ID

VAR-201403-0045


CVE

CVE-2013-2670


TITLE

Brother MFC-9970CDW Cross-site scripting vulnerability in printer firmware

Trust: 0.8

sources: JVNDB: JVNDB-2013-006193

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Brother MFC-9970CDW printer with firmware G (1.03) and L (1.10) allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter name (QUERY_STRING) to admin/admin_main.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2671.

The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. The /admin/admin_main.html script included with the Brother MFC-9970CDW incorrectly filters data submitted by users to the 'signedpdf' and 'websettings' parameters, allowing remote attackers to exploit vulnerabilities for cross-site scripting attacks, to obtain sensitive information or to hijack user sessions. A remote attacker can exploit a vulnerability to gain sensitive information or hijack a user's session.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Brother MFC-9970CDW version 1.10 firmware G and firmware L are vulnerable; other versions may also be affected.

=========================================
Brother MFC-9970CDW Firmware 0D
Date: Jan. 13, 2013
URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html
=========================================
Keywords
=========================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW
CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676
=========================================
Summary
=========================================
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013.
This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.
=========================================
Overview
=========================================
Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies.

It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs – making this all-in-one a smart choice for a business or workgroup.
=========================================
The Bug
=========================================
Reflected Cross Site Scripting, CWE-79
=========================================
Vulnerable Parameters = id , val, kind + Query String
Signature = "><script>alert(1)</script>
=========================================
Version Identification
=========================================
Brother MFC-9970CDW - Version Identification - Firmware “L” Version 1.10
Brother MFC-9970CDW - Version Identification - Firmware “G”
=========================================
PoC
=========================================
PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script>
=========================================
CVE Information
=========================================
CVE-2013-2507 is specific to Firmware G.
XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter
CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:
Cleartext submission of password CVE-2013-2672
Password field with autocomplete enabled CVE-2013-2673
Cross-domain Referer leakage CVE-2013-2674
Frameable response (Clickjacking) CVE-2013-2675
Private IP addresses disclosed CVE-2013-2676

CVSS 2 Score = 4.5

Timeline
Attempt contact via e-mail in January 2013.
Call the Toll Free Support Line in March 2013.
Callback from Vendor in April 2013.
E-mail sent to Vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013

Hoyt LLC Research
Public Domain Report
http://xss.cx/
=========================================
END
=========================================

Trust: 2.61

sources: NVD: CVE-2013-2670 // JVNDB: JVNDB-2013-006193 // CNVD: CNVD-2013-05291 // BID: 59720 // VULHUB: VHN-62672 // PACKETSTORM: 121553

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-05291

AFFECTED PRODUCTS

vendor: brother, model: mfc-9970cdw, scope: eq, version: g\(1.03\)

Trust: 1.6

vendor: brother, model: mfc-9970cdw, scope: eq, version: l\(1.10\)

Trust: 1.6

vendor: brother, model: mfc-9970cdw, scope: eq, version: -

Trust: 1.0

vendor: brother, model: mfc-9970cdw l, scope: eq, version: 1.10

Trust: 0.9

vendor: brother industry, model: mfc-9970cdw, scope: -, version: -

Trust: 0.8

vendor: brother industry, model: mfc-9970cdw, scope: eq, version: g (1.03)

Trust: 0.8

vendor: brother industry, model: mfc-9970cdw, scope: eq, version: l (1.10)

Trust: 0.8

vendor: brother, model: mfc-9970cdw g, scope: eq, version: 1.10

Trust: 0.3

sources: CNVD: CNVD-2013-05291 // BID: 59720 // JVNDB: JVNDB-2013-006193 // CNNVD: CNNVD-201305-203 // NVD: CVE-2013-2670

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2670
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-2670
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-05291
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201305-203
value: MEDIUM

Trust: 0.6

VULHUB: VHN-62672
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-2670
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-05291
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-62672
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-05291 // VULHUB: VHN-62672 // JVNDB: JVNDB-2013-006193 // CNNVD: CNNVD-201305-203 // NVD: CVE-2013-2670

