Samsung SyncThruWeb SMB Hash Disclosure

2015.09.01
Credit: Shad Malloy
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Samsung SyncThruWeb SMB Hash Disclosure
# Date: 8/28/15
# Exploit Author: Shad Malloy
# Contact: http://twitter.com/SecureNM
# Website: https://securenetworkmanagement.com
# Vendor Homepage: http://www.samsung.com
# Software Link: http://www.samsung.com/hk_en/consumer/solutions/type/SyncThruWebService.html
# Version: Known vulnerable versions
#   Samsung SCX-5835_5935 Series Printer, Main Firmware Version : 2.01.00.26
#   Samsung SCX-5635 Series Printer, Main Firmware Version : 2.01.01.18 12-08-2009
# Tested on:
#   Samsung SCX-5835_5935 Series Printer
#     Main Firmware Version : 2.01.00.26
#     Network Firmware Version : V4.01.05(SCX-5835/5935) 12-22-2008
#     Engine Firmware Version : 1.20.73
#     UI Firmware Version : V1.03.01.55 07-13-2009
#     Finisher Firmware Version : Not Installed
#     PCL5E Firmware Version : PCL5e 5.87 11-07-2008
#     PCL6 Firmware Version : PCL6 5.86 10-28-2008
#     PostScript Firmware Version : PS3 V1.93.06 12-19-2008
#     SPL Firmware Version : SPL 5.32 01-03-2008
#     TIFF Firmware Version : TIFF 0.91.00 10-07-2008
#   Samsung SCX-5635 Series
#     Main Firmware Version : 2.01.01.18 12-08-2009
#     Network Firmware Version : V4.01.16(SCX-5635) 12-04-2009
#     Engine Firmware Version : 1.31.32
#     PCL5E Firmware Version : PCL5e 5.92 02-12-2009
#     PCL6 Firmware Version : PCL6 5.93 03-21-2009
#     PostScript Firmware Version : PS3 1.94.06 12-22-2008
#     TIFF Firmware Version : TIFF 0.91.00 10-07-2008

Proof of Concept

1. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file, access http://<printer url>/smb_serverList.csv.
2. The UserName and UserPassword fields are stored unencrypted and are readable in any text editor.

Relevant Patches

http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Shad Malloy
Secure Network Management, LLC
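The advisory above gives defenders two concrete facts to act on: the export lives at /smb_serverList.csv, and its UserName/UserPassword columns hold cleartext values. The following is an added example (not part of the advisory or Samsung's firmware) that turns both into checks: a detector that flags successful fetches of that path in web or proxy access logs, scored higher when the source host is not an approved printer administrator, and an audit that reads an exported CSV and lists which SMB destinations still have a cleartext password stored on the device. The log lines, the allow-list, the combined-log format and the ServerName/Path column names are constructed assumptions; only the path and the UserName/UserPassword field names come from the advisory.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Set

# Constructed sample access log (Apache combined-style); not from the advisory.
SAMPLE_LOG = """\
10.0.5.12 - - [01/Sep/2015:10:02:11 +0200] "GET /Information/Information.htm HTTP/1.1" 200 4123
10.0.9.77 - - [01/Sep/2015:10:03:45 +0200] "GET /smb_serverList.csv HTTP/1.1" 200 812
10.0.5.12 - - [01/Sep/2015:10:05:02 +0200] "GET /smb_serverList.csv HTTP/1.1" 200 812
10.0.9.77 - - [01/Sep/2015:10:05:40 +0200] "GET /smb_serverList.csv HTTP/1.1" 401 0
"""

# Hosts permitted to administer the printer (constructed allow-list).
ADMIN_HOSTS: Set[str] = {"10.0.5.12"}

# Path named in the advisory as exposing SMB credentials.
SENSITIVE_PATHS: Set[str] = {"/smb_serverList.csv"}

# Minimal parser for the common/combined log prefix.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_export_access(log_text: str,
                       admin_hosts: Iterable[str] = ADMIN_HOSTS) -> List[Dict[str, str]]:
    """Return one alert per successful (HTTP 200) fetch of a sensitive path.

    Fetches from hosts outside the admin allow-list are rated 'high';
    fetches from approved admin hosts are still reported, as 'medium',
    because the export itself leaks cleartext credentials.
    """
    admin = set(admin_hosts)
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        path = m.group("path").split("?", 1)[0]   # ignore any query string
        if path not in SENSITIVE_PATHS or m.group("status") != "200":
            continue                      # only a 200 means the CSV was actually served
        src = m.group("src")
        alerts.append({
            "src": src,
            "ts": m.group("ts"),
            "path": path,
            "severity": "medium" if src in admin else "high",
        })
    return alerts


# Constructed sample of the exported CSV. UserName/UserPassword are the
# field names from the advisory; ServerName/Path are assumed for illustration.
SAMPLE_EXPORT = """\
ServerName,UserName,UserPassword,Path
fileserver01,scanuser,Winter2015!,\\\\fileserver01\\scans
archive,svc_scan,,\\\\archive\\inbox
"""


def servers_with_cleartext_password(csv_text: str) -> List[str]:
    """Audit an export: list destinations whose UserPassword column is populated.

    A populated column means the device holds that SMB password in a form
    the web interface will hand back in cleartext, so the credential should
    be rotated once the vendor patch is applied.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["ServerName"] for row in reader if (row.get("UserPassword") or "").strip()]


if __name__ == "__main__":
    for a in find_export_access(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} fetched {a['path']}")
    print("rotate credentials for:", servers_with_cleartext_password(SAMPLE_EXPORT))
```

The 401 line in the sample is deliberately ignored: a failed fetch is noise for this rule (though repeated 401s against the login page would belong in a separate brute-force detection). The audit deliberately does not print the passwords themselves, only which destinations need rotation.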

References:

http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

