.
- Because the daemon on TCP port 12039 speaks a line-based protocol, the HTTP request stanza is ignored until the parser reaches the attacker-controlled input that was smuggled as part of the path in the callback URI.
- The SSRF trigger executes multiple ‘copy file’ commands, which preserve the LPE payload and trigger command execution by writing malicious input to /run/svcerr/auto_fwdebug_pipe.
- The auto-fwdebugd daemon picks up this malicious input and executes an arbitrary command (limited in length, but long enough to stage a larger payload).
- Code execution as the root user is achieved.
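The step that turns the SSRF into command execution is the one worth understanding: a line-oriented service that silently skips lines it does not recognise will treat `GET /path HTTP/1.1` and the headers as junk, so anything an attacker can get onto its own line inside the request path becomes a command. The following is an added simulation of that mechanism, written for this article and not taken from the researcher's PoC or from Lexmark. The daemon, its `COPY <src> <dst>` command syntax, the percent-decoding HTTP client, the allow-listed hostname `printer-hub.example` and every file path below are invented assumptions for illustration; only the port number 12039 and the general shape of the chain come from the write-up.

```python
# Hypothetical, self-contained simulation of the SSRF-to-line-protocol smuggling step.
# Command syntax, paths and the client's behaviour are invented for illustration and
# are NOT Lexmark's real daemon, message format or file layout.
from urllib.parse import unquote

# Constructed in-memory "filesystem" standing in for the device's storage; the script
# at /tmp/upload/lpe.sh plays the role of the payload staged via the upload bug.
SAMPLE_FS = {
    "/tmp/upload/lpe.sh": b"#!/bin/sh\nid > /tmp/pwned\n",
}


class ToyLineDaemon:
    """Line-oriented service that ignores lines it does not understand.

    This is the property the chain relies on: the HTTP request line and headers
    are skipped as noise, and only a recognised command line is acted on.
    """

    def __init__(self, fs):
        self.fs = dict(fs)
        self.log = []

    def handle(self, data: bytes):
        for raw in data.split(b"\n"):
            line = raw.rstrip(b"\r").decode("latin-1")
            parts = line.split(" ")
            # Invented command syntax: COPY <src> <dst>
            if len(parts) == 3 and parts[0] == "COPY":
                src, dst = parts[1], parts[2]
                if src in self.fs:
                    self.fs[dst] = self.fs[src]
                    self.log.append(f"COPY {src} -> {dst}")
                else:
                    self.log.append(f"COPY failed: {src} missing")
            elif line:
                self.log.append(f"ignored: {line}")
        return self.log


def naive_split_url(url: str):
    """Minimal URL parser standing in for an embedded HTTP client that does no
    validation (assumption: the real client's parsing is not described in the article)."""
    _scheme, rest = url.split("://", 1)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return host, int(port or 80), "/" + path


def build_request_vulnerable(callback_url: str) -> bytes:
    """Vulnerable: percent-decodes the path and writes it to the wire unchecked, so
    %0d%0a in the attacker's callback URL becomes a real line break on the socket."""
    host, port, path = naive_split_url(callback_url)
    path = unquote(path)
    return (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Connection: close\r\n\r\n").encode("latin-1")


def build_request_hardened(callback_url: str, allowed_hosts=("printer-hub.example",)) -> bytes:
    """Hardened: only allow-listed external callback hosts (the SSRF fix) and no
    control characters in the path (the smuggling fix)."""
    host, port, path = naive_split_url(callback_url)
    path = unquote(path)
    if host not in allowed_hosts:
        raise ValueError(f"callback host not allowed: {host}")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        raise ValueError("control characters in callback path")
    return (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Connection: close\r\n\r\n").encode("latin-1")


# Attacker-controlled callback URL: points back at the internal port and smuggles two
# COPY commands after the request line. The trailing %0d%0a pushes the client's own
# " HTTP/1.1" suffix onto a line of its own so it cannot corrupt the last command.
SMUGGLED_URL = (
    "http://127.0.0.1:12039/cb"
    "%0d%0aCOPY%20/tmp/upload/lpe.sh%20/run/toy/lpe.sh"
    "%0d%0aCOPY%20/tmp/upload/lpe.sh%20/run/toy/debug_pipe"
    "%0d%0a"
)


def run_vulnerable(url: str = SMUGGLED_URL):
    """Feed the unchecked request to the toy daemon; returns (log, resulting fs)."""
    daemon = ToyLineDaemon(SAMPLE_FS)
    return daemon.handle(build_request_vulnerable(url)), daemon.fs


def run_hardened(url: str = SMUGGLED_URL) -> str:
    """Same URL through the hardened client; returns 'sent' or the rejection reason."""
    try:
        build_request_hardened(url)
        return "sent"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    log, fs = run_vulnerable()
    print("\n".join(log))
    print(sorted(fs))
    print(run_hardened())
```

Running it shows the request line and headers logged as `ignored:` while both smuggled `COPY` lines are executed, and the same URL refused by the hardened client. Note that the second rejection check (control characters) must run after percent-decoding, since that is the form in which the bytes reach the socket; checking the encoded string would let `%0d%0a` through.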
At the time of writing, Lexmark has not released a fix for these vulnerabilities in its printer products.