ID
VAR-E-201305-0048
CVE
| cve_id: | CVE-2013-2673 | Trust: 0.8 |
| cve_id: | CVE-2013-2675 | Trust: 0.8 |
| cve_id: | CVE-2013-2507 | Trust: 0.5 |
| cve_id: | CVE-2013-2670 | Trust: 0.5 |
| cve_id: | CVE-2013-2671 | Trust: 0.5 |
| cve_id: | CVE-2013-2672 | Trust: 0.5 |
| cve_id: | CVE-2013-2674 | Trust: 0.5 |
| cve_id: | CVE-2013-2676 | Trust: 0.5 |
TITLE
Brother MFC-9970CDW Firmware 0D Cross Site Scripting
Trust: 0.5
DESCRIPTION
Brother MFC-9970CDW Firmware 0D suffers from multiple cross site scripting vulnerabilities.
Trust: 0.5
AFFECTED PRODUCTS
| vendor: | brother | model: | mfc-9970cdw 0d | scope: | - | version: | - | Trust: 0.5 |
| vendor: | brother | model: | mfc-9970cdw l | scope: | eq | version: | 1.10 | Trust: 0.3 |
| vendor: | brother | model: | mfc-9970cdw frimware l | scope: | eq | version: | 1.10 | Trust: 0.3 |
EXPLOIT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=========================================
Brother MFC-9970CDW Firmware 0D
Date: Jan. 13, 2013
URL:
http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html
=========================================
Keywords
=========================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Brother MFC-9970 CDW
CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673,
CVE-2013-2674, CVE-2013-2675, CVE-2013-2676
=========================================
Summary
=========================================
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in
January 2013. This document will introduce and discuss the vulnerability
and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware
L Version 1.10 Released on July 9, 2012, and prior versions.
=========================================
Overview
=========================================
Brother Industries, Ltd. is a multinational electronics and electrical
equipment company headquartered in Nagoya, Japan. Its products include
printers, multifunction printers, sewing machines, large machine tools,
label printers, typewriters, fax machines, and other computer-related
electronics. Brother distributes its products both under its own name and
under OEM agreements with other companies.
The MFC-9970cdw Color Laser All-in-One combines print, copy, scan and fax
in one powerful device. It produces high-impact color output at impressive
print and copy speeds of up to 30ppm and offers flexible connectivity with
wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen
display for easy navigation and menu selection. Also, this flagship model
offers automatic duplex print/copy/scan/fax and optional high yield toner
cartridges to help lower your operating costs \x96 making this all-in-one a
smart choice for a business or workgroup.
=========================================
The Bug
=========================================
Reflected Cross Site Scripting, CWE-79
=========================================
Vulnerable Parameters = id , val, kind + Query String
Signature = "><script>alert(1)</script>
=========================================
Version Identification
=========================================
Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version
1.10
Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94
=========================================
PoC
=========================================
PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>
alert(1)</script>
=========================================
CVE Information
=========================================
CVE-2013-2507 is specific to Firmware G.
XSS at:
admin/log_to_net.html id parameter
fax/copy_settings.html kind parameter
CVE-2013-2670 is for the issue that is present in both the Firmware G
report and Firmware L.
XSS at:
admin/admin_main.html name of an arbitrarily assigned URL parameter
CVE-2013-2671 is for the XSS issues that are only present in Firmware L.
CVEs for Firmware L:
Cleartext submission of password CVE-2013-2672
Password field with autocomplete enabled CVE-2013-2673
Cross-domain Referer leakage CVE-2013-2674
Frameable response (Clickjacking) CVE-2013-2675
Private IP addresses disclosed CVE-2013-2676
CVSS 2 Score = 4.5
Timeline
Attempt contact via e-mail in January 2013.
Call the Toll Free Support Line in March 2013.
Callback from Vendor in April 2013.
E-mail sent to Vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013
Hoyt LLC Research Public Domain
Report
http://xss.cx/
=========================================
END
=========================================
-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526
wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx
1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv
AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb
4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8
nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG
VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg==
=Ua1o
-----END PGP SIGNATURE-----
Trust: 0.5
EXPLOIT HASH
LOCAL | SOURCE | ||||||||
|
|
Trust: 0.5
PRICE
free
Trust: 0.5
TYPE
xss
Trust: 0.5
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | vulnerability | Trust: 0.5 |
| tag: | xss | Trust: 0.5 |
CREDITS
sqlhacker
Trust: 0.5
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-2673 | Trust: 0.8 |
| db: | NVD | id: | CVE-2013-2675 | Trust: 0.8 |
| db: | NVD | id: | CVE-2013-2674 | Trust: 0.5 |
| db: | NVD | id: | CVE-2013-2670 | Trust: 0.5 |
| db: | NVD | id: | CVE-2013-2507 | Trust: 0.5 |
| db: | NVD | id: | CVE-2013-2672 | Trust: 0.5 |
| db: | NVD | id: | CVE-2013-2676 | Trust: 0.5 |
| db: | NVD | id: | CVE-2013-2671 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 121553 | Trust: 0.5 |
| db: | BID | id: | 59727 | Trust: 0.3 |
| db: | BID | id: | 59724 | Trust: 0.3 |
REFERENCES
| url: | http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html | Trust: 0.6 |
| url: | http://www.brother.com | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2674 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2676 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2507 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2673 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2675 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2671 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2670 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2672 | Trust: 0.5 |
| url: | http://www.brother-usa.com/mfc/modeldetail/4/mfc9970cdw/overview#.uyobsuqdyit | Trust: 0.3 |
| url: | http://www.brother-usa.com/mfc/modeldetail/4/mfc9970cdw/overview#.uyoaxzdi1ch | Trust: 0.3 |
SOURCES
| db: | BID | id: | 59727 |
| db: | BID | id: | 59724 |
| db: | PACKETSTORM | id: | 121553 |
LAST UPDATE DATE
2022-07-27T09:18:56.059000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 59727 | date: | 2013-05-06T00:00:00 |
| db: | BID | id: | 59724 | date: | 2013-05-06T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 59727 | date: | 2013-05-06T00:00:00 |
| db: | BID | id: | 59724 | date: | 2013-05-06T00:00:00 |
| db: | PACKETSTORM | id: | 121553 | date: | 2013-05-08T02:27:54 |