Samsung SyncThruWeb SMB Hash Disclosure

vendor:

SyncThruWeb

by:

Shad Malloy

7,5

CVSS

HIGH

Credential Disclosure

200

CWE

Product Name: SyncThruWeb

Affected Version From: Samsung SCX-5835_5935 Series Printer Main Firmware Version : 2.01.00.26, Samsung SCX-5635 Series Printer Main Firmware Version : 2.01.01.18 12-08-2009

Affected Version To: Samsung SCX-5835_5935 Series Printer Network Firmware Version : V4.01.05(SCX-5835/5935) 12-22-2008, Samsung SCX-5635 Series Network Firmware Version : V4.01.16(SCX-5635) 12-04-2009

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2015

Samsung SyncThruWeb SMB Hash Disclosure

Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file access http://<printer url>/smb_serverList.csv. The UserName and Password fields are in plain text.

Mitigation:

Change the default username and password, and restrict access to the printer URL.

Source

Exploit-DB raw data:

# Exploit Title: Samsung SyncThruWeb SMB Hash Disclosure

# Date: 8/28/15

# Exploit Author: Shad Malloy

# Contact: http://twitter.com/SecureNM

# Website: https://securenetworkmanagement.com

# Vendor Homepage: http://www.samsung.com 

# Software Link:
http://www.samsung.com/hk_en/consumer/solutions/type/SyncThruWebService.html

# Version: Known Vulnerable versions   Samsung SCX-5835_5935 Series Printer
Main Firmware Version : 2.01.00.26  

Samsung SCX-5635 Series Printer Main Firmware Version : 2.01.01.18
12-08-2009 

 

# Tested on: 

  Samsung SCX-5835_5935 Series Printer

                Main Firmware Version :  2.01.00.26  

                Network Firmware Version :  V4.01.05(SCX-5835/5935)
12-22-2008  

                Engine Firmware Version :  1.20.73  

                UI Firmware Version :  V1.03.01.55 07-13-2009  

                Finisher Firmware Version :  Not Installed  

                PCL5E Firmware Version : PCL5e 5.87 11-07-2008  

                 PCL6 Firmware Version : PCL6 5.86 10-28-2008  

                PostScript Firmware Version : PS3 V1.93.06 12-19-2008  

                SPL Firmware Version : SPL 5.32 01-03-2008  

                TIFF Firmware Version : TIFF 0.91.00 10-07-2008

Samsung SCX-5635 Series

                   Main Firmware Version :           2.01.01.18 12-08-2009 

                Network Firmware Version :       V4.01.16(SCX-5635)
12-04-2009 

                Engine Firmware Version :           1.31.32 

                PCL5E Firmware Version :             PCL5e 5.92 02-12-2009


                PCL6 Firmware Version :               PCL6 5.93 03-21-2009


                PostScript Firmware Version :    PS3 1.94.06 12-22-2008 

                TIFF Firmware Version : TIFF 0.91.00 10-07-2008

 

Proof of Concept

1.            Using the default username and password (admin/admin), it is
possible to obtain all credentials used for SMB file transfer. To obtain the
file access http://<printer url>/smb_serverList.csv.

2.            The UserName and UserPassword fields are unencrypted and
visible using any text editor.

 

Relevant Patches

http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX563
5_V2.01.01.28_0401113_1.00.zip

http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX583
5_5935_V2.01.00.56_0401113_1.01.zip

 

Shad Malloy

Secure Network Management, LLC