Brother MFC-L9570CDW
cpe:2.3:h:brother:mfc-l9570cdw:*:*:*:*:*:*:*
A stack-based buffer overflow vulnerability has been identified in certain Brother multifunction printers, scanners, and label makers. This vulnerability allows an authenticated attacker to overwrite the return address of a function, potentially leading to arbitrary code execution. The issue arises when the device's HTTP, HTTPS, or IPP services receive a malformed request with an empty Origin header and a Referer header containing a host value longer than 64 bytes. The vulnerability is present in 689 models across Brother's range of devices, as well as 46 models from FUJIFILM Business Innovation, 5 models from Ricoh, and 2 models from Toshiba Tec Corporation.
Successful exploitation overwrites a function's saved return address on the stack, which is typically a precursor to arbitrary code execution on the device.
To reproduce this vulnerability, an authenticated attacker must send a POST request to the /boc/boc.html endpoint. The request must include a valid CSRF token, an empty Origin header, and a Referer header with a host value that exceeds 64 bytes. This can be done by first exploiting the authentication bypass vulnerability (CVE-2024-51978) to gain access to the device with default administrator privileges. Once authenticated, the attacker can leak the CSRF token and then craft the malicious request to trigger the buffer overflow.
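The trigger conditions above (POST to /boc/boc.html, an Origin header that is present but empty, a Referer whose host part exceeds 64 bytes) can be turned into a request-inspection rule for a reverse proxy, WAF or IDS in front of the device. The following is an added example, not code from the advisory or from Brother; the request samples are constructed test input, and the printer hostname is a placeholder.

```python
from urllib.parse import urlsplit

MAX_REFERER_HOST = 64          # advisory: a Referer host longer than 64 bytes overflows the stack buffer
TARGET_PATH = "/boc/boc.html"  # endpoint named in the advisory


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def referer_host_len(referer: str) -> int:
    """Byte length of the host portion of a Referer URL (0 if it has none)."""
    host = urlsplit(referer).hostname or ""
    return len(host.encode("utf-8"))


def is_referer_overflow_trigger(raw: str) -> bool:
    """True when a request matches all three conditions the advisory describes."""
    method, path, h = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    # The condition is an Origin header that is present and empty, not a missing one.
    if "origin" not in h or h["origin"] != "":
        return False
    return referer_host_len(h.get("referer", "")) > MAX_REFERER_HOST


# Constructed samples for testing the rule (placeholder host, not captured traffic).
LONG_HOST = "a" * 70
MALFORMED = ("POST /boc/boc.html HTTP/1.1\r\nHost: printer.example\r\nOrigin: \r\n"
             f"Referer: http://{LONG_HOST}/boc/boc.html\r\nContent-Length: 0\r\n\r\n")
BENIGN = ("POST /boc/boc.html HTTP/1.1\r\nHost: printer.example\r\n"
          "Origin: http://printer.example\r\nReferer: http://printer.example/boc/boc.html\r\n"
          "Content-Length: 0\r\n\r\n")
# Long Referer host but Origin non-empty: does not match the advisory's shape.
LONG_BUT_ORIGIN_SET = MALFORMED.replace("Origin: \r\n", "Origin: http://printer.example\r\n")


def scan(requests):
    """Return the indexes of requests that match the rule."""
    return [i for i, r in enumerate(requests) if is_referer_overflow_trigger(r)]


if __name__ == "__main__":
    print("flagged:", scan([MALFORMED, BENIGN, LONG_BUT_ORIGIN_SET]))
```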
Brother has released firmware updates for this vulnerability. Users should check the Brother website for the latest firmware version, install the update, and change the default administrator password via the Web Based Management interface.