[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Remote Password Disclosure Vulnerability in RXS-3211 IP Camera + others
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Remote Password Disclosure Vulnerability in RXS-3211 IP Camera + others
- From: supernothing@xxxxxxxxxxxxxxxxxxxx
- Date: 25 May 2011 08:31:16 -0000
-==Description==-
The RXS-3211 IP camera, among others, is vulnerable to remote password
disclosure, which can be exploited by an unauthenticated attacker with a single
UDP packet. The problem exists in the camera management protocol used by the
devices, which sends the administrator password and other configuration
settings in cleartext following an unauthenticated request.
The following UDP payload, sent to port 13364 on a vulnerable device, can
exploit the issue:
\xff\xff\xff\xff\xff\xff\x00\x06\xff\xf9
It is also possible to set configuration settings on the remote device with a
single unauthenticated request.
-==Mitigation==-
Block external access to UDP port 13364.
-==Disclosure==-
Contacted Rosewill, but received no response.
-==PoCs==-
http://spareclockcycles.org/downloads/code/rxs_3211_retrievepw.rb
http://spareclockcycles.org/downloads/code/rxs-3211-retrievepw.py
http://spareclockcycles.org/downloads/code/rxs-3211-changepw.py
-==Reference==-
http://spareclockcycles.org/2011/05/23/exploiting-an-ip-camera-control-protocol/
-==Affected Devices==-
http://spareclockcycles.org/downloads/ipcam_pass_disclosure_devices.txt