Yesterday I was watching a Defcon 19 talk about multi-function printer security, which was pretty fun. So this gave me an idea: what about mine? Sure, I don't have a professional printer that can be connected to LDAP or whatever, but my printer (HP Deskjet 3070A) has network access too :)
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-22 21:16 CEST
Nmap scan report for HP7D7AA8 (192.168.1.23)
Host is up (0.28s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
631/tcp open ipp
3910/tcp open unknown
3911/tcp open unknown
6839/tcp open unknown
7435/tcp open unknown
8080/tcp open http-proxy
9100/tcp open jetdirect
9101/tcp open jetdirect
9102/tcp open jetdirect
9110/tcp open unknown
9111/tcp open DragonIDSConsole
9112/tcp open unknown
9220/tcp open unknown
9290/tcp open unknown
MAC Address: 2C:76:8A:7D:7A:A8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 855.57 seconds
Ok cool, let's see the HTTP server and the Web interface ...
The printer's HTTP server name is too verbose; it looks like:
HP HTTP Server; HP Deskjet 3070 B611 series - 012345; Serial Number: 0123456789ABCD; Munich_mp1 Built:Thu Apr 28, 2011 03:49:36PM {0123456789ABC, ASIC id 0x00340100}
Yes, we can get the serial number from the HTTP Server header :)
Now if we take a look at the web interface, we can find a fun XSS. As this printer is Wi-Fi capable, we can configure Wi-Fi using this interface. But what about a cool SSID like "<script>alert('owned?')</script>"?
I'll let you set up your AP with the aforementioned SSID. Note that you can use an Android phone; it's easy and quick to configure :)
As soon as this Wi-Fi AP is set up, you can configure your printer to use it: Network > Wireless Setup Wizard (https://<IP>/#hId-setupPage).
Click on "Start Wizard" :
We can see our new AP :
Now if we select it and click on "Next", we get our XSS :D
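The XSS above fires because a scanned SSID ends up in the page as markup rather than as text. As an added example (not from the original post and not HP's code; the function names and list markup are hypothetical), this shows that pattern beside a version that treats the SSID as untrusted bytes and escapes it before output:

```javascript
// Added example: names and markup are hypothetical, not taken from the printer firmware.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape text for use in element content or a quoted attribute value.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// An SSID is 0-32 arbitrary bytes chosen by whoever runs the AP.
// Decode leniently (invalid UTF-8 becomes U+FFFD) and make control characters visible.
function ssidToText(ssidBytes) {
  const text = new TextDecoder('utf-8').decode(ssidBytes.subarray(0, 32));
  return text.replace(/[\u0000-\u001f\u007f]/g, '\uFFFD');
}

// Vulnerable pattern: scan result concatenated straight into markup.
function renderNetworkUnsafe(ssidBytes) {
  return '<li class="ap">' + new TextDecoder().decode(ssidBytes) + '</li>';
}

// Hardened pattern: same markup, SSID treated strictly as text.
function renderNetworkSafe(ssidBytes) {
  return '<li class="ap">' + escapeHtml(ssidToText(ssidBytes)) + '</li>';
}

// Constructed sample scan results (the second is the SSID used in this post).
const scan = [
  Buffer.from('HomeNet'),
  Buffer.from("<script>alert('owned?')</script>"),
];
for (const ssid of scan) {
  console.log('unsafe:', renderNetworkUnsafe(ssid));
  console.log('safe:  ', renderNetworkSafe(ssid));
}
```

In browser code that builds the list through the DOM, assigning the decoded SSID to `textContent` instead of `innerHTML` gives the same result without manual escaping.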
Thumbs Up ! :)