Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: High Risk Vulnerability in Lexmark Printer Sharing Service

from [KF (lists)] Network Security [Permanent Link]
Subject: Re: High Risk Vulnerability in Lexmark Printer Sharing Service
Date: Tue, 07 Feb 2006 13:44:14 -0500
Here is a lexmark related local Security issue... I never got anywhere with regard to disclosure... enjoy

Lexmark skins code execution.

Either LEXBCES.exe, LXBKPSWX.exe, LXBKJSWX.exe, or LEXPPS.exe allows interaction from the user while running as SYSTEM. This interaction can lead to CMD.exe running as NT AUTHORITY\SYSTEM. I can not figure out which is the cause yet.

This information was tested on Lexmark X1185 all in one printer . Other printers and Dell versions of the Lexmark printer line may also be affected. Due to the lack of access to the specified devices I can not verify this information further.

Print any document. Wait for the voice to come through your speakers and say "Printing started". Click the "Appearance" icon on the window that has popped up near your systray. Once the next window pops up click "Additional styles (skins) are available on the Lexmark web site."

You should now have a browser running as SYSTEM.

Navigate to c:\windows\system32\ right click on cmd.exe and click execute.

This can obviously be automated via shatter style messaging ala SendMessage() and PostMessage().


-KF

NGSSoftware Insight Security Research wrote:

Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability
in the Lexmark Printer Sharing service which could allow a remote,
unauthenticated attacker to execute arbitrary code on a Lexmark printer
user's computer system with Local System privileges.

There is no known official patch or workaround for this issue, as Lexmark
have proven unresponsive throughout the investigation and have failed
to provide us with a response to our queries on many occasions.

Communications between NGS and Lexmark to date are summed up in the
following time-line:

[28/09/2005] Initial email to support@lexmark.com
[28/09/2005] Automated reply from support@lexmark.com
[29/09/2005] Re-sent email to csupportuk@lexmark.co.uk .. No response
[03/10/2005] Mass mail to secure@lexmark.com, security@lexmark.com,
security-alert@lexmark.com, info@lexmark.com .. No response
[04/10/2005] First response from Lexmark's 'Task ID IE THIRD LEVEL
ESCALATIONS' thanking NGS for the email dated the 28th Sept.
asking for further details.
[04/10/2005] Details of the vulnerability provided to Lexmark .. No response
[11/10/2005] Follow-up email to Lexmark .. No response
[18/10/2005] Follow-up email to Lexmark .. No response
[24/10/2005] Follow-up email to Lexmark .. No response
[08/11/2005] Follow-up email to Lexmark .. No response
[30/12/2005] Follow-up email to Lexmark .. No response
[07/01/2006] Informing Lexmark of this advisory .. No response

From our tests it seems that the following workaround will prevent the

vulnerability from being present by removing the vulnerable service so that
it cannot start. This should not prevent the printer from working in normal
operations, however if a user is depending on the Lexmark Printer Sharing
services for network printing this workaround may impact that level of
functionality.

NGS do not take any responsibility for the following information being
correct or for any of the results which may occur as a result of taking the
following actions.

Workaround:

1. Launch the Services console by taking the following actions:
- Click the 'Start' menu.
- Select 'Run'.
- In the 'Run' command text area type 'services.msc' and click 'Ok'.
2. Find and right click the 'LexBce Server' entry. From the right click menu
select the 'Stop' item. Confirm that you wish to stop the service and all
dependencies.
3. Open the '%systemroot%\system32' folder by taking the following actions:
- Click the 'Start' menu.
- Select 'Run'.
- In the 'Run' command text area type '%systemroot%\system32' and click
'Ok'.
4. Locate the file named 'LexPPS.EXE'. Right click this file and select
'Rename'. Enter a new name for the file, I recommend 'LexPPS.EXE.vuln'.
5. In the Services console, locate and right click the 'LexBce Server' and
select 'Start'.
6. In the Services console, locate and right click the 'Print Spooler' and
select 'Start'.

This disclosure was made in accordance with the NGS responsible disclosure
policy which can be viewed online at:

http://www.ngssoftware.com/disclosure.pdf

NGSSoftware will withhold technical details of this flaw for at least one
month. Full technical details will be published on or after the 7th March
2006.

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070





[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC, Research Infratech
Next by Date:  [VulnWatch] [ Secuobs - Tools release ] BSS (Bluetooth Stack Smasher) fuzzer, Research Infratech
Previous by Thread:  High Risk Vulnerability in Lexmark Printer Sharing Service, NGSSoftware Insight Security Research
Next by Thread:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones, Research Infratech
Indexes:  [Date] [Thread] [Top] [All Lists]