SATO CLN4X label printer default credentials VT

Here’s another one for the default credentials family. In order to make this one work, you have to do an HTTP POST. The target is login.lua and it returns valid json if the login is successful. Can you all review it and give feedback on it? I’d like to include it in the community VT feed if possible.

I'm sure it needs a LOT of cleanup/modification, but it works. In order to get it to run from the command line, I had to use the --kb="Transports/TCP/443=2" option like the following:

openvas-nasl -X -B -d -i /var/lib/openvas/plugins/ -t <target IP address> gb_sato_default_credentials.nasl --kb="Transports/TCP/443=2"
###############################################################################
# OpenVAS Vulnerability Test
#
# SATO CLN4X Label Printer Default Credentials Vulnerability
#
# Copyright:
# Copyright (C) 2020 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.300004");
  script_version("2020-04-20T16:28:43+0000");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2020-04-20 16:28:43 +0000 (Mon, 20 Apr 2020)");
  script_tag(name:"creation_date", value:"2020-04-20 16:28:43 +0000 (Mon, 20 Apr 2020)");
  script_name("SATO CLN4X Label Printer Default Credentials Vulnerability");
  script_category(ACT_ATTACK);
  script_family("Default Credentials");
  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
  # Run the service detection first so the web port and its TLS transport are
  # already in the KB. This is what the --kb="Transports/TCP/443=2" workaround
  # supplies by hand when the VT is run on its own from the command line.
  script_dependencies("find_service.nasl", "httpver.nasl");
  script_require_ports("Services/www", 443);

  script_tag(name:"impact", value:"Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from vulnerable devices or allow an attacker to change the configuration of the printer. This may aid in further attacks.");

  script_tag(name:"vuldetect", value:"Sends an HTTP POST request with the default, documented credentials and checks if the printer responds in the affirmative.");

  script_tag(name:"insight", value:"The remote SATO printer is configured with default credentials. The password for the 'settings' group defaults to '0310' and the password for the 'service' group defaults to '6677'.");

  script_tag(name:"solution", value:"Set the passwords for the 'settings' and 'service' groups to a non-default value.");

  script_tag(name:"summary", value:"SATO CLN4X printers are shipped with default credentials for the 'settings' and 'service' groups.");

  script_tag(name:"affected", value:"CLN4X. Other devices and models might be affected as well.");

  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Use the web port found by the service detection instead of a hard-coded 443.
port = http_get_port(default:443);

login_url = "/WebConfig/lua/auth.lua";

# Password groups of the web UI and their factory-default passwords.
creds = make_array("settings", "0310",
                   "service",  "6677");

report = "";

foreach user(keys(creds)) {
  pw = creds[user];

  # The web UI posts the form fields "pw" and "group" to auth.lua with the
  # "web=true" cookie set; a successful login is answered with a JSON document.
  req = http_post_put_req(port:port,
                          url:login_url,
                          data:"pw=" + pw + "&group=" + user,
                          accept_header:"application/json",
                          add_headers:make_array("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8",
                                                 "Cookie", "web=true"));

  # Only the body is inspected so that header text can never match.
  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if(!buf)
    continue;

  # The JSON returned for a successful login contains "level1"; a failed login does not.
  if("level1" >< buf)
    report += '\n' + user + ':' + pw;
}

# Report all working credentials in a single finding for the port instead of
# one security_message() per credential pair.
if(report) {
  report = 'It was possible to login using the following credentials (group:password):\n' + report;
  security_message(port:port, data:report);
  exit(0);
}

exit(99);
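For anyone who wants to exercise the same check outside of openvas-nasl (for example to confirm what the printer actually answers before the VT is reviewed), here is a stand-alone Python re-implementation. This is an added example, not code from the post above and not part of any Greenbone feed. The path, form fields, headers and default passwords are taken from the NASL; the JSON response shape is constructed, because the post only says that a successful login returns valid JSON and that the VT looks for "level1" in it; TLS certificate verification is disabled on the assumption that the printer uses a self-signed certificate, as a scanner would.

```python
import http.client
import json
import ssl
import urllib.parse

# Path, form fields, headers and defaults as used by the NASL above.
LOGIN_PATH = "/WebConfig/lua/auth.lua"
DEFAULT_CREDS = {"settings": "0310", "service": "6677"}
HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Accept": "application/json",
    "Cookie": "web=true",
}


def build_login_body(group, pw):
    """Form body exactly as the VT sends it: pw=<pw>&group=<group>."""
    return urllib.parse.urlencode({"pw": pw, "group": group})


def _contains_value(node, needle):
    """Recursively look for `needle` as a key or scalar value in parsed JSON."""
    if isinstance(node, dict):
        return any(k == needle or _contains_value(v, needle) for k, v in node.items())
    if isinstance(node, list):
        return any(_contains_value(v, needle) for v in node)
    return node == needle


def login_succeeded(status, body):
    """The VT greps the raw response for 'level1'. Here we require a 200 with a
    JSON body (the post says success returns valid JSON) and then look for
    'level1' as a key or value, so 'level1' inside an HTML error page or a
    response header cannot produce a false positive."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return _contains_value(doc, "level1")


def https_send(host, port, path, body, headers):
    """Real transport: one HTTPS POST. Certificate verification is disabled
    (assumption: printers ship with self-signed certificates)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def try_default_logins(host, port=443, creds=DEFAULT_CREDS, send=https_send):
    """Return the (group, password) pairs the device accepts. `send` is
    injectable so the decision logic can be run offline against canned data."""
    accepted = []
    for group, pw in creds.items():
        status, body = send(host, port, LOGIN_PATH, build_login_body(group, pw), HEADERS)
        if login_succeeded(status, body):
            accepted.append((group, pw))
    return accepted


# Constructed sample responses (not captured from a real printer): all the post
# tells us is that a successful login returns JSON containing "level1".
SAMPLE_OK = '{"result": "ok", "auth": "level1"}'
SAMPLE_FAIL = '{"result": "error"}'


def fake_send(host, port, path, body, headers):
    """Offline stand-in for https_send: only the 'settings' default is accepted."""
    fields = urllib.parse.parse_qs(body)
    if fields.get("group") == ["settings"] and fields.get("pw") == ["0310"]:
        return 200, SAMPLE_OK
    return 200, SAMPLE_FAIL


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = try_default_logins(sys.argv[1])
    else:
        found = try_default_logins("printer.example", send=fake_send)
    for group, pw in found:
        print("default credentials accepted: %s:%s" % (group, pw))
```

Run it with the printer's address as the only argument to probe a real device; without an argument it runs against the constructed responses. The `send` parameter exists so the "is this a successful login" decision can be tested without a printer, which is also the part of the VT most worth reviewing: matching a bare substring in the whole response is what the NASL does, and parsing the JSON first is the stricter check.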

It’s been a while since I’ve been able to focus on any of this. Has anyone looked it over? Can it be included in the community feeds?