ID

VAR-202002-0515


CVE

CVE-2013-2673


TITLE

Unauthorized authentication vulnerability in Brother MFC-9970CDW firmware L devices

Trust: 0.8

sources: JVNDB: JVNDB-2013-007164

DESCRIPTION

Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access. It may be put into a denial-of-service (DoS) state.

The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. The Brother MFC-9970CDW login page uses the auto-complete feature in the password field by default, allowing an attacker with physical access to more easily access user accounts. A remote attacker could exploit this vulnerability to obtain password information.

Brother MFC-9970CDW Printer is prone to a security-bypass weakness. An attacker with physical access can exploit this issue to gain unauthorized access to other users' accounts. Brother MFC-9970CDW 1.10 firmware L is vulnerable; other versions may also be affected.

=========================================
Brother MFC-9970CDW Firmware 0D
Date: Jan. 13, 2013
URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html
=========================================
Keywords
=========================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW
CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676
=========================================
Summary
=========================================
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.
=========================================
Overview
=========================================
Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs - making this all-in-one a smart choice for a business or workgroup.
=========================================
The Bug
=========================================
Reflected Cross Site Scripting, CWE-79
=========================================
Vulnerable Parameters = id , val, kind + Query String
Signature = "><script>alert(1)</script>
=========================================
Version Identification
=========================================
Brother MFC-9970CDW - Version Identification - Firmware "L" Version 1.10
Brother MFC-9970CDW - Version Identification - Firmware "G"
=========================================
PoC
=========================================
PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script>
=========================================
CVE Information
=========================================
CVE-2013-2507 is specific to Firmware G. XSS at:
admin/log_to_net.html id parameter
fax/copy_settings.html kind parameter

CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at:
admin/admin_main.html name of an arbitrarily assigned URL parameter

CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:
Cleartext submission of password CVE-2013-2672
Password field with autocomplete enabled CVE-2013-2673
Cross-domain Referer leakage CVE-2013-2674
Frameable response (Clickjacking) CVE-2013-2675
Private IP addresses disclosed CVE-2013-2676

CVSS 2 Score = 4.5

Timeline
Attempt contact via e-mail in January 2013.
Call the Toll Free Support Line in March 2013.
Callback from Vendor in April 2013.
E-mail sent to Vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013

Hoyt LLC Research
Public Domain Report
http://xss.cx/
=========================================
END
=========================================

Trust: 2.52

sources: NVD: CVE-2013-2673 // JVNDB: JVNDB-2013-007164 // CNVD: CNVD-2013-05293 // BID: 59727 // PACKETSTORM: 121553

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-05293

AFFECTED PRODUCTS

vendor: brother, model: mfc-9970cdw, scope: eq, version: 1.10

Trust: 1.0

vendor: brother, model: mfc-9970cdw l, scope: eq, version: 1.10

Trust: 0.9

vendor: brother industries, model: mfc-9970cdw, scope: eq, version: 1.10

Trust: 0.8

sources: CNVD: CNVD-2013-05293 // BID: 59727 // JVNDB: JVNDB-2013-007164 // NVD: CVE-2013-2673

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2673
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2013-007164
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-05293
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201305-197
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-2673
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2013-007164
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2013-05293
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2013-2673
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2013-007164
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2013-05293 // JVNDB: JVNDB-2013-007164 // CNNVD: CNNVD-201305-197 // NVD: CVE-2013-2673

PROBLEMTYPE DATA

problemtype: CWE-863

Trust: 1.8

sources: JVNDB: JVNDB-2013-007164 // NVD: CVE-2013-2673

THREAT TYPE

local

Trust: 0.9

sources: BID: 59727 // CNNVD: CNNVD-201305-197

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201305-197

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-007164

PATCH

title: MFC-9970CDW, url: https://www.brother.co.jp/product/printer/laserprinter/mfc9970cdw/index.aspx

Trust: 0.8

sources: JVNDB: JVNDB-2013-007164

EXTERNAL IDS

db: NVD, id: CVE-2013-2673

Trust: 3.4

db: BID, id: 59727

Trust: 2.5

db: PACKETSTORM, id: 121553

Trust: 2.5

db: JVNDB, id: JVNDB-2013-007164

Trust: 0.8

db: CNVD, id: CNVD-2013-05293

Trust: 0.6

db: CNNVD, id: CNNVD-201305-197

Trust: 0.6

sources: CNVD: CNVD-2013-05293 // BID: 59727 // JVNDB: JVNDB-2013-007164 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-197 // NVD: CVE-2013-2673

REFERENCES

url:http://packetstormsecurity.com/files/121553/brother-mfc-9970cdw-firmware-0d-cross-site-scripting.html

Trust: 2.4

url:https://www.securityfocus.com/bid/59727

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2013-2673

Trust: 1.5

url:http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2673

Trust: 0.8

url:http://www.brother.com

Trust: 0.3

url:http://www.brother-usa.com/mfc/modeldetail/4/mfc9970cdw/overview#.uyobsuqdyit

Trust: 0.3

url:http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>

Trust: 0.1

url:http://xss.cx/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2507

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2674

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2670

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2676

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2672

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2675

Trust: 0.1

sources: CNVD: CNVD-2013-05293 // BID: 59727 // JVNDB: JVNDB-2013-007164 // PACKETSTORM: 121553 // CNNVD: CNNVD-201305-197 // NVD: CVE-2013-2673

CREDITS

Hoyt LLC

Trust: 0.9

sources: BID: 59727 // CNNVD: CNNVD-201305-197

SOURCES

db: CNVD, id: CNVD-2013-05293
db: BID, id: 59727
db: JVNDB, id: JVNDB-2013-007164
db: PACKETSTORM, id: 121553
db: CNNVD, id: CNNVD-201305-197
db: NVD, id: CVE-2013-2673

LAST UPDATE DATE

2024-08-14T13:48:30.658000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-05293, date: 2013-05-14T00:00:00
db: BID, id: 59727, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-007164, date: 2020-02-18T00:00:00
db: CNNVD, id: CNNVD-201305-197, date: 2020-05-25T00:00:00
db: NVD, id: CVE-2013-2673, date: 2020-02-05T21:13:28.697

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-05293, date: 2013-05-14T00:00:00
db: BID, id: 59727, date: 2013-05-06T00:00:00
db: JVNDB, id: JVNDB-2013-007164, date: 2020-02-18T00:00:00
db: PACKETSTORM, id: 121553, date: 2013-05-08T02:27:54
db: CNNVD, id: CNNVD-201305-197, date: 2013-05-09T00:00:00
db: NVD, id: CVE-2013-2673, date: 2020-02-03T18:15:10.960