While performing penetration testing, however, a Trustwave researcher was able to intercept and modify the access request using a web interception proxy (Burp suite) or by sending the request directly to the application endpoint. This allowed UNC paths to be set as backup locations.
“Trustwave SpiderLab’s Senior Technical Specialist, Jordan Hedges, discovered an improper input validation for the “path” parameter accepted by the “/backup-restore-service/config/backup-path” endpoint which handles requests from the UI to set the database backup location,” Trustwave said in a blog post. “He submitted a backup path that would pass the UI validation and then intercepted the client request post-validation to alter the path parameter value to a UNC path under his control.”
While there is no workaround to this vulnerability, Kyocera has rolled out a security update with a patch that implements a validation function, that if a path is changed to an invalid path, the invalid path is ignored and the original valid path is still applied.
The affected devices include the ones running the unpatched latest version of Kyocera’s Device Manager that supports installation on Windows Server 2012/2016/2019/2022 and Windows 10 and Windows 11.
UNC authentication attempts can allow credential relaying
Attempting to set the UNC path for the backup location triggers the device manager to initiate authenticating the share through NTLM (NT LAN Manager) protocols which, depending on a certain system configuration, allows credentials leakage.
Credentials leakage here refers to the capture or relay of Active Directory hashed credentials if the “Restrict NTLM: Outgoing NTLM traffic to remote servers” security policy is not enabled, according to the post.