    Hard-coded ftp and shell user account password in certain Xerox ColorQube and WorkCenter devices

    20 August 2013 - Discovery
    24 August 2013 - Vendor notified
    26 August 2013 - Vendor responds and starts confirmation process
    30 August 2013 - Vendor acknowledges existence of issue in several product families
    21 October 2013 - Vendor issues patches and XRX13_008 Xerox Security Bulletin
    03 November 2013 - CVE@Mitre assigns CVE-2013-6362
    Andrei Costin of "FIRMWARE.RE" project
    Vulnerability discovered using "FIRMWARE.RE" platform/service

Security advisory numbering:


    Xerox ColorQube 9201/9202/9203
    Xerox WorkCenter 6400/7525/7530/7535/7545/7556/7755/7765/7775
    Please see XRX13_008

Product version(s) affected:
    Please see XRX13_008

CWE categories:
    CWE-798: Use of Hard-coded Credentials
    CWE-259: Use of Hard-coded Password

Vulnerability details:
    The affected products/firmware versions contain an "internal FTP account" whose username is "intFTP".

    It appears to apply at least to ColorQube 92xx series.

    One particular firmware file example is "Xerox_ColorQube_upgrade_file_30823.zip/ColorQube_9201-9203_system-sw#06005000930823#.DLM".

    It is intended to upgrade "ColorQube from versions,, or to version"

    The corresponding "/etc/passwd" entry of the "intFTP" account is as follows:
        intFTP:x:51:51:Internal FTP (cc<->nc):/:/bin/bash
    The corresponding "/etc/shadow" entry of the "intFTP" account is as follows:

    The account is active (its shell is "/bin/bash" and not "/bin/false" nor "/bin/login").

    The account password hash "$1$BbR.S$t22VMWcrVUOoTPoZwMlza." could not be cracked via brute force or known dictionaries using tools such as "John the Ripper".
    This shows that the password used is not necessarily a weak one. A security check verifying password strength would pass this test.
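
    A firmware audit check that does not depend on password strength, as an added example that is not part of the original advisory or of the FIRMWARE.RE platform: it joins "/etc/passwd" and "/etc/shadow" from an unpacked image and reports every account that has both a login shell and a usable password field. The function names, the extra accounts and the shadow aging fields are assumptions made for illustration.

```python
# Added example: flag login-capable accounts in an unpacked firmware rootfs.
# Non-login shells: the two the advisory names, plus the common nologin paths.
NOLOGIN_SHELLS = {"/bin/false", "/bin/login", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_shadow(text):
    """Map username -> password field from /etc/shadow content."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0]:
            fields[parts[0]] = parts[1]
    return fields

def password_state(pw_field):
    """Classify a password field as 'empty', 'locked' or 'hash'."""
    if pw_field == "":
        return "empty"    # login without any password
    if pw_field[0] in "*!" or pw_field == "x":
        return "locked"   # no usable hash ('x' here: no shadow entry found)
    return "hash"

def active_accounts(passwd_text, shadow_text):
    """Return (user, uid, shell, state) for every account that can log in."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue      # skip malformed or comment lines
        user, pw, uid, _gid, _gecos, _home, shell = parts
        if pw == "x":     # real password field lives in /etc/shadow
            pw = shadow.get(user, "x")
        state = password_state(pw)
        if shell not in NOLOGIN_SHELLS and state != "locked":
            findings.append((user, int(uid), shell, state))
    return findings

# Sample input: the intFTP passwd line and hash are quoted from the advisory;
# the other accounts and the shadow aging fields are constructed.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
intFTP:x:51:51:Internal FTP (cc<->nc):/:/bin/bash
"""
SHADOW = """root:!:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
intFTP:$1$BbR.S$t22VMWcrVUOoTPoZwMlza.:15000:0:99999:7:::
"""

if __name__ == "__main__":
    print(active_accounts(PASSWD, SHADOW))
```

    On the sample input only "intFTP" is reported: the constructed root entry is locked and daemon has a non-login shell.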

    However, the FIRMWARE.RE automated platform could find the corresponding password hardcoded in the firmware as "t2ZG95En".

    The FIRMWARE.RE platform traced the password "t2ZG95En" back to the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh".

    As far as post-discovery manual analysis could determine, the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh" are used to transfer upgrade/boot images
    between CC (copy-controller?) and NC (network-controller?) components/domains of the affected devices.

    The FIRMWARE.RE platform suggests, in line with NIST, CWE-798 and CWE-259, not to hardcode any credentials within the devices/firmware and, where it is really
    necessary by design to store them in the device/firmware, to allow such credentials to be changed/updated easily.

Vendor details:
About the author/project:
    Firmware.RE is part of the Firmware Genome Project.
    Firmware.RE is a free online service that:
        - unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
        - facilitates firmware mounting, modification, loading and emulation.
        - facilitates firmware vulnerability and backdoor discovery.
        - helps secure your embedded and internet-of-things devices.