Dell 2335dn Password Disclosure

During a recent pentest, I encountered a Dell 2335dn printer which did not have any admin credentials set (the default). After authenticating with the username “admin”, I began to poke around to see if there was an LDAP server or SMTP server configured that I could exploit (see https://hackinparis.com/data/slides/2014/DeralHeilandandPeterArzamendi.pdf for some good info on printer exploitation).


What I found was much simpler than that. Right-clicking and choosing “view source” shows the configured SMTP and (presumably) LDAP credentials in plaintext. This device was running the following firmware versions. I have not tested it with other versions, but I suspect that they are vulnerable as well.


  • Printer Firmware Version: 2.70.05.02
  • Engine Firmware Version: 1.10.65
  • Network Firmware Version: V4.02.15 (2335dn MFP) 11-22-2010
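To show what a defender would actually look for when auditing an embedded web UI like this one, here is an added example (not code from the original post, and not tested against the printer): an offline scanner that parses a management page's HTML and reports every password-type input whose value attribute is pre-filled. The post does not say exactly how the 2335dn embeds the credentials; the assumption here is the common pattern of a settings form that echoes the stored secret back in an `<input type="password" value="...">`. The HTML, field names and values below are constructed samples, and only the length of each leaked value is reported so the audit output never records the secret itself.

```python
"""Audit check: find password fields that arrive pre-filled in page source.

Added example, not the original post's code. It assumes the leak takes the
form of <input type="password" value="..."> in a settings form; the sample
page, field names and values are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed sample of a device settings form that echoes stored secrets.
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/smtp" method="post">
  <input type="text" name="smtp_user" value="printer-relay">
  <input type="password" name="smtp_pass" value="S3cretRelay!">
  <input type="text" name="ldap_bind_dn" value="cn=printer,ou=svc,dc=example,dc=com">
  <input type="password" name="ldap_pass" value="Ld4pBind#2018">
  <input type="password" name="new_admin_pass" value="">
</form>
</body></html>
"""


class PasswordFieldScanner(HTMLParser):
    """Collect (field name, value length) for password inputs carrying a value."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Normalise attribute names; a missing value (bare attribute) becomes "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            # Record the length only, never the secret itself.
            self.leaks.append((a.get("name", "<unnamed>"), len(a["value"])))


def find_prefilled_password_fields(html):
    """Return [(field_name, value_length), ...] for every leaking password input.

    An empty value attribute (a blank "set new password" box) is not a leak.
    """
    scanner = PasswordFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.leaks


def mask(length):
    """Render a masked placeholder of the leaked value's length for reports."""
    return "*" * length


if __name__ == "__main__":
    for name, n in find_prefilled_password_fields(SAMPLE_HTML):
        print(f"password field {name!r} is pre-filled in page source ({mask(n)})")
```

Run against saved page source from your own devices, this flags the SMTP and LDAP fields and ignores the empty new-password box; a clean result is a page where no password input carries a value, which is what a correctly built settings form should return.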

[Image: Dell 2335dn management interface]

[Image: Dell 2335dn “view source”]

Super-l33t hack, right? I mean, Taviso is probably jealous. Either way, I felt it was at least important to point out…another good reason to make sure your printer admin interfaces are secured.


I contacted Dell Vulnerability Research and provided the information to them. They indicated that this will not be remediated, since the 2335dn is end-of-support as of May 2018.


Timeline:

  • May 2, 2018: Initial contact to Dell Vulnerability Research.
  • May 16, 2018: Follow-up from Dell: “Our engineering team is still assessing this and working the 3rd party suppliers who provide us the required updates.”
  • August 1, 2018: Follow-up email to Dell.
  • August 2, 2018: Follow-up from Dell: “2335dn has End Of Support Life on May-2018. The replacement printer for the above would be B2375dnf (Falcon) or H815dw (Gyrfalcon C).”
  • August 21, 2018: Follow-up email to Dell, advising them I would be posting this write-up.


No further response from Dell. This has tentatively been assigned CVE-2018-15748.