openvas | Copyright (C) 2012 Greenbone Networks GmbH | OPENVAS:1361412562310902935
HistoryNov 28, 2012 - 12:00 a.m.

Samsung Printer SNMP Hardcoded Community String Authentication Bypass Vulnerability

2012-11-28 00:00:00
Copyright (C) 2012 Greenbone Networks GmbH
plugins.openvas.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.7 High

AI Score

Confidence

High

0.144 Low

EPSS

Percentile

95.8%

Samsung Printers are prone to an authentication bypass
vulnerability.

# Copyright (C) 2012 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

# Registration block: runs only when the scanner loads the script for its
# metadata (the `description` flag is set). It declares identity, scheduling
# requirements and the report texts, then exits without touching the target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.902935");
  script_version("2022-04-27T12:01:52+0000");
  script_cve_id("CVE-2012-4964");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2022-04-27 12:01:52 +0000 (Wed, 27 Apr 2022)");
  script_tag(name:"creation_date", value:"2012-11-28 13:37:22 +0530 (Wed, 28 Nov 2012)");
  script_name("Samsung Printer SNMP Hardcoded Community String Authentication Bypass Vulnerability");
  # ACT_ATTACK: the check below sends a live SNMP request to the target
  # instead of inferring the flaw from a version string.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
  script_family("SNMP");
  # Scheduling: only runs once the "SNMP/detected" KB key is present
  # (presumably set by snmp_detect.nasl -- confirm against that script) and
  # considers the detected SNMP service port plus UDP 161 and 1118.
  script_dependencies("snmp_detect.nasl");
  script_require_udp_ports("Services/udp/snmp", 161, 1118);
  script_mandatory_keys("SNMP/detected");

  # NOTE(review): the references use plain http and date from 2012; verify
  # that they still resolve before relying on them in a report.
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/281284");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/56692");
  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2012/Nov/196");
  script_xref(name:"URL", value:"http://packetstormsecurity.org/files/118413/samsung-backdoor.txt");

  script_tag(name:"impact", value:"Successful exploitation will allow attackers to access an
  affected device with administrative privileges, make changes to the device configuration and
  access to sensitive information.");

  # NOTE(review): per the insight text, the community string stays active even
  # when SNMP is disabled in the management utility, so that setting is not a
  # mitigation. Until the firmware is updated, the practical interim control
  # is to restrict who can reach the printer's SNMP ports at the network
  # layer.
  script_tag(name:"insight", value:"Samsung printers (as well as some Dell printers manufactured by
  Samsung) contain a hardcoded SNMP full read-write community string that remains active even when
  SNMP is disabled in the printer management utility.");

  script_tag(name:"solution", value:"Update to firmware version 20121031 or later.");

  script_tag(name:"summary", value:"Samsung Printers are prone to an authentication bypass
  vulnerability.");

  # NOTE(review): "later this year" in the text below refers to 2012, the
  # year the check was written.
  script_tag(name:"affected", value:"Samsung Printers with firmware version prior to 20121031.

  NOTE: Samsung has stated that models released after October 31, 2012 are not affected by this
  vulnerability. Samsung has also indicated that they will be releasing a patch tool later this
  year to address vulnerable devices.");

  script_tag(name:"solution_type", value:"VendorFix");
  # remote_vul: presumably marks the result as coming from an active remote
  # check -- confirm against the scanner's quality-of-detection documentation.
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

include("dump.inc");
include("list_array_func.inc");
include("port_service_func.inc");

# Candidate SNMP ports: the two defaults this check knows about (161 and 1118),
# passed to service_get_ports() together with the "snmp"/UDP service selector.
snmp_default_ports = make_list_unique(161, 1118);
ports = service_get_ports(proto:"snmp", ipproto:"udp", default_port_list:snmp_default_ports);

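# Extracts the value that follows the first 8-byte OID beginning with 0x2B
# (decimal 43) in a raw SNMP response.
#
# The scan looks for the byte pair 0x08 0x2B, i.e. an OID length of 8 followed
# by the first OID byte, then skips the 8 OID bytes plus the two bytes after
# them (presumably the value's type and length bytes -- confirm against the
# expected response layout).
#
# @param data Raw response bytes as received from the socket.
#
# @return The bytes following the skipped header, with one leading
#         non-printable byte removed if present; FALSE if the response is too
#         short, holds no matching OID, or ends before the value starts.
function parse_result(data) {

  # Declared locally so the helper cannot read or overwrite same-named
  # variables of the calling script.
  local_var data_len, idx, found, oid_len, value_start, value;

  data_len = strlen(data);
  if(data_len < 8) return FALSE;

  found = FALSE;

  # Start at 1: the match looks back one byte, so index 0 can never match and
  # reading data[-1] is out of range.
  for(idx = 1; idx < data_len; idx++) {
    if(ord(data[idx]) == 43 && ord(data[idx - 1]) == 8) {
      found = TRUE;
      break;
    }
  }

  if(!found) return FALSE;

  # The match condition itself requires the length byte to be 8.
  oid_len = 8;

  # A truncated response must not be indexed past its end.
  value_start = idx + oid_len + 2;
  if(value_start >= data_len) return FALSE;

  value = substr(data, value_start);

  # Drop one leading non-printable byte (for example an extra length byte).
  if(!isprint(c:value[0])) {
    value = substr(value, 1);
  }
  return value;
}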

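# Sends an SNMP GetNextRequest for OID 1.3.6.1.2.1 using the given community
# string and returns the value parsed from the reply.
#
# The request is built by hand with the version field set to 0, 1 and 2 in
# turn. NOTE(review): 0 and 1 are SNMPv1 and v2c; confirm that the value 2 is
# intended.
#
# @param community Community string to place in the request.
# @param port      UDP port of the SNMP agent.
#
# @return The string returned by parse_result() for the first reply that
#         parses, or FALSE if the socket cannot be opened, no reply starting
#         with an ASN.1 SEQUENCE tag (0x30) arrives, or no reply parses.
function test(community,port) {

  # Working variables are declared locally so they cannot overwrite
  # same-named globals of the calling script; the parameters are already
  # scoped to the function.
  local_var soc, community_len, total_len, version, request, reply, descr;

  soc = open_sock_udp(port);
  if(!soc)return FALSE;

  community_len = strlen(community);

  # 31 = bytes that follow the outer SEQUENCE header, not counting the
  # community string itself (version, community header and the fixed PDU).
  total_len = 31 + community_len;

  for (version=0; version<3; version++) {

    request = raw_string(
                  0x30, 0x82, total_len / 256, total_len % 256,
                  0x02, 0x01, version, 0x04,
                  community_len % 256) +
              community +
              raw_string(0xA1,0x18, 0x02,
                  0x01, 0x01, 0x02, 0x01,
                  0x00, 0x02, 0x01, 0x00,
                  0x30, 0x0D, 0x30, 0x82,
                  0x00, 0x09, 0x06, 0x05,
                  0x2B, 0x06, 0x01, 0x02,
                  0x01, 0x05, 0x00);

    send(socket:soc, data:request);
    reply = recv(socket:soc, length:65535, timeout:1);

    # The socket used to be closed here, inside the loop, so the second and
    # third attempt wrote to an already closed socket. It is now kept open
    # for all attempts and closed once on every exit path.
    if(!reply || ord(reply[0]) != 48) {
      close(soc);
      return FALSE;
    }

    if(descr = parse_result(data:reply)) {
      close(soc);
      return descr;
    }
  }

  close(soc);
  return FALSE;
}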

# Probe every candidate port and report the first one whose reply to the
# hardcoded community string identifies a Samsung or Dell device.
foreach port (ports) {

  # Ignore ports the scanner does not consider open.
  if (!get_udp_port_state(port))
    continue;

  # Agents that accept every random community string would answer this probe
  # too, so a reply from them proves nothing about the hardcoded string.
  if (get_kb_item("SNMP/" + port + "/v12c/all_communities"))
    continue;

  reply_text = test(community:'s!a@m#n$p%c', port:port);
  if (reply_text) {

    # Case-insensitive vendor match on the returned text.
    reply_text = tolower(reply_text);

    if ("samsung" >< reply_text || "dell" >< reply_text) {
      security_message(port:port, proto:"udp");
      exit(0);
    }
  }
}

# No port answered as a matching device.
exit(99);
