TopAccess Security issue with Toshiba e-Studios

I have been testing some of the local SMB fileshare issues on our Toshiba e-Studios in case these are used to store files instead of secured network shares. During this investigation I came across a Toshiba eStudio Multifunction Printer Authentication Bypass from Jan 2011 that was still exploitable on some of our MFPs. (Our MFPs are all now patched and secured.)

e.g. exploited via:

http://ip-address:8080/TopAccess//Administrator/Setup/ScanToFile/List.htm

It would appear that Toshiba has a firmware update that should fix the issue [4] (Note that the vendor advisory is in Japanese [5]).

Solution: Update to a fixed firmware version (please see the vendor’s advisory for details). [4]

The ‘How to respond’ section, translated from the Japanese bulletin:

By updating the “TopAccess” program on the covered products, this vulnerability will be resolved. Please contact the following contact desk, or ask your dealer or service representative, for details of the program update. In addition, updating the program does not affect the data or the like that is input to the digital multifunction peripheral. [5]

Using this exploit, I managed to obtain both the user name and password details to access the fileserver used to store scanned files. This would suggest that the firmware updates need to be applied to the affected MFPs ASAP as this is a pretty large exposure.

From a quick/rough check, it would appear that if the printer web server responds at:
* http://ip-address/TopAccess/ – vulnerable
* http://ip-address/?MAIN=Setup – not vulnerable

If you are running e-Studio MFPs, double check that you are not affected.
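As an added example (not code from the original post), the following Python helper applies the check above to an inventory of your own e-Studio devices: it requests the admin page named in the post without any credentials and classifies the reply. The response shapes it relies on are assumptions (an unpatched device serves the page with HTTP 200; a patched one redirects to a login page or answers 401/403), as are the hostnames passed to `audit()`.

```python
"""Fleet audit helper for the TopAccess exposure discussed above."""
import urllib.request
import urllib.error
from urllib.parse import urlparse

# Admin page from the post; it should never be served without a login.
ADMIN_PATH = "/TopAccess//Administrator/Setup/ScanToFile/List.htm"
LOGIN_MARKERS = ("login", "password")


def classify(status, location, body):
    """Classify one HTTP response to ADMIN_PATH (assumed response shapes).

    Returns 'exposed', 'protected' or 'unknown'.
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307) and location:
        # A redirect to a login page counts as protected; anything else is unclear.
        return "protected" if "login" in urlparse(location).path.lower() else "unknown"
    if status == 200:
        lower = body.lower()
        # A 200 that is really a login form is fine; a 200 carrying the
        # scan-to-file settings page means the page is reachable unauthenticated.
        if all(m in lower for m in LOGIN_MARKERS):
            return "protected"
        if "scantofile" in lower or "administrator" in lower:
            return "exposed"
    return "unknown"


def fetch(host, port=8080, timeout=5):
    """Request ADMIN_PATH with no credentials; return (status, location, body)."""
    url = "http://%s:%d%s" % (host, port, ADMIN_PATH)

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Do not follow redirects: the Location header is part of the evidence.
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location", ""), resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", ""), ""
    except urllib.error.URLError:
        return 0, "", ""  # unreachable: reported as 'unknown'


def audit(hosts):
    """Return {host: verdict} for the MFP addresses you administer."""
    return {h: classify(*fetch(h)) for h in hosts}
```

Devices reported as `exposed` are the ones to prioritise for the firmware update; `unknown` results need a manual look.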

LINKS:
[1] Toshiba eStudio Multifunction Printer Authentication Bypass (2011-Oct-16) [Foofus.Net Security Stuff]
[2] Toshiba eStudio Multifunction Printer Authentication Bypass (2011-Oct-16) [Foofus.Net Security Stuff]
[3] Toshiba E-Studio Multifunction Printers Management Interface Security Bypass Vulnerability (2011-Oct-24) [SecureList]
[4] Toshiba E-Studio Multifunction Printers Management Interface Security Bypass Vulnerability SA46408 [Secunia]
[5] Mounted on the part of the multifunction product manufactured by Toshiba Tec Corporation Vulnerability in Web-based administration utility (2012-Apr-05) [Toshiba] (title via Google Translate)


1 Response to “TopAccess Security issue with Toshiba e-Studios”


  1. 1 visibleprocrastinations November 2, 2012 at 12:04 pm

    “But the attacker did break into the network printer, a Toshiba, and went on to check for passwords. “The administration password was in the HTML code,” said Gnesa. “And unfortunately, that password was also used on another machine.”
    http://www.networkworld.com/news/2012/103012-apt-gnesa-263813.html

