bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/29266.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

54 lines
No EOL
2.7 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Stem Innovation IZON Hard-coded Credentials (CVE-2013-6236)
Mark Stanislav - mstanislav@duosecurity.com
I. DESCRIPTION
---------------------------------------
Stem Innovation's IP camera called IZON utilizes numerous hard-coded credentials within its Linux distribution and also the hidden web application running on the camera. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the camera. Further, using the web interface credentials will provide access to a camera stream and configuration details, including third-party API keys.
II. TESTED VERSION
---------------------------------------
iOS Mobile Application: 1.0.5
Camera Firmware: 2.0.2
III. PoC EXPLOIT
---------------------------------------
1) Telnet Credentials
* "root" with a password of "stemroot"
* "admin" with a password of "/ADMIN/"
* "mg3500" with a password of "merlin"
2) HTTP Credentials (http://camera-ip/mobileye/)
* "user" with a password of "user"
IV. SOLUTION
---------------------------------------
Update to the latest firmware and hope for the best.
V. REFERENCES
---------------------------------------
https://blog.duosecurity.com/2013/10/izon-ip-camera-hardcoded-passwords-and-unencrypted-data-abound/
https://securityledger.com/2013/10/apple-store-favorite-izon-cameras-riddled-with-security-holes/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6236
VI. TIMELINE
---------------------------------------
09/06/2013 - Initial vendor contact stating I wanted to discuss a variety of security issues
09/06/2013 - Vendors help desk responded and asked for clarification about my request
09/06/2013 - Responded to the vendors help desk and reaffirmed my purpose for contact
09/16/2013 - Updated my existing help desk ticket after not hearing back in 10 days
09/19/2013 - Received a response back to contact their CEO directly about these issues
09/19/2013 - E-mailed the vendors CEO with synopsis details and severity ratings for the key issues
09/30/2013 - I opened up a new help desk ticket to follow-up after not hearing from their CEO after 11 days
10/01/2013 - The new case was updated saying that their CEO was aware of my email and would respond
10/03/2013 - I received a follow-up from their CTO with no specific details about plans to fix issues
10/03/2013 - Followed-up with the CTO to ask for specific details about the issues I had found
10/14/2013 - CTO responded asking to “meet” to discuss my findings but again offered no details
10/14/2013 - Offered up time ranges for the next day that were viable to discuss my findings
10/17/2013 - Public presentation of camera research which included these issues
10/28/2013 - Still no response from vendor on confirmation of fixes or a timeline to do so
Reference in a new issue View git blame Copy permalink