Monday, April 23, 2012

XSS on HP printer web interface

Yesterday I was watching a Defcon 19 talk about multi-function printer security which was pretty fun. So this give me an idea : what about mine ? For sure, I have not a professional printer which can be connected to an LDAP or whatever, but my printer (HP Deskjet 3070A) has network access too :)

According to Nmap, lots of TCP port seem opened :

Starting Nmap 5.21 ( ) at 2012-04-22 21:16 CEST
Nmap scan report for HP7D7AA8 (
Host is up (0.28s latency).
Not shown: 65520 closed ports
80/tcp   open  http
443/tcp  open  https
631/tcp  open  ipp
3910/tcp open  unknown
3911/tcp open  unknown
6839/tcp open  unknown
7435/tcp open  unknown
8080/tcp open  http-proxy
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9110/tcp open  unknown
9111/tcp open  DragonIDSConsole
9112/tcp open  unknown
9220/tcp open  unknown
9290/tcp open  unknown
MAC Address: 2C:76:8A:7D:7A:A8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 855.57 seconds

Ok cool, let's see the HTTP server and the Web interface ...

Printer's HTTP server name is too verbose, it looks like :

HP HTTP Server; HP Deskjet 3070 B611 series - 012345; Serial Number: 0123456789ABCD; Munich_mp1 Built:Thu Apr 28, 2011 03:49:36PM {0123456789ABC, ASIC id 0x00340100}

Yes we can get the serial number from the HTTP Server header :)

Now if we take a look on the web interface, we can found a fun XSS. As this printer is Wifi capable, we can configure Wifi using this interface. But what about a cool SSID like "<script> alert('owned?') </script>" ? 

I let you setup your AP with aforementioned SSID. Note than you can use an Android phone, it's easy and quick to configure :)

As soon as this Wifi AP is setup, you can configure you printer to use it : Network > Wireless Setup Wizard (https://<IP>/#hId-setupPage).

Click on "Start Wizard" :

We can see our new AP :

Now if we select it and click on "Next", we get our XSS :D