lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201308051015.r75AFbUM003676@sf01web3.securityfocus.com>
Date: Mon, 5 Aug 2013 10:15:37 GMT
From: michal.sajdak@...uritum.pl
To: bugtraq@...urityfocus.com
Subject: HP LaserJet Pro printers remote admin password extraction

Some of the networked HP LaserJet printers have hidden URLs hardcoded in the firmware. The URLs are not authenticated and can be used to extract admin password in plaintext – among other information like WiFi settings (including WPS PIN).

Models affected:

HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro CP1025nw, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP, Possibly others(?)

URLs details:

Here are at least two interesting URLs, which can be accessed without authentication:

http://IP_ADDRESS/dev/save_restore.xml
(gives admin password/configuration parameters in plaintext)

http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin
(gives WPS PIN in plaintext)

Original disclosure:
http://sekurak.pl/hp-laserjet-pro-printers-remote-admin-password-extraction/

Original information from HP:
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03825817-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&ac.admitted=1375697666155.876444892.199480143

History

19.04.2013 vendor notified
19.04.2013 initial vendor response received
24.04.2013 issue confirmed
26.07.2013 new firmwares released
31.07.2013 issues summary published by vendor
02.08.2013 disclosure

--
Michal Sajdak, Securitum

Powered by blists - more mailing lists