lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 28 Mar 2014 18:26:35 -0400
From: Matt Andreko <mandreko@...il.com>
To: Taylor Hornby <havoc@...use.ca>, fulldisclosure@...lists.org
Subject: Re: [FD] Canon Printer Exposes WiFi Password

I found the same issue and more (even a DoS) in the Canon web UI:
https://www.mattandreko.com/2013/06/18/canon-y-u-no-security/

Unfortunately, Canon's response seems less than impressive. They apparently
don't really care as long as the product sells. Their response is pretty
much, "Nobody would be stupid enough to put it on a public IP", yet there
are hundreds on ShodanHQ. I saw some for big universities' libraries.
Imagine the fun a bad-guy could have DoS'ing the printer during finals-week.

I was trying to reverse the firmware, to find more bugs, but didn't have a
lot of luck, as that's not really my thing. However, I'm guessing someone
that does it regularly could have a hay-day.



On Fri, Mar 28, 2014 at 5:20 PM, Taylor Hornby <havoc@...use.ca> wrote:

> Affects: Canon PIXMA MX722 Printer (and probably other Canon printers).
>
> After typing my WPA2 WiFi password into the printer (through the
> built-in hardware keypad), it exposes the cleartext password to the LAN
> through an admin page that isn't password protected:
>
> https://twitter.com/DefuseSec/status/419910112442982401/photo/1
>
> You can enable password protection of that page, but:
>
> 1) There is no password protection by default. It silently exposes your
>    password, and you'll never know unless you go looking for it.
>
> 2) There's no need to embed the actual password in the HTML form anyway.
>    They could have used placeholder text instead of the real password.
>
> Regards,
> --
> Taylor Hornby
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists