Kyocera Command Center RX ECOSYS M2035dn Directory Traversal Vulnerability Allowing Unauthenticated File Disclosure

Vulnerability

A directory traversal vulnerability has been identified in the Kyocera Command Center RX application for the ECOSYS M2035dn model. This vulnerability allows unauthenticated attackers to read sensitive system files by manipulating file paths under the '/js/' directory. Exploitation involves sending crafted requests that traverse the directory structure, appending a null byte to bypass file type restrictions, and accessing critical files such as '/etc/passwd' and '/etc/shadow'.

Impact

Exploitation of this vulnerability leads to unauthorized access and disclosure of sensitive system files, including password and shadow files, which can be used for further attacks or privilege escalation.

Reproduction

The vulnerability can be reproduced by sending a GET request under the '/js/' directory with a crafted file path that includes directory traversal sequences (such as '../../..') to navigate up the directory structure. Appending a null byte followed by an allowed file extension (like '.jpg') can bypass certain file type restrictions, since the extension check sees '.jpg' while the underlying file open stops at the null byte, allowing access to sensitive files like '/etc/passwd' and '/etc/shadow'.
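As an added, defender-side example that is not part of this advisory: a log check that flags requests under '/js/' whose decoded path carries a null byte or resolves outside the '/js/' root. The sample request lines are constructed, and the finding labels are my own naming.

```python
from urllib.parse import unquote

# Constructed sample access-log request lines (not taken from the advisory).
SAMPLE_LOG = [
    "GET /js/app.js HTTP/1.1",
    "GET /js/../../../etc/passwd%00.jpg HTTP/1.1",
    "GET /js/..%2f..%2f..%2fetc%2fshadow%00.jpg HTTP/1.1",
    "GET /js/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "GET /js/vendor/lib.js HTTP/1.1",
]

JS_PREFIX = "/js/"

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' and '%00' become visible."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path

def normalize(path):
    """Collapse '.' and '..' segments the way a lenient file-serving layer would."""
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)

def classify(request_line):
    """Return the findings for one request line (empty list means clean)."""
    _method, target, _version = request_line.split(" ", 2)
    raw_path = target.split("?", 1)[0]
    if not raw_path.startswith(JS_PREFIX):
        return []
    decoded = decode_fully(raw_path)
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")
        decoded = decoded.split("\x00", 1)[0]  # the part a C-style open() would see
    if ".." in decoded.split("/"):
        findings.append("dot-dot-segment")
    resolved = normalize(decoded)
    if not resolved.startswith(JS_PREFIX):
        findings.append("escapes-js-root:" + resolved)
    return findings

def scan(lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    return {line: classify(line) for line in lines if classify(line)}
```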

Added: Jan 14, 2026, 12:02 AM
Updated: Jan 14, 2026, 12:02 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.