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-62672 // JVNDB: JVNDB-2013-006193 // NVD: CVE-2013-2670

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-203

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 121553 // CNNVD: CNNVD-201305-203

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006193

PATCH

title: Top Page, url: http://www.brother.com

Trust: 0.8

title: MFC-9970CDW, url: http://brother.jp/product/printer/mfc/mfc9970cdw/index.htm

Trust: 0.8

sources: JVNDB: JVNDB-2013-006193

EXTERNAL IDS

db: NVD, id: CVE-2013-2670

Trust: 3.5

db: PACKETSTORM, id: 121553

Trust: 2.6

db: OSVDB, id: 93068

Trust: 2.5

db: BID, id: 59720

Trust: 1.6

db: XF, id: 84095

Trust: 1.4

db: JVNDB, id: JVNDB-2013-006193

Trust: 0.8

db: CNNVD, id: CNNVD-201305-203

Trust: 0.7

db: CNVD, id: CNVD-2013-05291

Trust: 0.6

db: XF, id: 9970

Trust: 0.6

db: VULHUB, id: VHN-62672

Trust: 0.1

sources: CNVD: CNVD-2013-05291 // VULHUB: VHN-62672 // BID: 59720 // JVNDB: JVNDB-2013-006193 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-203 // NVD: CVE-2013-2670

REFERENCES

url:http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html

Trust: 2.7

url:http://packetstormsecurity.com/files/121553/brother-mfc-9970cdw-firmware-0d-cross-site-scripting.html

Trust: 2.5

url:http://osvdb.org/93068

Trust: 2.5

url:http://osvdb.org/ref/93/brother-mfc-9970cdw-firmware-g-v103-by-hoyt-03072013.html

Trust: 1.7

url:http://osvdb.org/ref/93/brother-mfc9970cdw-firmware-l-110-hoytllc-report.html

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/84095

Trust: 1.4

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/84095

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2670

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2670

Trust: 0.8

url:http://www.securityfocus.com/bid/59720

Trust: 0.6

url:http://www.brother.com

Trust: 0.3

url:http://www.brother-usa.com/mfc/modeldetail/4/mfc9970cdw/overview#.uyobsuqdyit

Trust: 0.3

url:http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>

Trust: 0.1

url:http://xss.cx/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2507

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2674

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2670

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2676

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2672

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2673

Trust: 0.1

sources: CNVD: CNVD-2013-05291 // VULHUB: VHN-62672 // BID: 59720 // JVNDB: JVNDB-2013-006193 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-203 // NVD: CVE-2013-2670

CREDITS

Hoyt LLC

Trust: 0.9

sources: BID: 59720 // CNNVD: CNNVD-201305-203

SOURCES

db: CNVD, id: CNVD-2013-05291
db: VULHUB, id: VHN-62672
db: BID, id: 59720
db: JVNDB, id: JVNDB-2013-006193
db: PACKETSTORM, id: 121553
db: CNNVD, id: CNNVD-201305-203
db: NVD, id: CVE-2013-2670

LAST UPDATE DATE

2025-04-13T23:14:54.907000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-05291, date: 2013-05-14T00:00:00
db: VULHUB, id: VHN-62672, date: 2017-08-29T00:00:00
db: BID, id: 59720, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-006193, date: 2014-03-18T00:00:00
db: CNNVD, id: CNNVD-201305-203, date: 2014-03-18T00:00:00
db: NVD, id: CVE-2013-2670, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-05291, date: 2013-05-14T00:00:00
db: VULHUB, id: VHN-62672, date: 2014-03-14T00:00:00
db: BID, id: 59720, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-006193, date: 2014-03-18T00:00:00
db: PACKETSTORM, id: 121553, date: 2013-05-08T02:27:54
db: CNNVD, id: CNNVD-201305-203, date: 2013-05-09T00:00:00
db: NVD, id: CVE-2013-2670, date: 2014-03-14T14:55:04.280