Overview
Research by Obsrva identified an unauthenticated stored cross-site scripting vulnerability in the HP OfficeJet 4630 e-All-in-One Printer. The vulnerability enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields of the AirPrint settings due to improper input sanitization.
Disclosure Timeline
- 10 January 2021: Vulnerability discovered, HP’s PSRT Team is contacted
- 4 February 2021: HP PSRT assigns case number PSR-2021-0006
- 4 February 2021: HP PSRT states product is EOL and declines CVE
- 4 February 2021: MITRE contacted as root CNA
- 27 April 2021: MITRE escalates to CNA Coordination Team
- 8 June 2021: HP PSRT Team states a CVE will be issued
- 20 August 2021: HP publishes CVE-2021-3441 and Security Bulletin
Scope
The scope of this disclosure is defined as the vendor, product, and model which were found to be vulnerable by the researcher. At present, only the HP Inc, HP Officejet 4630 e-All-in-One Printer series model number B4L03A, and firmware version MYM1FN2025AR were tested for this 0-day vulnerability. The offending component, AirPrint, is used in other HP products; according to Apple, there are over 1,000 models of HP printers capable of AirPrint. Other models of HP printers that share this same vulnerable component are likely to be vulnerable as well but have not been assessed.
Identified Vulnerabilities
Unauthenticated Cross-site Scripting (XSS) – Stored CWE-79
The HP Officejet 4630 e-All-in-One Printer series uses an embedded web server (EWS) to allow users to use services such as document scanning and faxing wirelessly. The EWS serves as the management console for these features. The printer broadcasts its own network SSID, to which users can connect to start services, configure settings, update firmware, etc. One of these feature settings, AirPrint, was found to have a component vulnerable to XSS in the table airprint-statusTbl.
Specifically, user-supplied input in the printer location and printer name fields of the airprint-statusTbl is vulnerable to stored cross-site scripting due to a flaw in the implementation of AirPrint, located in the resource /webApps/AirPrint/AirPrint.js. Input in these fields is stored in the resources /DevMgmt/ProductConfigDyn.xml and /DevMgmt/NetAppsDyn.xml respectively and is sent via an HTTP PUT request. It is rendered back to the user unsanitized on the /#hId-pgAirPrint page. Attackers can manually enter a payload string of up to 32 characters through the web browser, or send a specially crafted PUT request with a longer payload. The payload can be placed in the body of the PUT request between the opening and closing dd:DeviceLocation tags for the printer location input, or the dd:ApplicationServiceName tags for the printer name input.
Of course, any number of more malicious payloads could be used, such as <script>alert(document.cookie);</script>. When injected and reloaded, the client browser opens an alert with the contents of the current user's cookies.
The two aforementioned fields were the only user input found to be vulnerable to such an attack. Mitigations were found to be in place in other areas of the application. For example, using the plaintext tag payload in the host name field of the Networking tab on the Network settings page results in an error message, “Host Name: Invalid input”. Similar behavior is observed in other areas of the application.
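As an added example (not HP's EWS code and not the advisory's PoC), the following Python shows the server-side check a fixed firmware would need for the two fields above: it parses the XML body of a PUT to the AirPrint configuration resource, flags values that contain markup or exceed the 32-character limit the form enforces only in the browser, and produces the HTML-escaped form a renderer should use, the same kind of rejection the host name field already performs. The element skeleton, the namespace URIs and the sample values are constructed assumptions.

```python
"""Server-side validation for the two AirPrint fields named in this advisory.
Added example, not HP's EWS code: the element skeleton, namespace URIs and
sample values are assumptions; the 32-character cap mirrors the limit the
EWS form applies only in the browser."""
import html
import xml.etree.ElementTree as ET

WATCHED_FIELDS = {"DeviceLocation", "ApplicationServiceName"}  # unsanitised fields
MAX_LEN = 32                   # limit the EWS form enforces client-side only
MARKUP_CHARS = set("<>\"'&")   # characters that can break out of HTML text


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_put_body(body):
    """Return {field: (verdict, safe_value)} for each watched field.
    verdict is 'ok', 'too_long' or 'markup'; safe_value is the HTML-escaped
    text a fixed EWS should store or render instead of the raw input."""
    results = {}
    for el in ET.fromstring(body).iter():
        name = local_name(el.tag)
        if name not in WATCHED_FIELDS:
            continue
        value = el.text or ""
        if len(value) > MAX_LEN:
            verdict = "too_long"
        elif MARKUP_CHARS & set(value):
            verdict = "markup"
        else:
            verdict = "ok"
        results[name] = (verdict, html.escape(value, quote=True))
    return results


# Constructed body in the shape of a PUT to /DevMgmt/NetAppsDyn.xml: a script
# tag (XML-escaped in transit) in the location field and a benign printer name.
SAMPLE_BODY = """<nad:NetAppsDyn xmlns:nad="urn:example:netapps"
                 xmlns:dd="urn:example:dd">
  <dd:DeviceLocation>&lt;script&gt;alert(1)&lt;/script&gt;</dd:DeviceLocation>
  <dd:ApplicationServiceName>Office Printer 4630</dd:ApplicationServiceName>
</nad:NetAppsDyn>"""

if __name__ == "__main__":
    for field, (verdict, safe) in inspect_put_body(SAMPLE_BODY).items():
        print(f"{field}: {verdict} -> render as {safe!r}")
```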
Proof of Concept
To demonstrate how a remote attacker could exploit this vulnerability, a simple proof-of-concept exploit was developed. The exploit uses the curl command from a bash shell to send an HTTP PUT request to the target web server with a small payload. The payload uses the JavaScript window.location property to force the client browser to make a request to an attacker-owned machine on the same network, http://192.168.223.100. The request appends the cookies of the user who loads the page, read from document.cookie, thus sending the user's session ID to the attacker, who can then retrieve it from the server logs. This particular payload makes no attempt to hide the exploit from end users; however, the next section covers a more sophisticated URL-redirection attack that would be difficult for users to identify.
Figure 6 shows a local Python web server running and capturing the stored cookies when the victim browses the AirPrint settings page. As shown in the terminal window at the bottom, the victim's cookies are appended to the end of the request.
Data Exfiltration via Content-Security Bypass
The embedded web server implements a Content Security Policy (CSP), which typically prevents JavaScript from executing in malicious ways. In fact, several malicious payloads are prevented from running because the browser blocks them as policy violations. For example, payloads that load remote JavaScript files or images are blocked by the browser because of a CSP violation. This is not true for all XSS payloads, as the CSP allows 'unsafe-inline' in the default-src directive. This means that injected inline JavaScript such as window.location can still execute and redirect users to remote servers, as seen in the advanced PoC. The image below shows a report from CSP Evaluator which indicates that the current Content Security Policy still enables XSS exploits.
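To make the 'unsafe-inline' point above concrete, here is an added Python example (not HP's code and not the advisory's PoC) that applies the CSP fallback and nonce/hash rules to a policy header and reports whether inline script, the form a stored payload in the AirPrint fields takes, would still run. The two policy strings are constructed: the page only states that default-src carries 'unsafe-inline', so WEAK_CSP is a representative stand-in rather than HP's actual header.

```python
"""Check whether a Content-Security-Policy header still lets inline script run.
Added example, not HP's code or the advisory's PoC. The policy strings are
constructed: the page only says the EWS policy carries 'unsafe-inline' in
default-src, so WEAK_CSP is a representative stand-in, not HP's real header."""


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_script_allowed(header):
    """Apply the CSP fallback and nonce/hash rules to the script directive.
    script-src governs inline script and default-src only fills in when it is
    absent; 'unsafe-inline' is honoured only if no nonce- or sha*-source is
    listed, since CSP Level 2+ browsers ignore it once one is present."""
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True  # nothing governs script, so nothing is restricted
    sources = [s.strip("'").lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in sources
    )
    return "unsafe-inline" in sources and not has_nonce_or_hash


# Constructed weak policy mirroring the flaw described above: a stored inline
# <script> in the printer name or location field is still executed.
WEAK_CSP = "default-src 'self' 'unsafe-inline'; img-src 'self'"

# Hardened variant: script only from the EWS origin and no inline execution,
# so the browser blocks a stored payload even if the fields stay unescaped.
HARDENED_CSP = "default-src 'self'; script-src 'self'; img-src 'self'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: inline script allowed = {inline_script_allowed(csp)}")
```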