lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B70B66DA655F144855183C68062EE89138AB4@trexchange.csnc.ch>
Date: Thu, 17 Jan 2008 21:02:52 +0100
From: "Adrian Leuenberger" <adrian.leuenberger@...c.ch>
To: <bugtraq@...urityfocus.com>
Subject: [CSNC] OKI C5510MFP Printer Password Disclosure

#############################################################
#
# COMPASS SECURITY ADVISORY               http://www.csnc.ch/
#
#############################################################
#
# Product:      OKI C5510MFP Printer
# Vendor:       OKI Printing Solutions
(http://www.okiprintingsolutions.com/)
# Subject:      Printer Reveals Password / 
#               Password and the configuration can be altered without
authentication
# Risk:         High
# Effect:       Remotely exploitable
# Author:       Adrian Leuenberger (adrian.leuenberger (at) csnc (dot)
ch)
# Date:         01/17/2008
#
#############################################################


Introduction:
-------------
The OKI C5510MFP printer offers a web interface for the configuration.
Certain pages require higher privileges for making changes. However, the
password required for accessing these pages is sent to the client in
clear text by the printer. Furthermore, the password can be set without
prior authentication. Consequently, the whole configuration can be
changed without knowing the password.


Vulnerable:
-----------
The tested model is an OKI C5510MFP (Printer CU Version: H2.15 / Printer
PU Version: 01.03.01 / System F/W Version: 1.01 / Web Page Version:
1.00). However, it is likely that other printers are affected as well.


Remediation:
------------
Currenty, there is no workaround on the printer itself. A solution would
be to implement ACLs in the network infrastructure level / firewall and
block communication with ports that are not needed for printing.


Vulnerability Management:
-------------------------
09/26/2007: Vendor notified
10/04/2007: Vendor receipt
01/16/2008: According to our contact at OKI, the information will be
used for further development and there will be no patched firmware for
the affected printers.


Patches:
--------
None


Description:
------------
Basically, the vulnerability comes from a design flaw. There are two
methods for configuring the printer:

1) Via Browser
When requesting the webpage, a Java applet is downloaded and started.
The applet creates a connection to TCP port 5548 on the printer and
receives the configuration in clear text including the current
administration password.

2) Via OKIMFP Network Setup Tool
The client running on the PC creates a connection to TCP port 7777 and
receives the configuration in clear text including the current
administration password.


References:
-----------
http://www.csnc.ch/en/downloads/advisories.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