CVE-2019-18203

Alexandra Percário, published in NutsAboutSec
Oct 19, 2019

So I got a CVE… this is a Proof of Concept and also my demystification of it all.

So at one of my pentesting jobs I had a building of around 80 printers to test for vulnerabilities. All of them were from Ricoh and the network was pretty well prepared against attackers… I didn’t want to make noise and tried to be really stealthy. One way I found was to go through the printers.

I gained some access through social engineering, which led me to the Administrative Panel of the Ricoh MP 501 printer’s Web Image Monitor.

MP 501 Web Image Monitor

Searching around CVE Details I found many vulnerabilities in other printers and thought “Why not test it against this one as well?”.

CVE’s associated to Ricoh’s printers

With not much effort (actually none at all) I wrote the basic HTML payload for the entryNameIn parameter:

<h1>nutcake</h1>

and… Ta dá!

entryNameIn parameter with HTML payload
HTML payload injected

After this first successful attempt I got more excited to continue testing. I figured that it had a server-side limit of only 20 characters, so I had to be creative. The following screenshots are just me playing around:

Onload payload.
XSS response.
Injecting XSS
XSS response

I started playing with the Key Display entry as well…

Playing with KeyDisplay parameter
HTML payload injected for KeyDisplay
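The two findings above (entryNameIn and KeyDisplay) come down to one defect: a stored value is written back into the page unescaped, and the 20-character cap does nothing about it because the page’s own payload is only 16 characters. The snippet below is an added example, not the printer’s firmware or any Ricoh code; the field names, the limit and the sample entries are taken from the write-up or constructed for illustration, and it shows the vulnerable rendering beside the hardened one.

```python
import html
import re

# Limit observed in the write-up: the server caps entryNameIn at 20 characters.
MAX_ENTRY_LEN = 20

# Constructed address-book entries for the example. The second one is the
# page's own payload; it fits comfortably inside the 20-character cap.
SAMPLE_ENTRIES = {
    "entryNameIn": "Alice Printroom",
    "entryNameIn_payload": "<h1>nutcake</h1>",
    "KeyDisplay_too_long": "A" * (MAX_ENTRY_LEN + 1),
}


def render_unsafe(value: str) -> str:
    """'Before': the stored field is interpolated into the page verbatim.

    This is the behaviour the write-up observed: markup in the value
    becomes live HTML in the Web Image Monitor page.
    """
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """'After': HTML-escape on output so stored markup is displayed as text."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def validate_entry(value: str) -> str:
    """Server-side input check for entryNameIn / KeyDisplay.

    Enforces the existing length limit and additionally rejects the
    characters that can open or close markup. Output escaping above is the
    primary fix; this is defence in depth, not a replacement for it.
    """
    if len(value) > MAX_ENTRY_LEN:
        raise ValueError(f"field exceeds {MAX_ENTRY_LEN} characters")
    if re.search(r"[<>\"'&]", value):
        raise ValueError("field contains markup characters")
    return value


def has_live_tag(rendered: str) -> bool:
    """Crude check: does the rendered cell contain a tag other than its own <td>?"""
    return re.search(r"<(?!/?td\b)[A-Za-z]", rendered) is not None
```

The check worth taking away is `has_live_tag(render_unsafe(payload))` being true while `len(payload) <= MAX_ENTRY_LEN` also holds: a length limit is a storage constraint, not an injection control.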

The PoC ends here. Since I got this from Ismail Taşdelen, I tried to give him the opportunity to grab the CVE under his name. I tried to contact him in many ways, but got no answer, so I decided to publish it anyway. Within one working day the Mitre Corporation answered me with the CVE number.

Pretty cool!! Got really excited, but then I started thinking…

Wait, what?!

The PoC ended here, like I said, so if you want you can just jump to Netflix, but I have some other words to say.

I can’t say how grateful I am to have the Mitre Corporation bring clarity to many vulnerabilities found in the wild. Like they say:

“For a variety of reasons, sharing information is more difficult within the cybersecurity community than it is for hackers. It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.”

And that is true, so true that it makes me want to hug them!
However, some people misunderstood the whole thing and created chaos in the cyber sec community. CVEs, exploits and certifications are not the ONLY truth about someone’s knowledge. It is a logical path that someone testing for security holes on a daily basis might want to try for a certification or end up finding some CVEs out there from time to time. But it is not always like this, and it is OK for a researcher to decide whether or not to try for a certification, a CVE, an exploit, whatever; that does not take away his/her knowledge or invalidate their abilities. This CVE is just a result of free time, curiosity and a good cup of coffee. Many times playing CTFs I had to craft much more complex payloads and didn’t have a CVE declared under my name. And guess what, that’s OK!!!

These final thoughts are only meant to demystify the whole “Certification, Exploit, CVE” combo and to ask those judging everybody else for their lack of “security badges” to fix their own lives before looking for trouble.

Thanks and happy hacking.

bye! ✧゚・:*⌒\(・‿・*)
