Vulnerability Description: CWE-400: Denial of Service
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25343
CVSv3: 7.5
Severity: High
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.
NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.
Step-by-step instructions and PoC
The vulnerability is an unauthenticated POST request to the page /download/set.cgi. The web application get on system error by manipulating the variable failhtmfile and adding a relative path to a non-existent file, with most of the common path traversal payloads:
- .;%2f.;%2f.;%2f.;%2f.;%2f.;%2fetc%2fpasswd
- ..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
…and so on.
After that, all the resources of the Web Application will answer 404 Not Found, until the printer is restarted.
Affected Endpoints
- URL: /download/set.cgi
- HTTP Parameter: failhtmfile
Below are the evidences with the vulnerability details and the payloads used.
