CVE-2022-25342 – Olivetti d-COLOR MF3555

Vulnerability Description: CWE-284: Improper Access Control
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25342
CVSSv3: 8.1
Severity: High
Credits: Vincenzo Nigro, Massimiliano Brolli

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The web application is affected by Broken Access Control: it does not properly validate requests for access to data and functionality under the /mngset/authset path. Because permissions are not verified before resources are served, a potential attacker can view pages they are not authorized to access.

NOTE: This vulnerability has been fixed in firmware version 2XD_S000.002.703, available from January 17th, 2022, and in later versions.

Step-by-step instructions and PoC
If you have the credentials of a non-administrator user that holds at least one system administrator permission (as shown in Figure 1), it is possible to modify the details of any user, even an administrator, including the password. The following figure shows the permissions of the testpt user.

Figure 1: Permission needed to reproduce the attack

Once logged in as the testpt user, click on “Impostazioni di gestione” (management settings) and then on “Riavvio/Reset” (restart/reset) while intercepting the request with Burp Suite.

Figure 2: Panel of testpt user

Figure 3: HTTP request intercepted when clicking on “Riavvio/Reset”

At this point, by replacing the request path with the following URL, it is possible to open the admin panel listing all the users of the system:

  • GET /mngset/authset/MngSet_Auth_NewUsrPrpty.htm?arg1=1&arg2=0&arg3=&arg4=1&arg5=1&arg6=&arg50=0 HTTP/1.1

Figure 4: Admin panel with all user settings, from the unprivileged account testpt

Clicking on any user opens the properties panel, where that user's details, including the password, can be edited.

Figure 5: Properties panel of user Admin, from the unprivileged account testpt

Clicking “Invia” (send) issues a POST request, and the user's password is modified.

Figure 6: POST request to change Admin password

In this way it is possible to log in as the Admin user with the new password and then create new accounts or edit any kind of setting.
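The server-side check the advisory describes as missing, as an added example that is not Olivetti firmware or TIM code: the weak pattern (holding any one administrative permission unlocks the whole management area) beside a per-resource, deny-by-default check that also normalizes the request path before comparing it. The permission names, the reboot path and the sessions are assumed for illustration; only the /mngset/authset path and page name come from the advisory.

```python
"""Added illustration, not Olivetti or TIM code: server-side authorization for
management pages such as /mngset/authset/, contrasting the weak pattern the
advisory describes with a per-resource, deny-by-default check. Names are made up."""
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote

PERM_REBOOT = "system_reboot"        # hypothetical permission names
PERM_USER_MGMT = "user_management"

REQUIRED_PERMISSION = {  # permission per management prefix (no trailing slash)
    "/mngset/authset": PERM_USER_MGMT,  # user list and user properties pages
    "/mngset/reboot": PERM_REBOOT,      # constructed path for the Riavvio/Reset page
}

@dataclass
class Session:
    user: str
    permissions: set = field(default_factory=set)

def normalize(url: str) -> str:
    """Drop the query string, percent-decode, collapse '..' and extra leading
    slashes so that a disguised URL cannot slip past the prefix comparison."""
    raw = unquote(url.split("?", 1)[0])
    return posixpath.normpath("/" + raw.lstrip("/"))

def under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def weak_is_allowed(session: Session, url: str) -> bool:
    """Broken pattern: any single administrative permission is enough to
    reach every /mngset/ page, including the user-management pages."""
    if not under(normalize(url), "/mngset"):
        return True  # ordinary pages are open to any logged-in user
    return bool(session.permissions)

def is_allowed(session: Session, url: str) -> bool:
    """Hardened check: each prefix requires its own permission, and any
    unmapped /mngset/ path is denied rather than assumed harmless."""
    path = normalize(url)
    if not under(path, "/mngset"):
        return True
    for prefix, perm in REQUIRED_PERMISSION.items():
        if under(path, prefix):
            return perm in session.permissions
    return False

# Constructed sessions: testpt holds a single admin permission, as in Figure 1.
TESTPT = Session("testpt", {PERM_REBOOT})
ADMIN = Session("admin", {PERM_REBOOT, PERM_USER_MGMT})
```

With the weak check, testpt reaches the user list page from the advisory; with the per-resource check it is denied, while the reboot page it was actually granted still works.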