-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-002
Product: Lexmark MX711de MFP
Manufacturer: Lexmark
Affected Version(s): LW75.TU.P278 and previous
Tested Version(s): LW73.TU.P034
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2020-03-20
Solution Date: 2020-06-26
Public Disclosure: 2020-07-28
CVE Reference: CVE-2020-13481
Author of Advisory: Daniel Reutter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Lexmark MX711de is a multi-function printer for copying, scanning,
printing and faxing.

The manufacturer describes the product as follows (see [1]):

"The Lexmark MX711de MFP with a customizable e-Task touch screen
provides print, copy, fax, scan and email functions. Included are 650
sheets of standard input and 1GB of standard memory."

The printer's web interface is vulnerable to a persistent (stored)
cross-site scripting vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web interface of the Lexmark MX711de is vulnerable to a persistent
cross-site scripting weakness because file names stored on the printer
are not sanitized or encoded before they are rendered into the print
directory page of the web interface.

An attacker who can place a file with a crafted name on the printer's
internal hard drive can thereby run arbitrary JavaScript code in the
browser of an authenticated user of the web interface as soon as that
user opens the print directory. The payload is persistent: it is
stored in the file name on the device and fires for every user who
views the listing. The file itself can be written through the
printer's PostScript interpreter, for instance with PRET (see [4]),
so the web interface's own upload path is not required.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Upload a file with a name containing JavaScript, for instance, "",
   to the internal hard drive of the MFP. This can be achieved by
   using PostScript commands via the tool PRET (see [4]).

2.
Navigate to the print directory, located at:

   http:///cgi-bin/dynamic/printer/config/reports/printdirectory.html

   The JavaScript contained in the file name is executed in the browser
   of the authenticated user viewing the page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to firmware version LW75.TU.P279 or later [5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-11-20: Vulnerability discovered
2020-03-20: Vulnerability reported to manufacturer
2020-03-24: Vulnerability confirmed by the manufacturer
2020-06-26: Patch released by manufacturer
2020-07-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for Lexmark MX711de MFP
    https://www.lexmark.com/en_us/printer/7744/Lexmark-MX711de
[2] SySS Security Advisory SYSS-2020-002
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-002.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] PRET - Printer Exploitation Toolkit
    https://github.com/RUB-NDS/PRET
[5] Lexmark Security Advisory
    http://support.lexmark.com/index?page=content&id=TE940&locale=EN&userlocale=EN_US

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniel Reutter of SySS GmbH.

E-Mail: daniel.reutter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Daniel_Reutter.asc
Key ID: 0xD571C92FC7054703
Key Fingerprint: 0C7F 36C4 68D1 AF5A 9100 AFB1 D571 C92F C705 4703

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
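The following is an added example and is not code from the SySS advisory, from PRET or from Lexmark's firmware. It models the bug class the advisory describes (stored file names rendered into the print directory page without output encoding), puts the hardened rendering beside it, and carries a check that flags a listing which echoes a crafted name verbatim, plus the input-side rule an upload path could apply as defence in depth. The function names, the table layout and the sample file names are assumptions constructed for illustration; the real printdirectory.html markup is not reproduced here.

```python
import html


# Constructed sample file names (not from the advisory) as they might sit on
# the MFP's hard drive. The second carries markup in the name itself, which is
# the kind of name the advisory's PoC writes to the printer via PostScript.
SAMPLE_FILES = [
    "invoice-2020-03.pdf",
    '<img src=x onerror="alert(document.cookie)">.ps',
    "report & notes.txt",
]

# Characters that let a file name break out of an HTML text or attribute
# context. '&' is deliberately not in the set: it is legal in file names and
# is handled by output encoding, not by rejecting the upload.
_MARKUP_CHARS = set('<>"\'')


def render_listing_vulnerable(file_names):
    """Interpolates names straight into HTML: the flaw class in the advisory.

    Hypothetical layout; the real printdirectory.html markup is not reproduced.
    """
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in file_names)
    return f'<table id="printdir">{rows}</table>'


def render_listing_fixed(file_names):
    """Same listing, but every name is HTML-encoded before it reaches the page."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in file_names
    )
    return f'<table id="printdir">{rows}</table>'


def unescaped_names(page, file_names):
    """Returns the stored names whose markup characters reach the page verbatim.

    A name containing '<', '>', '"' or "'" must never appear unchanged in the
    rendered HTML; if it does, the listing is injectable by whoever controls
    file names on the device.
    """
    return [
        name
        for name in file_names
        if (_MARKUP_CHARS & set(name)) and name in page
    ]


def is_acceptable_file_name(name):
    """Input-side hardening for an upload path: reject names carrying markup
    or control characters. Defence in depth only; the fix the page needs is
    output encoding in the renderer, because names also arrive via PostScript."""
    if not name or len(name) > 255:
        return False
    if _MARKUP_CHARS & set(name):
        return False
    return all(ch.isprintable() for ch in name)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_listing_vulnerable),
                          ("fixed", render_listing_fixed)):
        page = render(SAMPLE_FILES)
        print(f"{label}: unescaped names = {unescaped_names(page, SAMPLE_FILES)}")
```

The check is the assertion a regression test on the web UI would carry: store a benign marker name containing `<` and `"`, fetch the print directory page, and confirm the marker only appears encoded. Run against a device after the firmware update in [5], the same logic confirms that the listing is actually encoded rather than relying on the version string alone.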
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEDH82xGjRr1qRAK+x1XHJL8cFRwMFAl8f5V4ACgkQ1XHJL8cF
RwOsiQ//QIFfC7nm1d11ey98q5LX04T5mxnVz1fIap9umqDdQ2FLUSf7gomGIpK4
7qzIoq2FWXomHcfDNhgt0bhThHUZ6AB2OlKC5KOHNwssOYWgqx2bbGz2yrhnntWz
+3uEqr6QBYT2y72DQq5d/xuZ3iQt1AYmoyoH3T4kUoeCPuqsDY1cZpI5ocNBQpv+
3Im2bOZtWh5KabUoNI4IaEbygohQt55g3hakyIK7NFxL+RZG2e+fTVTk9fZkwKg4
VqJFl/5tbPlbjdCB9YR7zkOd6rytcVukSzFJL7TkC1DpU8+qYvGmUQkG4ktQXmHF
Ritm6fPZ6DCQhOEySuaHEJGlgmiEaMTTUUyI/9fno1U77QXcZpb5YcZOhyWCZrLS
hzAGFl1gR/sl+2uYL/o3JYQ4+FvIvooeP3TPJrhny9+212WmkU5x7bKrwxFJS0le
Nrjiw3ZeI8h4JupCo02tPSyueQSAMsF+T5IuDbgghttwuSB60mxNXZn94Ya75ckg
Hbti4r52z6FRZ4ZV2adYn/zBiI21Ozi0UU4qMNGQnJqHI9Vawup1T8sek4Tw2wov
yBnYqLwbZr6CtIssl5FOL7MuzA9lCWAnoC5AAqYGNEQLJvSrMiHIAQpaJXx3q4pU
C8wAFmk9Ej//t3mGVIXM2ej54optic4Y7JUBhpd1RJvTTz8Dp8E=
=7DG0
-----END PGP SIGNATURE-----