

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers. In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert
Unauthenticated Remote Code Execution (RCE) as root
https://publications.lexmark.com/publications/security-alerts/CVE-2021-44735.pdf
https://publications.lexmark.com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter.

With our firmware decryption tool at hand, we were finally able to peek into the firmware. It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value.

In this state, unauthenticated users can still trigger a vast amount of actions through the web interface. One of these is Sanitize all information on nonvolatile memory. It can be found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

Sanitize all information on nonvolatile memory
Erase all shortcuts and shortcut settings

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes.
