Samsung SyncThruWeb SMB Hash Disclosure

2015-08-31T00:00:00
ID PACKETSTORM:133383
Type packetstorm
Reporter Shad Malloy
Modified 2015-08-31T00:00:00

Description

                                        
                                            `# Exploit Title: Samsung SyncThruWeb SMB Hash Disclosure  
  
# Date: 8/28/15  
  
# Exploit Author: Shad Malloy  
  
# Contact: http://twitter.com/SecureNM  
  
# Website: https://securenetworkmanagement.com  
  
# Vendor Homepage: http://www.samsung.com   
  
# Software Link:  
http://www.samsung.com/hk_en/consumer/solutions/type/SyncThruWebService.html  
  
# Version: Known Vulnerable versions Samsung SCX-5835_5935 Series Printer  
Main Firmware Version : 2.01.00.26   
  
Samsung SCX-5635 Series Printer Main Firmware Version : 2.01.01.18  
12-08-2009   
  
  
  
# Tested on:   
  
Samsung SCX-5835_5935 Series Printer  
  
Main Firmware Version : 2.01.00.26   
  
Network Firmware Version : V4.01.05(SCX-5835/5935)  
12-22-2008   
  
Engine Firmware Version : 1.20.73   
  
UI Firmware Version : V1.03.01.55 07-13-2009   
  
Finisher Firmware Version : Not Installed   
  
PCL5E Firmware Version : PCL5e 5.87 11-07-2008   
  
PCL6 Firmware Version : PCL6 5.86 10-28-2008   
  
PostScript Firmware Version : PS3 V1.93.06 12-19-2008   
  
SPL Firmware Version : SPL 5.32 01-03-2008   
  
TIFF Firmware Version : TIFF 0.91.00 10-07-2008  
  
Samsung SCX-5635 Series  
  
Main Firmware Version : 2.01.01.18 12-08-2009   
  
Network Firmware Version : V4.01.16(SCX-5635)  
12-04-2009   
  
Engine Firmware Version : 1.31.32   
  
PCL5E Firmware Version : PCL5e 5.92 02-12-2009  
  
  
PCL6 Firmware Version : PCL6 5.93 03-21-2009  
  
  
PostScript Firmware Version : PS3 1.94.06 12-22-2008   
  
TIFF Firmware Version : TIFF 0.91.00 10-07-2008  
  
  
  
Proof of Concept  
  
1. Using the default username and password (admin/admin), it is  
possible to obtain all credentials used for SMB file transfer. To obtain the  
file access http://<printer url>/smb_serverList.csv.  
  
2. The UserName and UserPassword fields are unencrypted and  
visible using any text editor.  
  
  
  
Relevant Patches  
  
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX563  
5_V2.01.01.28_0401113_1.00.zip  
  
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX583  
5_5935_V2.01.00.56_0401113_1.01.zip  
  
  
  
Shad Malloy  
  
Secure Network Management, LLC  
  
  
`