https://github.com/t3l3machus/cve-2023-22960

This vulnerability allows an attacker to bypass the credentials brute-force prevention mechanism of the Embedded Web Server (interface) of more than 60 Lexmark printer models. This issue affects both username-password and PIN authentication.
https://github.com/t3l3machus/cve-2023-22960

bruteforce cve-2023-22960 hacking password-attack pentesting redteam

Last synced: 6 days ago
JSON representation

This vulnerability allows an attacker to bypass the credentials brute-force prevention mechanism of the Embedded Web Server (interface) of more than 60 Lexmark printer models. This issue affects both username-password and PIN authentication.

• Host: GitHub
• URL: https://github.com/t3l3machus/cve-2023-22960
• Owner: t3l3machus
• License: mit
• Created: 2023-01-24T08:33:19.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2023-06-15T14:38:07.000Z (over 1 year ago)
• Last Synced: 2024-05-02T02:31:30.859Z (7 months ago)
• Topics: bruteforce, cve-2023-22960, hacking, password-attack, pentesting, redteam
• Language: Python
• Homepage:
• Size: 18.6 KB
• Stars: 80
• Watchers: 2
• Forks: 16
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# PoC for CVE-2023-22960 

[![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.6-yellow.svg)](https://www.python.org/) 



[![License](https://img.shields.io/badge/license-MIT-red.svg)](https://github.com/t3l3machus/CVE-2023-22960/blob/main/LICENSE) 

## Details

PoC for CVE-2023-22960 that I discovered. This vulnerability allows an attacker to bypass the credentials brute-force prevention mechanism of the Embedded Web Server interface of all Lexmark printer models that have a firmware version released before 01/2023. This issue affects both username-password and PIN authentication.

**Official security advisory** -> https://publications.lexmark.com/publications/security-alerts/CVE-2023-22960.pdf

**PoC tested against**:

 - Lexmark MX622adhe 

 - Lexmark CX735adse 

 - Lexmark MX521ade

#### Video Presentation

In this video I demonstrate the issue as well as how to write an http(s) login bruteforce script with Python.  

https://www.youtube.com/watch?v=HuAqTScr_3s

## Preview

Without the brute-force prevention bypass:  

![image](https://user-images.githubusercontent.com/75489922/214288009-d0cda79b-e604-478a-9bbc-39175c20a6ab.png)

Applying the brute-force prevention bypass:  

![image](https://user-images.githubusercontent.com/75489922/214286428-fb2cc7b3-9c58-4aed-a343-2d66610ca407.png)