The vulnerability, dubbed CVE-2013-4807, was discovered by Michał Sajdak of Securitum.pl who described how hackers could extract plaintext admin passwords via hidden URLs hardcoded into the printers’ hardware.
Sajdak discovered that if you access vulnerable LaserJet printers via a URL like this:
http://IP_ADDRESS/dev/save_restore.xml
you are not required to authenticate yourself, and a number of parameters are easily accessible.
For instance, in his example, Sajdak found a hex representation of the admin password:
In this case, 0x746573746f7765 is the hex equivalent to “testowe”.
Furthermore, Sajdak found that WiFi-enabled printers could leak the network’s WPS PIN:
http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin
The good news is that the security vulnerability was disclosed responsibly to Hewlett-Packard, and firmware updates for affected printers are available for users to download.
The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update.
According to the security advisory published by Hewlett-Packard, a patch for the vulnerability is available the following printers: HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP, and HP LaserJet Pro CP1025nw.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
I dont quite get it. This does not seem like it was done by accident; in fact it is rather obvious that these URLs were there for a reason. How could one think that storing a root password or WPS pin in plain text/hex is acceptable? Why the software developer did this I have no clue.
Think harder!