Skip to content

Instantly share code, notes, and snippets.

Last active March 22, 2023 11:00
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 to your computer and use it in GitHub Desktop.
Save smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 to your computer and use it in GitHub Desktop.



For proof of concept purposes, the MyQ Print Server is installed on a local virtual machine. The software can be downloaded at the following URL. At the time of writing, the current version is MyQ Print Server 8.2 (Patch 28).

Pasted image 20230125171339

Our environment consists of an administrator account and two users without privileges. One of the user accounts will be used as the attacker and the other user account acts as a victim. In MyQ, a user can have a pin or password. For the victim account we set both in order to better demonstrate the impact of the attack.





The vulnerability exists in the runReport function, where poor access control is implemented. The function is invoked when using the "Export" functionality, that is offered on multiple points across the web interface. In particular, this feature is seen in the user menu, where an export can be generated. This menu is only available in the Web GUI for administrator accounts: Pasted image 20230125172832

The exported CSV file contains informations about registered users, including the unsalted MD5 hashes of PINs and passwords. Note that it does not contain an entry for the *admin account.

Pasted image 20230126103909

The report is generated by calling runReport, which is accessed as a fragment in the web interface. The runReport function takes an id parameter, specifying which report to generate. Additionally, a file format and filters can be chosen. To generate the user report, the URL fragment #{"r":"runReport","id":-49,"format":"csv"} is accessed.


User Export for Account Takeover

The greatest impact of the vulnerability can be seen in the user export. The user menu and export functionality is not accessible to non-administrator users in the web interface. They can however generate the same report as above by directly accessing the URL https://HOST:PORT/en-us/#{%22r%22:%22runReport%22,%22id%22:-49,%22format%22:%22csv%22}

As a proof of concept, a default account "attacker", with no access to the user menu has been created. Pasted image 20230125195818

After accessing the URL, the same document can be downloaded from the server.

Pasted image 20230125200020

In the default configuration, the PINs consists of 6 digits, so that cracking their MD5 hash is trivial. Since the passwords are hashed using unsalted MD5, weak passwords can be efficiently bruteforced offline as well. This can allow an attacker to take over any user account that uses a PIN or weak password.

Other Exports

The same approach can be used by non-administrator accounts to export other information that should only be accessible to administrators. By exchanging the id parameter in the runReport endpoint, other reports can be downloaded. It was found that the id -53 corresponds to an "Audit Log", which contains information about created users, changed settings and similar events.

Pasted image 20230125205530

Following is an excerpt of the generated document from the URL http://HOST:PORT/en-us/app/#{%22r%22:%22runReport%22,%22id%22:-53,%22format%22:%22csv%22,%22filter%22:{}}:

Created;Description;Context;User;Subsystem;Attribute;Old value;New value
01/25/2023 2:18:46 AM;Addition;;Administrator (*admin);WebUI;;;
01/25/2023 2:18:46 AM;Addition;attacker;Administrator (*admin);WebUI;;;
01/25/2023 2:18:23 AM;Addition;;Administrator (*admin);WebUI;;;
01/25/2023 2:18:23 AM;Addition;Regular User;Administrator (*admin);WebUI;;;
01/25/2023 1:56:03 AM;Change;;System (*system);CLI;Full name;Unauthenticated user;User not authenticated by MyQ
01/25/2023 1:56:03 AM;Change;;System (*system);CLI;Name;All Users;All users

Finally, it was found that the id -51 generates a report over installed printers: http://HOST:PORT/en-us/app/#{%22r%22:%22runReport%22,%22id%22:-51,%22format%22:%22csv%22} Since no printers are installed in the local setup, the generated report contained no entries. The columns of the CSV are as follows:

printer;location;IPAddress;scannerIP;terminalID;slaveTerminalID;enforcedModel;assetNumber;contact;purchaseDate;Model ;Serial number;MAC;B&W print;Color print;B&W copies;Color copies;Scans;Fax;C;M;Y;K;A4 paper;A3 paper;A5 paper;B4 paper;B5 paper;Other paper;Folio paper;Ledger paper;Legal paper;Letter paper;Statement paper;Rest of paper;Print color pages (L1);Print color pages (L2);Print color pages (L3);Copy color pages (L1);Copy color pages (L2);Copy color pages (L3)


Discovered by:

  • Benjamin Schmidt
  • Tristan Ebert

At Spike Reply GmbH

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment