
List:       full-disclosure
Subject:    Re: [FD] Canon Printer Exposes WiFi Password
From:       Matt Andreko <mandreko () gmail ! com>
Date:       2014-03-28 22:26:35
Message-ID: CAPeaunUKE2Q=nJuj3JSCUTTV0O+J4j0H0pP2U6PXjFsnM3MXVA () mail ! gmail ! com

I found the same issue and more (even a DoS) in the Canon web UI:
https://www.mattandreko.com/2013/06/18/canon-y-u-no-security/

Unfortunately, Canon's response seems less than impressive. They apparently
don't really care as long as the product sells. Their response is pretty
much, "Nobody would be stupid enough to put it on a public IP", yet there
are hundreds on ShodanHQ. I saw some for big universities' libraries.
Imagine the fun a bad guy could have DoS'ing the printer during finals week.

I was trying to reverse the firmware, to find more bugs, but didn't have a
lot of luck, as that's not really my thing. However, I'm guessing someone
that does it regularly could have a heyday.



On Fri, Mar 28, 2014 at 5:20 PM, Taylor Hornby <havoc@defuse.ca> wrote:

> Affects: Canon PIXMA MX722 Printer (and probably other Canon printers).
>
> After typing my WPA2 WiFi password into the printer (through the
> built-in hardware keypad), it exposes the cleartext password to the LAN
> through an admin page that isn't password protected:
>
> https://twitter.com/DefuseSec/status/419910112442982401/photo/1
>
> You can enable password protection of that page, but:
>
> 1) There is no password protection by default. It silently exposes your
>    password, and you'll never know unless you go looking for it.
>
> 2) There's no need to embed the actual password in the HTML form anyway.
>    They could have used placeholder text instead of the real password.
>
> Regards,
> --
> Taylor Hornby
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
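
Point 2 of the quoted report (placeholder text instead of the real password) can be shown in code. The following is an added example, not part of either message and not Canon's code: a check that flags form fields carrying a stored secret in their `value` attribute, next to a form renderer that never emits it. The field names, the function names and the sample page are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumption: field names containing these fragments hold secrets.
SECRET_NAME = re.compile(r"pass|psk|key|secret", re.I)

class _InputScanner(HTMLParser):
    """Collects <input> fields that send a stored secret back to the browser."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        is_secret = (a.get("type", "").lower() == "password"
                     or SECRET_NAME.search(a.get("name", "")))
        if is_secret and a.get("value", "") != "":
            self.findings.append(a.get("name", "<unnamed>"))

def find_prefilled_secrets(page):
    """Return the names of secret-looking inputs with a non-empty value."""
    scanner = _InputScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings

def render_wifi_form(ssid, passphrase_is_set):
    """Hardened rendering: the stored passphrase is never written into the page."""
    hint = "(unchanged)" if passphrase_is_set else ""
    return ('<form method="post">'
            f'<input type="text" name="ssid" value="{escape(ssid, quote=True)}">'
            f'<input type="password" name="passphrase" value="" placeholder="{hint}">'
            '</form>')

def apply_update(stored, submitted):
    """An empty submitted field means 'keep the stored passphrase'."""
    return submitted if submitted else stored

# Constructed sample of the weak pattern: the real secret sits in the value attribute.
WEAK_PAGE = ('<form><input type="text" name="ssid" value="HomeNet">'
             '<input type="text" name="passphrase" value="correct horse battery"></form>')

if __name__ == "__main__":
    print(find_prefilled_secrets(WEAK_PAGE))
    print(find_prefilled_secrets(render_wifi_form("HomeNet", True)))
```

The renderer only needs to know whether a passphrase exists, so the secret never has to reach the code that builds the page.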
