CVE-2017-7588
published 2017-04-12


Priority: P272 · CVSS 3.0: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H · Exploit: available · EPSS: 33.58% (98.2th percentile)
On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW, MFC-J4420DW, MFC-8710DW, MFC-J4620DW, MFC-L8850CDW, MFC-J3720, MFC-J6520DW, MFC-L2740DW, MFC-J5910DW, MFC-J6920DW, MFC-L2700DW, MFC-9130CW, MFC-9330CDW, MFC-9340CDW, MFC-J5620DW, MFC-J6720DW, MFC-L8600CDW, MFC-L9550CDW, MFC-L2720DW, DCP-L2540DW, DCP-L2520DW, HL-3140CW, HL-3170CDW, HL-3180CDW, HL-L8350CDW, HL-L2380DW, ADS-2500W, ADS-1000W, ADS-1500W.

Detection & IOCs (extracted from sources)

cookie: AuthCookie=c243a9ee18a9327bfd419f31e75e71c7
path: /admin/password.html
path: /general/status.html
command: POST /general/status.html with body: <log_var>=xyz&loginurl=%2Fgeneral%2Fstatus.html
command: POST /admin/password.html with body: pageid=1&<pwd_var>=<newpass>&temp_retypePass=<newpass>
  • Detect failed HTTP login responses to Brother device admin interfaces that nonetheless set an AuthCookie header — a Set-Cookie response containing 'AuthCookie=' on a non-200 or redirect response to a login POST is a strong indicator of exploitation.
  • Alert on POST requests to /general/status.html with a body containing 'loginurl=%2Fgeneral%2Fstatus.html' and a trivially wrong password value (e.g., 'xyz'), which is the exploit's authentication-bypass trigger.
  • Alert on POST requests to /admin/password.html containing 'pageid=1' and 'temp_retypePass=' parameters, especially when accompanied by an AuthCookie obtained without a successful prior login — this is the password-change step of the exploit chain.
  • The AuthCookie value is the MD5 hash of the device password (ASCII hex). Detecting an AuthCookie value in traffic allows offline cracking of the current device password.
  • Monitor for the exploit's characteristic user-agent string 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0' in HTTP requests to Brother device admin paths, as it is hardcoded in the published PoC.
  • The exploit targets the HTTP (and HTTPS) administrative web interface of affected Brother devices. The vulnerability is only exploitable if the HTTP/HTTPS interface is network-accessible; restricting network access to the device or disabling the HTTP(S) interface eliminates the attack surface.
  • The bypass only works when a password IS configured on the device. If no password is set, the exploit itself exits, but the device would be trivially accessible anyway.
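The first three detection bullets above, turned into runnable logic over constructed HTTP request/response records (added here as an example; not from the advisory or any Brother tooling). It assumes the login password field is named `pass` (the page shows it only as `<log_var>`) and that a legitimate login is a login POST answered with status 200 plus an AuthCookie; the transaction records and cookie values are constructed sample data.

```python
import re
from urllib.parse import parse_qs

AUTHCOOKIE_RE = re.compile(r"AuthCookie=([0-9a-f]{32})", re.I)

# Constructed sample request/response pairs (not real traffic; cookie values are made up).
SAMPLE_TX = [
    {"method": "POST", "path": "/general/status.html", "status": 302,   # junk password, yet cookie set
     "body": "pass=xyz&loginurl=%2Fgeneral%2Fstatus.html", "cookie": "",
     "set_cookie": "AuthCookie=0123456789abcdef0123456789abcdef; path=/"},
    {"method": "POST", "path": "/admin/password.html", "status": 200,   # password change with that cookie
     "body": "pageid=1&pass=newpass&temp_retypePass=newpass",
     "cookie": "AuthCookie=0123456789abcdef0123456789abcdef", "set_cookie": ""},
    {"method": "POST", "path": "/general/status.html", "status": 200,   # benign: successful login
     "body": "pass=correct&loginurl=%2Fgeneral%2Fstatus.html", "cookie": "",
     "set_cookie": "AuthCookie=fedcba9876543210fedcba9876543210; path=/"},
    {"method": "POST", "path": "/admin/password.html", "status": 200,   # benign: change with issued cookie
     "body": "pageid=1&pass=other&temp_retypePass=other",
     "cookie": "AuthCookie=fedcba9876543210fedcba9876543210", "set_cookie": ""},
]

def classify(tx):
    """Alerts derivable from one request/response pair on its own."""
    alerts = []
    params = parse_qs(tx["body"])
    issued = AUTHCOOKIE_RE.search(tx["set_cookie"])
    if tx["method"] == "POST" and "loginurl" in params and issued and tx["status"] != 200:
        alerts.append("authcookie_on_failed_login")   # the bypass itself: cookie on a failed login
    if (tx["method"] == "POST" and tx["path"] == "/admin/password.html"
            and params.get("pageid") == ["1"] and "temp_retypePass" in params):
        alerts.append("admin_password_change")        # second step of the exploit chain
    return alerts

def scan(transactions):
    """Walk pairs in order; remember cookies issued by a 200 login and escalate changes using any other cookie."""
    issued_ok, findings = set(), []
    for i, tx in enumerate(transactions):
        alerts = classify(tx)
        m = AUTHCOOKIE_RE.search(tx["set_cookie"])
        if m and tx["status"] == 200 and "loginurl" in parse_qs(tx["body"]):
            issued_ok.add(m.group(1).lower())          # cookie handed out by a successful login
        if "admin_password_change" in alerts:
            c = AUTHCOOKIE_RE.search(tx["cookie"])
            if c is None or c.group(1).lower() not in issued_ok:
                alerts.append("password_change_with_unissued_cookie")
        if alerts:
            findings.append((i, alerts))
    return findings
```

Running `scan(SAMPLE_TX)` flags the first two records (bypass, then password change with a cookie no successful login issued) and reports the fourth only as a routine password change.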

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C