samsung

All posts tagged samsung

About a year ago during a network penetration test I found an information disclosure vulnerability in a Samsung printer. The disclosure was fairly serious; NTLM hashes for any network accounts were stored in a CSV file. I’m not a web application penetration tester but luckily the connection was slow enough that I watched the page load briefly then redirect to the next page. This definitely highlights the importance of manually testing.

Because this has been responsibly disclosed and patched it isn’t technically an 0day.

The firmware fixing the vulnerability was released over six months ago and I didn’t want to publish any vulnerability information irresponsibly.  The following is the information submitted to Samsung and links to the updated firmware. Updating any Samsung printers is important. Equally important is adding printers and other peripheral devices to your patching program.


SyncThru Web SMB Password Disclosure

Known Vulnerable Versions
Samsung SCX-5835_5935 Series Printer
Main Firmware Version :  2.01.00.26
Network Firmware Version :  V4.01.05(SCX-5835/5935) 12-22-2008
Engine Firmware Version :  1.20.73
UI Firmware Version :  V1.03.01.55 07-13-2009
Finisher Firmware Version :  Not Installed
PCL5E Firmware Version : PCL5e 5.87 11-07-2008
PCL6 Firmware Version : PCL6 5.86 10-28-2008
PostScript Firmware Version : PS3 V1.93.06 12-19-2008
SPL Firmware Version : SPL 5.32 01-03-2008
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
Samsung SCX-5635 Series
Main Firmware Version :     2.01.01.18 12-08-2009
Network Firmware Version :     V4.01.16(SCX-5635) 12-04-2009
Engine Firmware Version :     1.31.32
PCL5E Firmware Version :    PCL5e 5.92 02-12-2009
PCL6 Firmware Version :    PCL6 5.93 03-21-2009
PostScript Firmware Version :    PS3 1.94.06 12-22-2008
TIFF Firmware Version :    TIFF 0.91.00 10-07-2008

Proof of Concept

  1. This procedure does not seem to work using Internet Explorer 7 but behaves as expected with Firefox 4.0.1.
  2. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file access     http://<printer url>/smb_serverList.csv
  3. The UserName and UserPassword fields are unencrypted and visible using any text editor.

Links to Updated Firmware
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Acknowledgements
Samsung security and I had a few miscommunications and I chose to hold off on releasing this until I knew that a patch was available. When I inquired again they immediately rectified the situation.

Contact security@samsung.com if you happen to find any additional vulnerabilities.