A security researcher publicly dropped a zero-day remote code execution (RCE) vulnerability chain affecting Lexmark printers after describing the disclosure reward he was offered as “laughable”.
Independent researcher Peter Geissler (@bl4sty) said that public disclosure of the bug, a zero-day flaw at the time of release but now patched, was preferable to the report being sold “for peanuts”.
In a tweet dated January 10, Geissler published a link to a GitHub repository containing information on the vulnerability chain.
The exploit was tested against firmware version CXLBL.081.225, and although it was entered into Pwn2Own Toronto 2022 – run by the Zero Day Initiative (ZDI) – the attack did not succeed during the contest demonstrations.
‘Seemingly harmless’ functions
However, according to the researcher’s writeup, several isolated or “seemingly harmless” functions could be exploited to “eventually fully compromise the device”.
These functions included file upload and file copy primitives, alongside a daemon related to SOAP web services that could be abused to make an HTTP callback to an attacker’s selected endpoint, resulting in server-side request forgery (SSRF).
“When the callbacks are being made the software does not do any sanity-checking on the destination of the callbacks, thus it is possible to send callbacks to arbitrary hosts, including the printer itself,” Geissler explained.
Furthermore, a process called /auto-fwdebugd could be exploited because it failed to sanitize inputs read from a first-in, first-out (FIFO) system, resulting in a command injection bug.
By chaining the above, it was possible to achieve RCE.
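The SSRF step above hinges on one missing control: the callback sender never checked where the callback was going, so a callback could be pointed back at the printer itself. The following is an added example (not Lexmark's code and not from the researcher's repository) of the destination sanity check a defender would expect before any server-initiated HTTP callback is made. It assumes hypothetical function names, a constructed name-to-address table (`FAKE_DNS`) that stands in for real DNS so the code runs offline, and constructed sample addresses; the `ipaddress` and `urllib.parse` calls are from the Python standard library.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (hypothetical names/addresses).
FAKE_DNS = {
    "notify.example.com": ["93.184.216.34"],      # ordinary public endpoint
    "evil.example.net": ["127.0.0.1"],            # name that resolves to loopback
    "intranet.example.internal": ["10.0.0.5"],    # name that resolves to RFC 1918 space
    "metadata.example.test": ["169.254.169.254"], # name that resolves to link-local
}

def fake_resolve(host: str) -> List[str]:
    """Hypothetical resolver: returns every address a name maps to, or [] if unknown."""
    return FAKE_DNS.get(host.lower(), [])

# Only plain web callbacks are acceptable; file://, gopher:// and friends are not.
ALLOWED_SCHEMES = {"http", "https"}

def address_is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (169.254/16, fe80::/10), multicast,
    unspecified and other reserved ranges. IPv4-mapped IPv6 addresses such as
    ::ffff:127.0.0.1 are unmapped first so they cannot smuggle a local target.
    """
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def check_callback_destination(
    url: str,
    resolve: Callable[[str], List[str]] = fake_resolve,
    allowed_hosts: Optional[Iterable[str]] = None,
) -> Tuple[bool, str]:
    """Decide whether a server-initiated callback to `url` may be sent.

    Returns (allowed, reason). Every address the host resolves to must be
    public; if an operator allowlist is configured the host must be on it.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in callback URL"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not in operator allowlist"
    # A literal IP address needs no lookup; otherwise resolve every address.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if not address_is_public(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"

if __name__ == "__main__":
    for candidate in (
        "https://notify.example.com/hook",
        "http://127.0.0.1:9100/",
        "http://[::ffff:127.0.0.1]/",
        "http://evil.example.net/",
        "http://metadata.example.test/",
        "ftp://notify.example.com/",
    ):
        print(candidate, "->", check_callback_destination(candidate))
```

Two design points matter in practice. First, the addresses checked must be the ones actually connected to: resolve once, validate, then connect to that pinned address, otherwise a name can pass the check and rebind to the device's own address between lookup and connect. Second, the same check has to be re-applied to every redirect target, since an external host can answer with a 3xx pointing back at a local address. An operator-managed allowlist (`allowed_hosts`) is the stronger control where the set of legitimate callback endpoints is known in advance.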
Patch available
In a security advisory released on January 23, Lexmark said the issue, tracked as CVE-2023-23560 (CVSSv3 9.0) and covering the whole chain under a single CVE assignment, impacts over 100 models and has now been patched.
The company said there is no evidence of malicious use in the wild. When approached for comment, Lexmark said: “Lexmark became aware of details of this vulnerability when it was publicly disclosed. We have provided a patch to our customers.
“We encourage anyone who identifies a vulnerability which may affect a Lexmark product to report it to Lexmark Security Advisories. This vulnerability management approach is one reason Lexmark is consistently named a leader in print security by industry analysts.”
Geissler says that while the exploit chain didn’t fully function during the competition – potentially due to different configurations on the test printer – ZDI did offer to purchase the security flaws. However, the amount was “laughable” and Geissler “promptly forgot about their offer”.
Speaking to The Daily Swig, Geissler explained that the amount offered by ZDI was a “small fraction” of the original reward as someone else during the competition successfully targeted the printer with a different chain of bugs.
When asked for his motivation beyond securing a payout to release his findings, Geissler commented: “If you sell to them you cannot publish anything until the bug(s) have been fixed by [the] vendor, afaik [as far as I know] that’s the only real (reasonable) restriction for publication.”
Disclosure
According to the researcher, Lexmark was not notified before the zero-day’s release for two reasons.
First, Geissler wished to highlight how the Pwn2Own contest is “broken” in some regards, as shown when low monetary rewards are offered for “something with a potentially big impact” – such as an exploit chain that can compromise over 100 printer models.
Furthermore, he said that official disclosure processes are often long-winded and arduous.
“In my experience, patching efforts by the vendor are greatly accelerated by publishing turnkey solutions in the public domain without any heads up whatsoever,” Geissler noted.
“Lexmark might reconsider partnering with similar competitions in the future and opt to launch their own vulnerability bounty/reward program.”
Source: https://portswigger.net/daily-swig/researcher-drops-lexmark-rce-zero-day-rather-than-sell-vuln-for-peanuts