
SEC-1-hp.txt

Posted Apr 11, 2006
Site sec-1.com

SEC-1 LTD Security Advisory: HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal Vulnerability

tags | advisory
SHA-256 | d015214a56a990d14d7faa42df0ae69e1b72be48b9e246c711341f1cb79c26cc


SEC-1 LTD
www.sec-1.com

Security Advisory

Advisory Name: HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal Vulnerability

Release Date: 04/04/2006
Application: HP Colour LaserJet 2500 and 4600 Toolbox
Platform: Microsoft Windows (all supported versions)
Severity: Remote Arbitrary File Access
Author: Richard Horsman
Vendor Status: Fixed
CVE Candidate: Pending
Reference: http://www.sec-1.com


Overview:

The HP Colour LaserJet 2500 and 4600 Toolbox provides links to printer
status information, help information and tools for diagnosing and
solving problems.


Vulnerability Details:

Sec-1 has identified a security vulnerability within the HP Colour
LaserJet 2500 and 4600 Toolbox software which could allow unauthorised
access to the file system.

The vulnerable process hosts an HTTP interface on TCP port 5225 and is
susceptible to directory traversal. An attacker would have access to any
file the logged-on user has access to within the affected file system.


Exploit:

To exploit this issue:

The following request would attempt to retrieve the c:\boot.ini file via
a standard web browser.

http://<target>:5225/../../../boot.ini

This will retrieve the boot.ini file from the affected host.
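
The following Python check is an added example, not part of the Sec-1 advisory or of HP's update. It flags request paths on the Toolbox port that climb above the served root, which is the condition the advisory describes. The log record layout, addresses and page names are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

TOOLBOX_PORT = "5225"      # listener port named in the advisory
MAX_DECODE_ROUNDS = 3      # assumption: bound on nested percent-encoding

# Constructed proxy/sensor records: "<src> <dst_port> <method> <target> <status>"
SAMPLE_LOG = [
    "192.0.2.10 5225 GET /index.htm 200",
    "192.0.2.44 5225 GET /../../../boot.ini 200",
    "192.0.2.10 5225 GET /help/../index.htm 200",
    "192.0.2.44 5225 GET /..%5c..%5cboot.ini 404",
    "192.0.2.10 80 GET /../../../boot.ini 404",
]


def escapes_root(request_target: str) -> bool:
    """Return True if the path climbs above the directory being served."""
    path = urlsplit(request_target).path
    for _ in range(MAX_DECODE_ROUNDS):   # unwrap percent-encoding layers
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")       # Windows accepts either separator
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:                # stepped above the root
                return True
        else:
            depth += 1
    return False


def flag_traversal(lines):
    """Return (source, target) for Toolbox-port requests that escape the root."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed records
        src, port, _method, target, _status = fields
        if port == TOOLBOX_PORT and escapes_root(target):
            hits.append((src, target))
    return hits


if __name__ == "__main__":
    for src, target in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {target}")
```

The same depth check can sit in front of any file-serving handler so that a path which escapes the root is refused before the file system is touched.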

Vendor Response:

HP has made the "HP Colour LaserJet 2500/4600 Software Update"
version 3.1 available to resolve the issue.

The software update can be downloaded as follows:

For the HP Colour LaserJet 2500

1. Browse to http://www.hp.com/go/clj2500_software
2. Select ">>Download Drivers and Software"
3. Under "Select your product" choose the printer model.
4. Under "Select operating system" choose the operating system.
5. Download the "HP Colour LaserJet 2500/4600 Software Update"
   version 3.1
6. Follow the download instructions presented on the "HP Colour
   LaserJet 2500/4600 Software Update" download page to run the update.

For the HP Colour LaserJet 4600

1. Browse to http://www.hp.com/go/clj4600_software
2. Under "Select your product" choose the printer model.
3. Under "Select operating system" choose the operating system.
4. Download the "HP Colour LaserJet 2500/4600 Software Update"
   version 3.1
5. Follow the download instructions presented on the "HP Colour
   LaserJet 2500/4600 Software Update" download page to run the update.

Sec-1 specialises in the provision of network security solutions. For more information on products and services we offer visit www.sec-1.com or call 0113 257 8955.
