OSVDB ID: 28249

Title: Fuji Xerox Printing Systems (FXPS) Print Engine FTP PORT Command Bounce Attack

Dates

Disclosure: Aug 24, 2006
Discovery: Apr 11, 2006
Exploit: Unknown
Solution: Unknown

Description

Fuji Xerox Printing Systems (FXPS) Print Engine contains a flaw that may lead to an unauthorized information disclosure. The problem is that the FTP server does not validate IP addresses supplied via the PORT command. A remote attacker can make the server establish a connection to an arbitrary port on another system in order to perform a portscan, which will disclose sensitive system information resulting in a loss of confidentiality.
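
The missing check, sketched as an added example (not code from the vendor or from OSVDB): an FTP server or a control-channel monitor compares the address in each PORT command with the peer address of the control connection. The function names and the sample lines are constructed for illustration, and the refusal of data ports below 1024 goes beyond the address check described above; it follows the recommendation in RFC 2577.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as two bytes
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(line):
    """Return (IPv4Address, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_port(client_ip, line):
    """Verdict for one PORT command received on a control connection from client_ip."""
    parsed = parse_port(line)
    if parsed is None:
        return "reject: malformed PORT argument"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        return f"reject: data address {ip} is not the control peer {client_ip}"
    if port < 1024:  # assumption: policy taken from RFC 2577, not from this entry
        return f"reject: privileged data port {port}"
    return "allow"

# Constructed sample: (control-connection peer, command as received)
SAMPLE = [
    ("192.0.2.10", "PORT 192,0,2,10,195,80"),  # own address, port 50000
    ("192.0.2.10", "PORT 198,51,100,7,0,22"),  # address of a different host
    ("192.0.2.10", "PORT 192,0,2,10,0,25"),    # own address, port below 1024
    ("192.0.2.10", "PORT 192,0,2,300,1,1"),    # octet out of range
]

def audit(sample=SAMPLE):
    """Return the verdict for every (peer, command) pair in the sample."""
    return [check_port(peer, line) for peer, line in sample]

if __name__ == "__main__":
    for (peer, line), verdict in zip(SAMPLE, audit()):
        print(f"{peer:12} {line:26} -> {verdict}")
```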

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Upgrade the firmware to the latest version available from the vendor, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable FTP printing.

Products

Dell

  • 3000cn: A05, Unknown or Unspecified
  • 3100cn: A05, Unknown or Unspecified
  • 5100cn: A05, Unknown or Unspecified
  • 3010cn: A01, Unknown or Unspecified
  • 3110cn: A01, Unknown or Unspecified
  • 5110cn: A01, Unknown or Unspecified

References

Credit

  • Sean Krulewitch - Indiana University
  • Nate Johnson - Indiana University


Direct URL: http://osvdb.org/28249