Reading this? Then you can pop root shells on Markvision enterprises
Twin bug bombs perish with patch
Lexmark has patched two dangerous vulnerability in its Markvision enterprise IT analysis platform that grants remote attackers god-mode system access over the internet.
The platform is used by tech shops to manage thousands of devices.
Researchers with San Antonio based securtity consultancy Digital Defence reported the twin flaws in the platform.
The firm reported a critical unauthenticated XML external entity injection flaw and an authenticated arbitrary file upload remote code execution hole, both granting system level privileges resulting in total compromise.
The first allows anyone to pop the Markvision Enterprise web application thanks to a buggy blazeds-core-18.104.22.16807.jar library that fails to stop XML external entities.
Attackers can pull administrator credentials text files from the application by sending an HTTP POST with the crafted AMF message. The login is encrypted, and Base64 encoded, but use a static key rivet which can be "easily" decrypted.
With those credentials in hand, attackers can gain remote code execution with system privileges and upload a web shell to a root directory.
Researchers say it is gained by uploading a CSV file and appending a null byte or ../ to the filename, opening up directory traversal.
"None of the uploadFile methods attempt to sanitise the attacker controlled filename or file content, other than attempting to control part of the filename and the file extension which is easily bypassed," the researchers said.
Vulnerable enterprises should immediately update to version Markvision 2.4.1. ®