CVE-2022-25342

Vulnerability Description: CWE-284: Improper Access Control
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25342
CVSv3: 8.1
Severity: High
Credits: Vincenzo Nigro, Massimiliano Brolli

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed.

NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.

Step-by-step instructions and PoC
If you have access to the credentials of a user (non-administrator), with at least one system administrator permission (as shown in Figure 1), it is possible to modify the details of any user, even of an administrator, including the password: the following figure shows the permissions of testpt user.

Once you logged in as testpt user, you have to click on “Impostazioni di gestione” and then on “Riavvio/Reset” while intercepting the request using burpsuite.

At this point, by substituting the following URL is possible to spawn the admin panel with all the users of the system

• GET /mngset/authset/MngSet_Auth_NewUsrPrpty.htm?arg1=1&arg2=0&arg3=&arg4=1&arg5=1&arg6=&arg50=0 HTTP/1.1

By clicking on any user you can bring up the properties panel, where you can edit his information, including its password.

By clicking “Invia” POST request will be made, and the password of the user will be modified.

In this way you can be able to login in as Admin user with the new password and then you can create new accounts or edit all kind of settings.