Home page logo
/

bugtraq logo Bugtraq mailing list archives

Remote Password Disclosure Vulnerability in RXS-3211 IP Camera + others
From: supernothing () spareclockcycles org
Date: 25 May 2011 08:31:16 -0000

-==Description==-
The RXS-3211 IP camera, among others, is vulnerable to remote password disclosure, which can be exploited by an 
unauthenticated attacker with a single UDP packet. The problem exists in the camera management protocol used by the 
devices, which sends the administrator password and other configuration settings in cleartext following an 
unauthenticated request.

The following UDP payload, sent to port 13364 on a vulnerable device, can exploit the issue:

\xff\xff\xff\xff\xff\xff\x00\x06\xff\xf9

It is also possible to set configuration settings on the remote device with a single unauthenticated request.

-==Mitigation==-
Block external access to UDP port 13364. 

-==Disclosure==-
Contacted Rosewill, but received no response.

-==PoCs==-
http://spareclockcycles.org/downloads/code/rxs_3211_retrievepw.rb
http://spareclockcycles.org/downloads/code/rxs-3211-retrievepw.py
http://spareclockcycles.org/downloads/code/rxs-3211-changepw.py

-==Reference==-
http://spareclockcycles.org/2011/05/23/exploiting-an-ip-camera-control-protocol/

-==Affected Devices==-
http://spareclockcycles.org/downloads/ipcam_pass_disclosure_devices.txt


  By Date           By Thread  

Current thread:
  • Remote Password Disclosure Vulnerability in RXS-3211 IP Camera + others supernothing (May 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]