nessus · This script is Copyright (C) 2003-2023 Tenable Network Security, Inc. · SNMP_HPJETDIRECTEWS.NASL
History: Mar 04, 2003 - 12:00 a.m.

HP JetDirect Device SNMP Request Cleartext Admin Credential Disclosure

2003-03-04 00:00:00
This script is Copyright (C) 2003-2023 Tenable Network Security, Inc.
www.tenable.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.8

Confidence

Low

EPSS

0.08

Percentile

94.3%

It is possible to obtain the password of the remote HP JetDirect web server by sending SNMP requests.

An attacker may use this information to gain administrative access to the remote printer.

#TRUSTED 3c1a327d7af63a2181ee9bcc68353640fff36d7e2cfdb6b48e9826e5626bb87ea8f24a6337367b2362015c0231cee7464fb8bdaafb840b010754a34be7b2f75daa6881c616c423dd5634c5c3d06e36062a2b52b101d4071e3cba6e9e4de8fdbc4afb7534927953e756e21fa1d55224178cc15aeef58e7243881d5c871eb6f2b1915e0cb85d6e5aa7336fd345eb53a21fac54c53be4b8a1793f81df2871e22491f17fbc59dade89aed1856804b0c25e8d3d850647b13c1b414bb9964b4e3f032893963566a77ae5432865e780b6b00aeacf87153933f91a3e534608be6b67d8d9564d1d7fe10c93b3a23f62cfd4a9dccd320281f3480e60ae6fd7423557d60f131fb2fe78c619475f4e758cda36a5eaf9804d333d89e210804475251a25c922a746e90a3459cc91c6d55b1454c67ea5adac6c5f5438d064d795f3d585c8b36ad3fdb193e58168de44abadb335d2bd3d08d698752c9c166cd8b765d38c5bab5e6c254d0cbb8f9ba339ab5cf4e0794febf8905c6d7d38c26faed90521ffe80b25336f3ca81b10f0053239b30f9fac4c83193b01b09f334b84055cc07c825b49821ab9a3029f5413a283bb584b19b96000f1d4181b47066e0e3afa6a0c844c18afd91588ce1e5c73eb81bd3b9dc5556455ba0c325dd0945f39cf649b23755fd80aa9a916de0077ec0475cc7e86cbaeae6ca6028d37eae7c9a8c94ded44466005ddb0
#TRUST-RSA-SHA256 3b7e3c15396aa24d83042ea17d91c4e409ee86c9a8561c2ba4e454d6e371d466ee8c20ade8439d4354db302eddcf8178501d3340841524bd478b17313d7857f3b4e146e8d22452d26ce0347c6b0347508e4d7f778d5912f046e7ab5ae1637cb006d4481562d4c7679fb94d6359d4c95d66302ef82e2401eecf024a640b8adef6a215bb453d90c31fa1be14e595bdb95ce0802438fa50ff28611a59bdef8838be007d1089ca0cc2e3996b3fc7b4bd980b2484afb867c300d667799daa80dc4aac93b8d51f3a45ef2f758679e1667eff608fe19dc6878d05b9ec0c4f300ac3879eef365d747ec1aa68b45838838e94a139374574c6cd8a2fb99486600c3fa7ed4022a477b9fd03668c7d05ccc8fe5288abd5c151e48c69c79264e89ec721cc4abd7e0f94e008aa82b1a2716d4f322315571255218b26a7132498986151da0bf23adf996274873e3f1d8636f97191fd830fc508244baaf34fe964195d8fa088e9d832739c934c2eb9db3d99f45294e341750cdcd2d3a7886d98e1696984a9373759aceec879a8f35d6e6830eeb42a1695a3ae9f4f00c45ad1e03ad002d300e972b9ac4ae76beb4a2e8ad43e134cbab2ceba099f5380052d1cf9d36b0eb70ac9333d680f51fab2c1519f274e11b8fe4edcf1eeb9fa3841cea2b8d4fe450421aa054be40ee9f283cde70fe6ce61ae01a3bc5ef30252b783ad56237d8397e30cce25b3
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration block: taken only when the engine loads the plugin with
# `description` set. It declares the plugin's metadata and scheduling
# requirements and then exits, so none of the SNMP code below runs here.
if(description)
{
 script_id(11317);
 script_version("1.32");
 script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/08");
 # Vulnerability identifiers this check reports against.
 script_cve_id("CVE-2002-1048");
 script_bugtraq_id(5331, 7001);

