what you don't know can hurt you

Brother MFC-9970CDW Firmware 0D Cross Site Scripting

Brother MFC-9970CDW Firmware 0D Cross Site Scripting
Posted May 8, 2013
Authored by sqlhacker

Brother MFC-9970CDW Firmware 0D suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676
MD5 | 0d8bdb968553b01ecc76058a81ce535c

Brother MFC-9970CDW Firmware 0D Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=========================================

Brother MFC-9970CDW Firmware 0D

Date: Jan. 13, 2013

URL:
http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html

=========================================

Keywords

=========================================

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Brother MFC-9970 CDW

CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673,
CVE-2013-2674, CVE-2013-2675, CVE-2013-2676

=========================================

Summary

=========================================

A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in
January 2013. This document will introduce and discuss the vulnerability
and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware
L Version 1.10 Released on July 9, 2012, and prior versions.

=========================================

Overview

=========================================

Brother Industries, Ltd. is a multinational electronics and electrical
equipment company headquartered in Nagoya, Japan. Its products include
printers, multifunction printers, sewing machines, large machine tools,
label printers, typewriters, fax machines, and other computer-related
electronics. Brother distributes its products both under its own name and
under OEM agreements with other companies.



The MFC-9970cdw Color Laser All-in-One combines print, copy, scan and fax
in one powerful device. It produces high-impact color output at impressive
print and copy speeds of up to 30ppm and offers flexible connectivity with
wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen
display for easy navigation and menu selection. Also, this flagship model
offers automatic duplex print/copy/scan/fax and optional high yield toner
cartridges to help lower your operating costs – making this all-in-one a
smart choice for a business or workgroup.

=========================================

The Bug

=========================================

Reflected Cross Site Scripting, CWE-79

=========================================

Vulnerable Parameters = id , val, kind + Query String

Signature = "><script>alert(1)</script>

=========================================

Version Identification

=========================================

Brother MFC-9970CDW - Version Identification - Firmware “L” Version
1.10

Brother MFC-9970CDW - Version Identification - Firmware “G”

=========================================

PoC

=========================================

PoC URL

http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>
alert(1)</script>

=========================================

CVE Information

=========================================

CVE-2013-2507 is specific to Firmware G.

XSS at:

admin/log_to_net.html id parameter

fax/copy_settings.html kind parameter

CVE-2013-2670 is for the issue that is present in both the Firmware G
report and Firmware L.

XSS at:

admin/admin_main.html name of an arbitrarily assigned URL parameter

CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:

Cleartext submission of password CVE-2013-2672

Password field with autocomplete enabled CVE-2013-2673

Cross-domain Referer leakage CVE-2013-2674

Frameable response (Clickjacking) CVE-2013-2675

Private IP addresses disclosed CVE-2013-2676

CVSS 2 Score = 4.5

Timeline

Attempt contact via e-mail in January 2013.

Call the Toll Free Support Line in March 2013.

Callback from Vendor in April 2013.

E-mail sent to Vendor in April 2013.

VENDOR UNRESPONSIVE

Published May 3, 2013

Hoyt LLC Research Public Domain
Report

http://xss.cx/

=========================================

END

=========================================



-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526

wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx
1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv
AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb
4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8
nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG
VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg==
=Ua1o
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close