CVE-2022-25343

Vulnerability Description: CWE-400: Denial of Service
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25343
CVSv3: 7.5
Severity: High
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.

NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.

Step-by-step instructions and PoC

The vulnerability is an unauthenticated POST request to the page /download/set.cgi. The web application get on system error by manipulating the variable failhtmfile and adding a relative path to a non-existent file, with most of the common path traversal payloads:

• .;%2f.;%2f.;%2f.;%2f.;%2f.;%2fetc%2fpasswd
• ..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

…and so on.

After that, all the resources of the Web Application will answer 404 Not Found, until the printer is restarted.

Affected Endpoints

• URL: /download/set.cgi
• HTTP Parameter: failhtmfile

Below are the evidences with the vulnerability details and the payloads used.