Xerox Phaser 4622 Vulnerability

This vulnerability lies in the time utility and affects the latest version of the Xerox Phaser 4622 firmware. The latest version of this product is Phaser 4622 Firmware Release V35.013.01.000, according to the official Xerox website.

Vulnerability description

There is a stack buffer overflow vulnerability in function sub_3226AC, which is called by the time function, as shown in the figure below.

[Image 2: decompiled call of sub_3226AC from the time function; image not included in this page]

The function sub_3226AC uses strcpy to copy the string pointed to by TIMEZONE into a stack buffer pointed to by v30. TIMEZONE holds the value of the environment variable of the same name, which is obtained via the function getenv_.

[Image 1: decompiled sub_3226AC showing the strcpy into v30; image not included in this page]

Any user can set any environment variable to any value using the provided setenv utility, as long as the <key>=<value> string does not exceed 0x100 bytes, according to the function logic. See the decompiled code snippets below.

[Images 4 and 3: decompiled setenv logic with the 0x100 length limit; images not included in this page]

A string of length 0x100 is therefore enough to smash the stack frame of sub_3226AC.

So by first setting TIMEZONE and then invoking the command line utility time, an attacker can cause a Denial of Service or achieve Remote Code Execution with carefully crafted overflow data.
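To make the root cause and the fix concrete, the following added example (written for this page, not the firmware's own code and not from the advisory authors) reconstructs the pattern described above in plain C: an environment value read with getenv is copied into a fixed-size stack buffer without a length check, next to a bounded replacement that refuses values that do not fit. The buffer size TZ_BUF_SIZE, the function names and the sample value are assumptions; the advisory only states that setenv accepts up to 0x100 bytes of <key>=<value>.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the stack buffer v30; the real size is not given in the
 * advisory, this is a placeholder for illustration. */
#define TZ_BUF_SIZE 64
/* Limit the advisory reports for "<key>=<value>" accepted by setenv. */
#define SETENV_MAX 0x100

/* Reconstruction of the vulnerable pattern (not the firmware's code):
 * an unbounded strcpy of an attacker-controlled environment value into a
 * fixed-size buffer. Overflows whenever strlen(tz) >= dst size. */
void copy_timezone_unbounded(char *dst, const char *tz) {
    strcpy(dst, tz);
}

/* Hardened form: reject values that do not fit (including the terminator)
 * and never write past dst_size. Returns 0 on success, -1 on error. */
int copy_timezone_bounded(char *dst, size_t dst_size, const char *tz) {
    if (tz == NULL || dst == NULL || dst_size == 0)
        return -1;
    size_t len = strnlen(tz, dst_size);   /* stops scanning at dst_size */
    if (len >= dst_size)
        return -1;                        /* would overflow, refuse */
    memcpy(dst, tz, len + 1);             /* copies the NUL as well */
    return 0;
}

/* Defender-side check: would a value that setenv accepts still overflow a
 * buffer of buf_size bytes? Returns 1 if it would, 0 otherwise. */
int timezone_value_overflows(const char *value, size_t buf_size) {
    return strlen(value) + 1 > buf_size;
}

/* Build a constructed sample value of `len` 'z' characters into out, which
 * must have room for len + 1 bytes (mirrors the shape of the POC string). */
void build_sample_timezone(char *out, size_t len) {
    memset(out, 'z', len);
    out[len] = '\0';
}

int main(void) {
    char buf[TZ_BUF_SIZE];
    char value[SETENV_MAX];

    /* Constructed: a value that fits under setenv's 0x100 limit together
     * with the "TIMEZONE=" prefix, but is far longer than the buffer. */
    build_sample_timezone(value, SETENV_MAX - strlen("TIMEZONE=") - 1);
    setenv("TIMEZONE", value, 1);
    const char *tz = getenv("TIMEZONE");

    printf("value length %zu, buffer size %d, overflows: %d\n",
           strlen(tz), TZ_BUF_SIZE, timezone_value_overflows(tz, sizeof buf));
    printf("bounded copy result: %d (expected -1)\n",
           copy_timezone_bounded(buf, sizeof buf, tz));
    /* copy_timezone_unbounded(buf, tz) would smash the stack here. */

    setenv("TIMEZONE", "UTC", 1);
    printf("bounded copy of short value: %d, buf=%s\n",
           copy_timezone_bounded(buf, sizeof buf, getenv("TIMEZONE")), buf);
    return 0;
}
```

The bounded version uses strnlen so that scanning stops at the destination size; the length check `len >= dst_size` is what turns an overflow into a refused input, and the memcpy of `len + 1` bytes keeps the result NUL-terminated. The same check applied at the point where setenv stores a value (against the consumer's buffer size rather than only the 0x100 key=value limit) would close the gap the advisory describes.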

POC

TIMEZONE=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Timeline

  • 2021.07.18 report to Xerox, CVE and CNVD
  • 2021.08.31 CNVD ID assigned: CNVD-2021-57348
  • 2022.02.16 CVE ID assigned: CVE-2021-37354

Acknowledgment

Credit to @Ainevsia, @peanuts and @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.