Today Digital Defense, Inc. is publishing two zero-day vulnerabilities found in the Lexmark Markvision Enterprise application that our Vulnerability Research Team discovered and brought to the attention of Lexmark. Lexmark has worked diligently with Digital Defense to understand, resolve and verify the fixes for these security issues. Lexmark has released fixes. To obtain Markvision Enterprise v2.4.1 visit: https://www.lexmark.com/markvision Clients who currently use Digital Defense's Frontline™ Vulnerability Manager can scan for the presence of these issues by performing a full vulnerability assessment.
Details of the vulnerabilities are as follows:
Vendor: Lexmark Product: Markvision Enterprise Versions: 2.3.0 Link: https://www.lexmark.com/markvision Brief product description: Lexmark Markvision Enterprise Network is printer management software with the ability to manage up to 20,000 printers from multiple vendors.
Summary:
- DDI-VRT-2016- 73: Unauthenticated XML External Entity Injection via Crafted AMF Message (Critical)
- DDI-VRT-2016- 74: Authenticated Arbitrary File Upload Remote Code Execution via Crafted AMF Message (requires authentication)
Details:
Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message (CVE-2015-3269, Apache Flex BlazeDS library, blazeds-core-4.6.0.23207.jar)
Impact: Arbitrary file retrieval with SYSTEM privileges, denial of service and full compromise of the Markvision application and host operating system.
Details: No authentication is required to exploit this vulnerability. The Markvision Enterprise web application uses the blazeds-core-4.6.0.23207.jar to provide server side support for the Flash based web application. The version of this library used by the Markvision Enterprise application does not prevent the use of XML external entities which allows an attacker to retrieve arbitrary text files from the system hosting the application with SYSTEM privileges. This vulnerability can be exploited by sending an HTTP POST with the crafted AMF message to retrieve the encrypted, and Base64 encoded, admin credentials stored in a text file. The credentials can be easily decrypted as they are encrypted using a static key “rivet” and algorithm from the Jasypt Java library.
Vulnerability: Authenticated Arbitrary File Upload via Crafted AMF Message
Impact: Remote code execution with SYSTEM privileges.
Details: Authentication is required to exploit this vulnerability. Authenticated users are able to import assets into the Markvision Enterprise application by uploading a CSV file containing the asset information, such as IP address and hostname. When the file is uploaded, the application appends the current time in milliseconds and the ".csv" extension to the filename (original filename of the uploaded file) before storing it. By appending a single null byte to the original filename, the file will be stored with its original filename without appending the time in milliseconds or the ".csv" extension. Additionally, by prepending the filename with one or more "../" (dot dot slashes) and then an arbitrary path, the attacker can write the uploaded file to anywhere on the filesystem with SYSTEM privileges. By appending the null byte to the filename and using the directory traversal sequence, an attacker can write a web shell into the Markvision Enterprise web application's root directory, giving the attacker shell access to the hosting OS with SYSTEM privileges. None of the uploadFile methods attempt to sanitize the attacker controlled filename or file content, other than attempting to control part of the filename and the file extension which is easily bypassed.