ID

VAR-201403-0065


CVE

CVE-2013-2507


TITLE

Brother MFC-9970CDW Cross-site scripting vulnerability in printer firmware

Trust: 0.8

sources: JVNDB: JVNDB-2013-006192

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671. The Brother MFC-9970CDW printer firmware contains a cross-site scripting vulnerability. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. A remote attacker can exploit a vulnerability to gain sensitive information or hijack a user's session. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

=========================================
Brother MFC-9970CDW Firmware 0D
Date: Jan. 13, 2013
URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html
=========================================
Keywords
=========================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW
CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676
=========================================
Summary
=========================================
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.
=========================================
Overview
=========================================
Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs – making this all-in-one a smart choice for a business or workgroup.
=========================================
The Bug
=========================================
Reflected Cross Site Scripting, CWE-79
=========================================
Vulnerable Parameters = id, val, kind + Query String
Signature = "><script>alert(1)</script>
=========================================
Version Identification
=========================================
Brother MFC-9970CDW - Version Identification - Firmware “L” Version 1.10
Brother MFC-9970CDW - Version Identification - Firmware “G”
=========================================
PoC
=========================================
PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script>
=========================================
CVE Information
=========================================
CVE-2013-2507 is specific to Firmware G. XSS at:
  admin/log_to_net.html id parameter
  fax/copy_settings.html kind parameter
CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at:
  admin/admin_main.html name of an arbitrarily assigned URL parameter
CVE-2013-2671 is for the XSS issues that are only present in Firmware L.
CVEs for Firmware L:
  Cleartext submission of password CVE-2013-2672
  Password field with autocomplete enabled CVE-2013-2673
  Cross-domain Referer leakage CVE-2013-2674
  Frameable response (Clickjacking) CVE-2013-2675
  Private IP addresses disclosed CVE-2013-2676
CVSS 2 Score = 4.5

Timeline
Attempt contact via e-mail in January 2013.
Call the Toll Free Support Line in March 2013.
Callback from Vendor in April 2013.
E-mail sent to Vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013

Hoyt LLC Research
Public Domain Report
http://xss.cx/
=========================================
END
=========================================

Trust: 2.61

sources: NVD: CVE-2013-2507 // JVNDB: JVNDB-2013-006192 // CNVD: CNVD-2013-05290 // BID: 59719 // VULHUB: VHN-62509 // PACKETSTORM: 121553

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-05290

AFFECTED PRODUCTS

vendor: brother, model: mfc-9970cdw, scope: eq, version: g (1.03)

Trust: 1.6

vendor: brother, model: mfc-9970cdw, scope: eq, version: -

Trust: 1.0

vendor: brother industry, model: mfc-9970cdw, scope: -, version: -

Trust: 0.8

vendor: brother industry, model: mfc-9970cdw, scope: eq, version: g (1.03)

Trust: 0.8

vendor: brother, model: mfc-9970cdw l, scope: eq, version: 1.10

Trust: 0.6

vendor: brother, model: mfc-9970cdw frimware g, scope: -, version: -

Trust: 0.3

sources: CNVD: CNVD-2013-05290 // BID: 59719 // JVNDB: JVNDB-2013-006192 // CNNVD: CNNVD-201305-204 // NVD: CVE-2013-2507

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2507
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-2507
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-05290
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201305-204
value: MEDIUM

Trust: 0.6

VULHUB: VHN-62509
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-2507
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-05290
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-62509
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-05290 // VULHUB: VHN-62509 // JVNDB: JVNDB-2013-006192 // CNNVD: CNNVD-201305-204 // NVD: CVE-2013-2507

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-62509 // JVNDB: JVNDB-2013-006192 // NVD: CVE-2013-2507

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-204

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 121553 // CNNVD: CNNVD-201305-204

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006192

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-62509

PATCH

title: Top Page, url: http://brother.jp/product/printer/mfc/mfc9970cdw/index.htm

Trust: 1.6

sources: JVNDB: JVNDB-2013-006192

EXTERNAL IDS

db: NVD, id: CVE-2013-2507

Trust: 3.5

db: PACKETSTORM, id: 121553

Trust: 2.6

db: OSVDB, id: 93066

Trust: 2.5

db: OSVDB, id: 93067

Trust: 2.5

db: BID, id: 59719

Trust: 1.6

db: XF, id: 84096

Trust: 1.4

db: JVNDB, id: JVNDB-2013-006192

Trust: 0.8

db: CNNVD, id: CNNVD-201305-204

Trust: 0.7

db: CNVD, id: CNVD-2013-05290

Trust: 0.6

db: XF, id: 9970

Trust: 0.6

db: VULHUB, id: VHN-62509

Trust: 0.1

sources: CNVD: CNVD-2013-05290 // VULHUB: VHN-62509 // BID: 59719 // JVNDB: JVNDB-2013-006192 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-204 // NVD: CVE-2013-2507

REFERENCES

url:http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html

Trust: 2.7

url:http://packetstormsecurity.com/files/121553/brother-mfc-9970cdw-firmware-0d-cross-site-scripting.html

Trust: 2.5

url:http://osvdb.org/93066

Trust: 2.5

url:http://osvdb.org/93067

Trust: 2.5

url:http://osvdb.org/ref/93/brother-mfc-9970cdw-firmware-g-v103-by-hoyt-03072013.html

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/84096

Trust: 1.4

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/84096

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2507

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2507

Trust: 0.8

url:http://www.securityfocus.com/bid/59719

Trust: 0.6

url:http://www.brother.com

Trust: 0.3

url:http://www.brother-usa.com/mfc/modeldetail/4/mfc9970cdw/overview#.uyoaxzdi1ch

Trust: 0.3

url:http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>

Trust: 0.1

url:http://xss.cx/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2507

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2674

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2670

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2676

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2672

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2673

Trust: 0.1

sources: CNVD: CNVD-2013-05290 // VULHUB: VHN-62509 // BID: 59719 // JVNDB: JVNDB-2013-006192 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-204 // NVD: CVE-2013-2507

CREDITS

Hoyt LLC Research

Trust: 0.9

sources: BID: 59719 // CNNVD: CNNVD-201305-204

SOURCES

db: CNVD, id: CNVD-2013-05290
db: VULHUB, id: VHN-62509
db: BID, id: 59719
db: JVNDB, id: JVNDB-2013-006192
db: PACKETSTORM, id: 121553
db: CNNVD, id: CNNVD-201305-204
db: NVD, id: CVE-2013-2507

LAST UPDATE DATE

2025-04-13T23:14:54.868000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-05290, date: 2013-05-14T00:00:00
db: VULHUB, id: VHN-62509, date: 2017-08-29T00:00:00
db: BID, id: 59719, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-006192, date: 2014-03-18T00:00:00
db: CNNVD, id: CNNVD-201305-204, date: 2014-03-18T00:00:00
db: NVD, id: CVE-2013-2507, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-05290, date: 2013-05-14T00:00:00
db: VULHUB, id: VHN-62509, date: 2014-03-14T00:00:00
db: BID, id: 59719, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-006192, date: 2014-03-18T00:00:00
db: PACKETSTORM, id: 121553, date: 2013-05-08T02:27:54
db: CNNVD, id: CNNVD-201305-204, date: 2013-05-09T00:00:00
db: NVD, id: CVE-2013-2507, date: 2014-03-14T14:55:04.250