R7-2017-28: Epson AirPrint XSS (CVE-2018-5550)


Category : Rapid7

The Epson AirPrint web configuration page is vulnerable to a reflected cross-site scripting (XSS) issue in the INPUTT_GEOLOCATION parameter of the web administration console. An attacker with network access to the printer’s web UI could leverage this issue to trick the printer’s administrator into disclosing a session cookie, thus elevating the attacker’s privileges to those of a printer administrator.

Product Description

Epson AirPrint is shipped with a number of Epson home and small office printers, all of which have many standard networking capabilities. Note that by default, the administrative web interface isn’t password protected, and the printer allows anyone to change settings without authentication. Thus, this reflected XSS issue is only useful to an attacker in situations where someone has already enabled password protection on the web UI.

Credit

This issue was discovered by Steven Campbell, a Rapid7 researcher.

Exploitation for Reflected XSS (CWE-79)

The web configuration page for AirPrint is vulnerable to reflected Cross-Site Scripting (XSS) due to a lack of input filtering of the ‘INPUTT_GEOLOCATION’ parameter. This issue was discovered on an Epson XP-440 printer, and an example URL is shown below:

http://192.168.1.217/PRESENTATION/BONJOUR?INPUTT_BSNAME=EPSON+XP-440+Series&INPUTT_BLOCATION=test&INPUTT_GEOLOCATION=0.000000%2c0.000000f0l9r"><script>alert('XSS')</script>&SEL_PPROTOCOL=Port9100&trigger=AirPrint_trg_set&tm=
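
The input filtering the parameter lacks can be written as an allow-list check, shown here as an added example that is not code from the advisory or from Epson's firmware. It assumes a legitimate value is a "lat,lon" decimal pair (inferred from the example URL); the function names and the `<input>` markup are hypothetical.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate value is a "lat,lon" decimal pair, inferred from the
# 0.000000,0.000000 prefix of the value in the advisory's example URL.
GEO_RE = re.compile(r"-?\d{1,3}(?:\.\d{1,6})?,-?\d{1,3}(?:\.\d{1,6})?", re.ASCII)
DEFAULT_GEO = "0.000000,0.000000"

def geolocation_is_valid(value):
    """Allow-list check: the whole value must be an in-range decimal pair."""
    if not GEO_RE.fullmatch(value):
        return False
    lat, lon = (float(part) for part in value.split(","))
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0

def suspicious_geolocation(url):
    """Return the INPUTT_GEOLOCATION values in a request URL that fail the check."""
    params = parse_qs(urlsplit(url).query)
    return [v for v in params.get("INPUTT_GEOLOCATION", []) if not geolocation_is_valid(v)]

def render_geolocation_field(value):
    """Hypothetical server-side rendering: validate first, then escape on output."""
    if not geolocation_is_valid(value):
        value = DEFAULT_GEO
    # Escaping stays even after validation, so a later regex change cannot reopen the hole.
    return '<input name="INPUTT_GEOLOCATION" value="%s">' % escape(value, quote=True)

REQUESTS = [
    # The example URL from the advisory.
    """http://192.168.1.217/PRESENTATION/BONJOUR?INPUTT_BSNAME=EPSON+XP-440+Series&INPUTT_BLOCATION=test&INPUTT_GEOLOCATION=0.000000%2c0.000000f0l9r"><script>alert('XSS')</script>&SEL_PPROTOCOL=Port9100&trigger=AirPrint_trg_set&tm=""",
    # Constructed benign request for comparison.
    "http://192.0.2.10/PRESENTATION/BONJOUR?INPUTT_GEOLOCATION=35.681236%2c139.767125&trigger=AirPrint_trg_set",
]

if __name__ == "__main__":
    for url in REQUESTS:
        bad = suspicious_geolocation(url)
        print("FLAG" if bad else "ok  ", urlsplit(url).netloc, bad)
```

The same check can run over proxy or web-server request logs to flag crafted links sent to a printer administrator.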

Remediation

Users of Epson printers should check for an update using the vendor’s software updater, as described in the vendor’s advisory.

Absent a vendor patch, users should use network segmentation and network ACLs to prevent untrusted users from accessing the printer’s web UI.

Disclosure Timeline

  • Mon, Nov 20, 2017: Initial disclosure attempt to the vendor
  • Tue, Dec 05, 2017: Details provided to vendor
  • Tue, Dec 05, 2017: Disclosed to CERT/CC, tracked as VRF#17-12-DSPVH
  • Wed, Jan 17, 2018: Reserved CVE-2018-5550
  • Fri, Jan 19, 2018: Vendor published an advisory detailing the issue and remediation guidance.
  • Thu, Feb 8, 2018: Public Disclosure of CVE-2018-5550

Source: https://blog.rapid7.com/2018/02/08/r7-2017-28-epson-airprint-xss-cve-2018-5550/

Author:  Tod Beardsley

