HP Printer security flaw allows hackers to extract passwords

Owners of certain HP LaserJet Pro printers are being advised to protect themselves against a security vulnerability “as soon as possible”, after researchers found it was possible to remotely access admin passwords and other information.

The vulnerability, dubbed CVE-2013-4807, was discovered by Michał Sajdak of Securitum.pl who described how hackers could extract plaintext admin passwords via hidden URLs hardcoded into the printers’ hardware.

Sajdak discovered that if you access vulnerable LaserJet printers via a URL like this:

http://IP_ADDRESS/dev/save_restore.xml

you are not required to authenticate yourself, and a number of parameters are easily accessible.

For instance, in his example, Sajdak found a hex representation of the admin password:

[Image: HP printer reveals password in hexadecimal]

In this case, 0x746573746f7765 is the hex encoding of the ASCII string “testowe”.

Furthermore, Sajdak found that WiFi-enabled printers could leak the network’s WPS PIN:

http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin

[Image: HP printer reveals WPS PIN]

The good news is that the security vulnerability was disclosed responsibly to Hewlett-Packard, and firmware updates for affected printers are available for users to download.

The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update.

[Image: HP Security advisory]

According to the security advisory published by Hewlett-Packard, a patch for the vulnerability is available for the following printers: HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP, and HP LaserJet Pro CP1025nw.
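Until every affected printer is updated, requests to the two URLs described above can be flagged in proxy or gateway logs. The following is an added example, not code from the original article, Sajdak or HP; the log layout, the sample lines and the admin subnet are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Paths named in the article; compared lower-cased after URL-decoding.
SENSITIVE_PATHS = ("/dev/save_restore.xml", "/iomgmt/adapters/wifi0/wps/pin")
# Assumption: only this management subnet should reach printer admin URLs.
ADMIN_NET = ipaddress.ip_network("10.0.50.0/24")
# Assumed (constructed) layout: client [time] "METHOD URL PROTO" status
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})$')

# Constructed sample proxy log; addresses and status codes are illustrative.
SAMPLE_LOG = """\
10.0.50.7 [07/Aug/2013:09:12:01 +0000] "GET http://10.0.60.21/dev/save_restore.xml HTTP/1.1" 200
10.0.70.33 [07/Aug/2013:09:14:40 +0000] "GET http://10.0.60.21/DEV/save_restore.xml HTTP/1.1" 200
10.0.70.33 [07/Aug/2013:09:14:52 +0000] "GET http://10.0.60.21:8080/IoMgmt/Adapters/wifi0/WPS/Pin HTTP/1.1" 200
10.0.70.41 [07/Aug/2013:09:20:10 +0000] "GET http://10.0.60.22/dev/save%5Frestore.xml HTTP/1.1" 401
10.0.70.12 [07/Aug/2013:09:21:00 +0000] "GET http://10.0.60.21/index.html HTTP/1.1" 200
"""

def normalize_path(url):
    """Return the URL-decoded, lower-cased path with repeated slashes collapsed."""
    path = unquote(urlsplit(url).path).lower()
    return re.sub(r"/{2,}", "/", path).rstrip("/") or "/"

def find_exposures(log_text):
    """Return one finding per request that targets a sensitive printer URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        client, when, _method, url, status = m.groups()
        path = normalize_path(url)
        if path not in SENSITIVE_PATHS:
            continue
        findings.append({
            "client": client,
            "printer": urlsplit(url).hostname,
            "path": path,
            "time": when,
            "served": status == "200",  # printer returned content
            "outside_admin_net": ipaddress.ip_address(client) not in ADMIN_NET,
        })
    return findings

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set and `outside_admin_net` set are the ones to triage first: the printer returned content to a host that has no reason to read its configuration.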


One Response

  1. Carson August 7, 2013 at 1:34 pm #

    I don't quite get it. This does not seem like it was done by accident; in fact it is rather obvious that these URLs were there for a reason. How could one think that storing a root password or WPS pin in plain text/hex is acceptable? Why the software developer did this I have no clue.
