Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Brother MFC-9970CDW Firmware 0D Cross Site Scripting

Related Vulnerabilities: CVE-2013-2507   CVE-2013-2670   CVE-2013-2671   CVE-2013-2672   CVE-2013-2673   CVE-2013-2674   CVE-2013-2675   CVE-2013-2676  
Publish Date: 08 May 2013
Author: sqlhacker
Source 
                							

                -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=========================================

Brother MFC-9970CDW Firmware 0D

Date: Jan. 13, 2013

URL:
http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html

=========================================

Keywords

=========================================

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Brother MFC-9970 CDW

CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673,
CVE-2013-2674, CVE-2013-2675, CVE-2013-2676

=========================================

Summary

=========================================

A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in
January 2013. This document will introduce and discuss the vulnerability
and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware
L Version 1.10 Released on July 9, 2012, and prior versions.

=========================================

Overview

=========================================

Brother Industries, Ltd. is a multinational electronics and electrical
equipment company headquartered in Nagoya, Japan. Its products include
printers, multifunction printers, sewing machines, large machine tools,
label printers, typewriters, fax machines, and other computer-related
electronics. Brother distributes its products both under its own name and
under OEM agreements with other companies.



The MFC-9970cdw Color Laser All-in-One combines print, copy, scan and fax
in one powerful device. It produces high-impact color output at impressive
print and copy speeds of up to 30ppm and offers flexible connectivity with
wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen
display for easy navigation and menu selection. Also, this flagship model
offers automatic duplex print/copy/scan/fax and optional high yield toner
cartridges to help lower your operating costs – making this all-in-one a
smart choice for a business or workgroup.

=========================================

The Bug

=========================================

Reflected Cross Site Scripting, CWE-79

=========================================

Vulnerable Parameters = id , val, kind + Query String

Signature = "><script>alert(1)</script>

=========================================

Version Identification

=========================================

Brother MFC-9970CDW - Version Identification - Firmware “L” Version
1.10

Brother MFC-9970CDW - Version Identification - Firmware “G”

=========================================

PoC

=========================================

PoC URL

http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>
alert(1)</script>

=========================================

CVE Information

=========================================

CVE-2013-2507 is specific to Firmware G.

XSS at:

  admin/log_to_net.html  id parameter

  fax/copy_settings.html kind parameter

CVE-2013-2670 is for the issue that is present in both the Firmware G
report and Firmware L.

XSS at:

  admin/admin_main.html  name of an arbitrarily assigned URL parameter

CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:

Cleartext submission of password CVE-2013-2672

Password field with autocomplete enabled CVE-2013-2673

Cross-domain Referer leakage CVE-2013-2674

Frameable response (Clickjacking) CVE-2013-2675

Private IP addresses disclosed CVE-2013-2676

CVSS 2 Score = 4.5

Timeline

Attempt contact via e-mail in January 2013.

Call the Toll Free Support Line in March 2013.

Callback from Vendor in April 2013.

E-mail sent to Vendor in April 2013.

VENDOR UNRESPONSIVE

Published May 3, 2013

Hoyt LLC Research                                        Public Domain
Report

http://xss.cx/

=========================================

END

=========================================



-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526

wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx
1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv
AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb
4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8
nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG
VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg==
=Ua1o
-----END PGP SIGNATURE-----
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started