@smidtbx10
Last active March 22, 2023 11:00

CVE-2023-27107

Setup

For proof of concept purposes, the MyQ Print Server is installed on a local virtual machine. The software can be downloaded at the following URL. At the time of writing, the current version is MyQ Print Server 8.2 (Patch 28).

https://smart.myq-solution.com/

Our environment consists of an administrator account and two users without privileges. One of the user accounts is used as the attacker and the other acts as the victim. In MyQ, a user can have a PIN or a password. For the victim account we set both in order to better demonstrate the impact of the attack.

admin
user:*admin
password:admin

user
user:attacker
pin:1234
password:Helloworld

user
user:user1
pin:6044

Description

The vulnerability exists in the runReport function, where access control is not properly enforced. The function is invoked by the "Export" functionality, which is offered at multiple points across the web interface. In particular, this feature appears in the user menu, where an export can be generated. This menu is only available in the Web GUI for administrator accounts.

The exported CSV file contains information about registered users, including the unsalted MD5 hashes of PINs and passwords. Note that it does not contain an entry for the *admin account.

The report is generated by calling runReport, which is accessed as a fragment in the web interface. The runReport function takes an id parameter, specifying which report to generate. Additionally, a file format and filters can be chosen. To generate the user report, the URL fragment #{"r":"runReport","id":-49,"format":"csv"} is accessed.

PoC

User Export for Account Takeover

The greatest impact of the vulnerability can be seen in the user export. The user menu and the export functionality are not accessible to non-administrator users in the web interface. They can, however, generate the same report as above by directly accessing the URL https://HOST:PORT/en-us/#{%22r%22:%22runReport%22,%22id%22:-49,%22format%22:%22csv%22}

As a proof of concept, a default account "attacker" with no access to the user menu has been created.

After accessing the URL, the same document can be downloaded from the server.

In the default configuration, PINs consist of 6 digits, so cracking their MD5 hashes is trivial. Since the passwords are hashed using unsalted MD5 as well, weak passwords can be efficiently brute-forced offline too. This allows an attacker to take over any user account that uses a PIN or a weak password.

Other Exports

The same approach can be used by non-administrator accounts to export other information that should only be accessible to administrators. By changing the id parameter passed to the runReport endpoint, other reports can be downloaded. It was found that the id -53 corresponds to an "Audit Log", which contains information about created users, changed settings and similar events.
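The root cause described above (runReport trusting that only administrators can reach the Export menu) and the id-swapping in this section are two faces of the same missing server-side check. The following is an added example, not MyQ's code: a report handler in the vulnerable shape beside a hardened one that authorizes every call against a catalogue of report ids and required roles, refuses unknown ids by default, and records each refusal. The report ids -49, -53 and -51 and their names come from this advisory; the catalogue, the Session object and the role names are assumptions for illustration. Because the report id travels in the URL fragment, which browsers never send to the server, the refusal record is written by the application itself rather than taken from web-server access logs.

```python
"""Added example: server-side authorization for a report endpoint modelled on
runReport. Not MyQ code; catalogue, roles and session shape are assumptions."""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

log = logging.getLogger("report-authz")

# Assumed catalogue: report id -> (name, required role). The ids and names are the
# ones observed in the advisory; the role requirement is a hypothetical hardening.
REPORT_CATALOGUE: Dict[int, Tuple[str, str]] = {
    -49: ("Users", "admin"),
    -53: ("Audit Log", "admin"),
    -51: ("Printers", "admin"),
}
ALLOWED_FORMATS: Set[str] = {"csv"}  # assumption: only the format shown on the page

# Every refused request lands here; an alerting hook would read from this list.
DENIALS: List[Dict[str, object]] = []


@dataclass
class Session:
    user: str
    roles: Set[str] = field(default_factory=set)


class ReportAccessDenied(PermissionError):
    pass


def generate(report_id: int, fmt: str) -> str:
    """Stand-in for the real generator; returns a constructed placeholder export."""
    name = REPORT_CATALOGUE.get(report_id, ("unknown", ""))[0]
    return f"<constructed {name} export, format={fmt}>\n"


def run_report_vulnerable(session: Session, report_id: int, fmt: str = "csv") -> str:
    """Vulnerable shape: the only gate is that the Export menu is hidden from
    non-admins in the GUI; the endpoint itself requires nothing beyond a login."""
    return generate(report_id, fmt)


def _deny(session: Session, report_id: int, reason: str) -> None:
    DENIALS.append({"user": session.user, "id": report_id, "reason": reason})
    log.warning("runReport denied user=%s id=%s reason=%s", session.user, report_id, reason)
    raise ReportAccessDenied(reason)


def run_report_hardened(session: Session, report_id: int, fmt: str = "csv") -> str:
    """Hardened shape: validate the format, deny ids outside the catalogue, re-check
    the caller's role on every request, and record every refusal."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format {fmt!r}")
    entry = REPORT_CATALOGUE.get(report_id)
    if entry is None:
        _deny(session, report_id, "unknown report id")
    name, required_role = entry
    if required_role not in session.roles:
        _deny(session, report_id, f"{name!r} requires role {required_role!r}")
    return generate(report_id, fmt)


def check_access(session: Session, ids: Tuple[int, ...] = (-49, -53, -51)) -> Dict[int, bool]:
    """Exercise the hardened handler for several ids; returns {id: allowed}."""
    result: Dict[int, bool] = {}
    for rid in ids:
        try:
            run_report_hardened(session, rid)
            result[rid] = True
        except ReportAccessDenied:
            result[rid] = False
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    attacker, admin = Session("attacker", {"user"}), Session("*admin", {"admin"})
    print("vulnerable handler, attacker:", run_report_vulnerable(attacker, -49).strip())
    print("hardened handler, attacker:", check_access(attacker))
    print("hardened handler, admin:", check_access(admin))
    print("denials recorded:", len(DENIALS))
```

The recorded denials matter as much as the check itself: a single account walking through negative report ids in quick succession is exactly the pattern this section describes, and it only becomes visible if refusals are logged at the application layer.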

The following is an excerpt of the document generated from the URL http://HOST:PORT/en-us/app/#{%22r%22:%22runReport%22,%22id%22:-53,%22format%22:%22csv%22,%22filter%22:{}}:

Created;Description;Context;User;Subsystem;Attribute;Old value;New value
01/25/2023 2:18:46 AM;Addition;;Administrator (*admin);WebUI;;;
01/25/2023 2:18:46 AM;Addition;attacker;Administrator (*admin);WebUI;;;
01/25/2023 2:18:23 AM;Addition;;Administrator (*admin);WebUI;;;
01/25/2023 2:18:23 AM;Addition;Regular User;Administrator (*admin);WebUI;;;
01/25/2023 1:56:03 AM;Change;;System (*system);CLI;Full name;Unauthenticated user;User not authenticated by MyQ
01/25/2023 1:56:03 AM;Change;;System (*system);CLI;Name;All Users;All users
[...]

Finally, it was found that the id -51 generates a report on installed printers: http://HOST:PORT/en-us/app/#{%22r%22:%22runReport%22,%22id%22:-51,%22format%22:%22csv%22}. Since no printers are installed in the local setup, the generated report contained no entries. The columns of the CSV are as follows:

printer;location;IPAddress;scannerIP;terminalID;slaveTerminalID;enforcedModel;assetNumber;contact;purchaseDate;Model ;Serial number;MAC;B&W print;Color print;B&W copies;Color copies;Scans;Fax;C;M;Y;K;A4 paper;A3 paper;A5 paper;B4 paper;B5 paper;Other paper;Folio paper;Ledger paper;Legal paper;Letter paper;Statement paper;Rest of paper;Print color pages (L1);Print color pages (L2);Print color pages (L3);Copy color pages (L1);Copy color pages (L2);Copy color pages (L3)

Credit

Discovered by:

  • Benjamin Schmidt
  • Tristan Ebert

At Spike Reply GmbH