 script_name(english:"HP JetDirect Device SNMP Request Cleartext Admin Credential Disclosure");
 
 script_set_attribute(attribute:"synopsis", value:
"The administrative password of the remote HP JetDirect printer can be obtained
using SNMP." );
 script_set_attribute(attribute:"description", value:
"It is possible to obtain the password of the remote HP JetDirect
web server by sending SNMP requests.

An attacker may use this information to gain administrative access
to the remote printer." );
 # NOTE(review): the remediation text below covers disabling or filtering
 # SNMP only. A password that this check was able to read should be treated
 # as exposed and changed once SNMP access has been restricted.
 script_set_attribute(attribute:"solution", value:
"Disable the SNMP service on the remote host if you do not use it,
or filter incoming UDP packets going to this port.

http://www.securityfocus.com/archive/1/313714/2003-03-01/2003-03-07/0" );
 script_set_attribute(attribute:"risk_factor", value:"High");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/04");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/07/27");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_summary(english:"Enumerates password of JetDirect Web Server via SNMP");
 # Classified as an information-gathering check.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2023 Tenable Network Security, Inc.");
 script_family(english:"SNMP");
 # Scheduled after snmp_sysDesc.nasl, and only when the knowledge base already
 # holds SNMP/OID and SNMP/community (presumably populated by that dependency
 # chain -- confirm). The finding therefore presupposes a community string
 # that the scanner already knows for this host.
 script_dependencies("snmp_sysDesc.nasl");
 script_require_keys("SNMP/OID", "SNMP/community");
 exit(0);
}

include ("snmp_func.inc");
include ("misc_func.inc");


# Vendor gate: continue only when the OID stored under SNMP/OID belongs to
# the HP enterprise subtree (1.3.6.1.4.1.11). Presumably this is the device's
# sysObjectID -- confirm against snmp_sysDesc.nasl.
oid = get_kb_item("SNMP/OID");
if (!oid) exit(0);
if (!is_valid_snmp_product(manufacturer:"1.3.6.1.4.1.11", oid:oid)) exit(0);

# Reuse the community string already recorded in the knowledge base; the
# check does not try to guess one itself.
community = get_kb_item("SNMP/community");
if (!community) exit(0);

# Fall back to UDP/161 when no SNMP port was recorded, and stop early with an
# explanatory message when that port is not considered open.
port = get_kb_item("SNMP/port");
if (!port) port = 161;
if (!get_udp_port_state(port)) exit(0, "UDP port "+port+" is not open.");

soc = open_sock_udp(port);
if (!soc) exit(0);

# Ask for the object following 1.3.6.1.4.1.11.2.3.9.1.1.13. The reply is
# accepted only when the returned OID (pass[0]) is exactly the .0 instance of
# that object; pass[1] then carries the value that is examined below.
pass = snmp_request_next(socket:soc, community:community, oid:"1.3.6.1.4.1.11.2.3.9.1.1.13");
if (isnull(pass) || (pass[0] != "1.3.6.1.4.1.11.2.3.9.1.1.13.0")) exit(0);

# Hex-encode the value so that the next statement can compare it against an
# all-zero pattern.
hexpass = hexstr(pass[1]);
if (hexpass == "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") exit(0);

# Nothing to report when the returned value is empty or consists only of
# spaces.
if (strlen(pass[1]) <= 0 || pass[1] =~ "^ *$")
  exit(0);

# The recovered value is copied verbatim into the plugin output, so the scan
# report itself will contain the administrative password in cleartext.
# NOTE(review): handle stored and exported results for this plugin as
# sensitive data.
password = 'Remote printer password is : ' + pass[1];
security_hole(port:port, extra:password, protocol:"udp");
