Vulnerabilities > CVE-2013-4807 - Information Disclosure vulnerability in Multiple HP LaserJet Pro Printers

CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
COMPLETE
Availability impact
NONE
network
low complexity
hp
nessus

Summary

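Unspecified vulnerability on the HP LaserJet Pro P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1218nfs MFP, and CP1025nw with firmware before 2013-07-26 20130703 allows remote attackers to modify data via unknown vectors.

Note: the CVSS values above (confidentiality NONE, integrity COMPLETE) follow this CVE wording, whereas the Nessus plugins listed below test for disclosure of the administrative password and the WPS PIN. When triaging, treat an affected printer as a credential exposure and do not rely on the confidentiality rating.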

Nessus

  • NASL family: CGI abuses
    NASL id: HP_LASERJETPRO_SAVERESTORE_PWD_DISCLOSURE.NASL
    description: The remote HP LaserJet Pro printer is affected by an information disclosure vulnerability. The file '/dev/save_restore.xml' contains a hexadecimal representation of the administrative password.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69283
    published: 2013-08-09
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/69283
    title: HP LaserJet Pro /dev/save_restore.xml Administrative Password Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: it runs only when 'description' is set.  It declares
    # the plugin's metadata and prerequisites and then exits, so nothing in it
    # contacts the target; the actual check is the code after this block.
    if (description)
    {
      script_id(69283);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/27");
    
      # External identifiers for the issue (CVE, Bugtraq ID, IAVB notice).
      script_cve_id("CVE-2013-4807");
      script_bugtraq_id(61565);
      script_xref(name:"IAVB", value:"2013-B-0080");
    
      script_name(english:"HP LaserJet Pro /dev/save_restore.xml Administrative Password Disclosure");
      script_summary(english:"Attempts to obtain administrative password");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote printer is affected by an information disclosure
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote HP LaserJet Pro printer is affected by an information
    disclosure vulnerability.  The file '/dev/save_restore.xml' contains a
    hexadecimal representation of the administrative password.  This
    information can be used by an attacker in further attacks.");
      # The two see_also values are shortened links; the comment above each one
      # gives the original address (researcher write-up, then the HP bulletin).
      # https://sekurak.pl/hp-laserjet-pro-printers-remote-admin-password-extraction/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6839c51c");
      # http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03825817-2&ac.admitted=1375460537894.876444892.199480143
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08935147");
      script_set_attribute(attribute:"solution", value:
    "Update the printer's firmware or disable file system access via the
    Postscript interface.");
      # NOTE(review): the base vector is taken from the CVE entry (see
      # cvss_score_source below) and rates C:N/I:C, although the description
      # above is a password disclosure.  Do not read C:N as "no
      # confidentiality impact" when prioritising this finding.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4807");
    
      # Exploitability flags.  "exploited_by_nessus" matches the check below,
      # which requests the file and decodes the password instead of inferring
      # the flaw from a firmware version.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
    
      # As recorded here, the patch date (2013/07/26) precedes the public
      # disclosure date (2013/07/31).
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/07/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:hp:laserjet");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      # ACT_ATTACK: the plugin sends a real request for the sensitive file.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the KB key www/hp_laserjet/pname must exist (presumably
      # set by hp_laserjet_detect.nasl -- confirm against that script), CGI
      # scanning must not be disabled, and a web service must be known or
      # port 80 must be in scope.
      script_dependencies("hp_laserjet_detect.nasl");
      script_require_keys("www/hp_laserjet/pname");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Request the printer's save/restore file from its embedded web server.
    # The call passes no credentials explicitly.  'url' and 'port' are reused
    # later when the finding is reported.
    # Defensive note: a GET for this path from any host other than an
    # authorised scanner is worth alerting on.
    url = '/dev/save_restore.xml';
    port = get_http_port(default:80, dont_break:TRUE, embedded:TRUE);
    res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);
    pwd_str = "";
    
    # res[2] is the response body.  When none of the three element names
    # appears in it, the response is not the expected settings file and the
    # target is audited out as not affected.
    if (!(
      "<name>e_HttpPassword</name>" >< res[2] ||
      "<name>e_cloudPrinterID</name>" >< res[2] ||
      "<name>e_StatusLog</name>" >< res[2]
    ))
    {
      audit(AUDIT_WEB_APP_NOT_AFFECTED, "HP LaserJet Pro admin interface", build_url(port:port, qs:url));
    }
    
    # Split the body at each closing </variable> tag and take the first chunk
    # that both names e_HttpPassword and has a <value> element.  pwd_str then
    # holds that chunk from "<value>" onwards; if no chunk qualifies it keeps
    # the value it had before the loop.
    foreach grp (split(res[2], sep:"</variable>", keep:FALSE))
    {
      if ("e_HttpPassword" >< grp)
      {
        value_pos = stridx(grp, "<value>");
        if (value_pos >= 0)
        {
          pwd_str = substr(grp, value_pos);
          break;
        }
      }
    }
    
    # pwd_str is expected to span three lines:
    #   <value>
    #     hex text encoding the password (NUL bytes may be present)
    #   </value>
    # so the second element returned by split() carries the hex text.  If
    # there is no second element (including when pwd_str is empty), the
    # target is audited out as not affected.
    parts = split(pwd_str);
    if (isnull(parts[1]))
    {
      audit(AUDIT_WEB_APP_NOT_AFFECTED, "HP LaserJet Pro admin interface", build_url(port:port, qs:url));
    }
    
    # Trim the line and turn the hex text back into raw bytes.
    hex_text = strip(chomp(parts[1]));
    pwd_ascii = hex2raw(s:hex_text);
    
    # Copy bytes up to, but not including, the first NUL.  pwd_txt is never
    # initialised, so it is still NULL when no byte gets copied; the isnull()
    # test below depends on that.
    n = strlen(pwd_ascii);
    for (i = 0; i < n; i++)
    {
      if (pwd_ascii[i] == raw_string(0)) break;
      pwd_txt += pwd_ascii[i];
    }
    
    # Nothing decoded means there is nothing to report.
    if (isnull(pwd_txt))
    {
      audit(AUDIT_WEB_APP_NOT_AFFECTED, "HP LaserJet Pro admin interface", build_url(port:port, qs:url));
    }
    
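    # Mask the password before it is written to the report.  Scan results are
    # stored and passed around, so the report must not carry the credential.
    # The previous masking printed the first and last character around "**"
    # for passwords of up to four characters, which reproduced a one- or
    # two-character password in full, and it revealed four characters of any
    # longer one.  Now at most the first and last character are shown, and
    # only for passwords longer than four characters.  Shorter ones are
    # replaced entirely by '*'.  The masked value keeps the original length.
    len = strlen(pwd_txt);
    if (len > 4)
      clean_pwd = substr(pwd_txt, 0, 0) + crap(data:"*", len - 2) + substr(pwd_txt, len - 1);
    else
      clean_pwd = crap(data:"*", len);
    
    # Report the finding.  The URL and masked password are added only when
    # report_verbosity is above zero; otherwise the port alone is flagged.
    # Even masked, the output shows the password length and up to two of its
    # characters, so handle the scan report as sensitive.
    if (report_verbosity > 0)
    {
      report =
        '\n' +
        '\nNessus was able to verify the issue and obtain the administrative password : ' +
        '\n\n' +
        '\n  URL                     : ' + build_url(port:port, qs:url) +
        '\n  Administrative password : ' + clean_pwd +
        '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);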
    
  • NASL family: CGI abuses
    NASL id: HP_LASERJETPRO_IOMGMTADAPTERS_WPS_PIN_DISC.NASL
    description: The remote HP LaserJet Pro printer is affected by an information disclosure vulnerability. The file […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69282
    published: 2013-08-09
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/69282
    title: HP LaserJet Pro /IoMgmt/Adapters/wifi0/WPS/Pin WPS PIN Disclosure

The Hacker News

id: THN:C5083F6355E94037C2C5E53249062440
last seen: 2017-01-08
modified: 2013-08-06
published: 2013-08-06
reporter: Mohit Kumar
source: http://thehackernews.com/2013/08/hacking-HP-printers-Vulnerability-wifi-password.html
title: HP LaserJet Pro Printers remotely exploitable to gain unauthorized access to Wi-Fi and Printer Data