CVE-2017-7588
Published 2017-04-12
Priority: P2 (72) · Critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 33.58% (98.2th percentile)
On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW, MFC-J4420DW, MFC-8710DW, MFC-J4620DW, MFC-L8850CDW, MFC-J3720, MFC-J6520DW, MFC-L2740DW, MFC-J5910DW, MFC-J6920DW, MFC-L2700DW, MFC-9130CW, MFC-9330CDW, MFC-9340CDW, MFC-J5620DW, MFC-J6720DW, MFC-L8600CDW, MFC-L9550CDW, MFC-L2720DW, DCP-L2540DW, DCP-L2520DW, HL-3140CW, HL-3170CDW, HL-3180CDW, HL-L8350CDW, HL-L2380DW, ADS-2500W, ADS-1000W, ADS-1500W.
Detection & IOCs (extracted from sources)
- Detect failed HTTP login responses from Brother device admin interfaces that nonetheless set an AuthCookie: a Set-Cookie header containing 'AuthCookie=' on a non-200 or redirect response to a login POST is a strong indicator of exploitation.
- Alert on POST requests to /general/status.html whose body contains 'loginurl=%2Fgeneral%2Fstatus.html' together with a trivially wrong password value (e.g., 'xyz'); this is the exploit's authentication-bypass trigger.
- Alert on POST requests to /admin/password.html containing the 'pageid=1' and 'temp_retypePass=' parameters, especially when accompanied by an AuthCookie that was not obtained through a successful prior login; this is the password-change step of the exploit chain.
- The AuthCookie value is the MD5 hash of the device password (ASCII hex). Any AuthCookie value observed in traffic therefore exposes the current device password to offline cracking, so the cookie itself should be treated as a credential-disclosure indicator.
- Monitor for the user-agent string 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0' in HTTP requests to Brother device admin paths, as it is hardcoded in the published PoC.
- The exploit targets the HTTP (and HTTPS) administrative web interface of affected Brother devices. The vulnerability is only exploitable if the HTTP/HTTPS interface is network-accessible; restricting network access to the device or disabling the HTTP(S) interface eliminates the attack surface.
- The bypass only works when a password is configured on the device. If no password is set, the exploit itself exits, but the device is trivially accessible in that state anyway.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.