Date: Tue, 20 Aug 2013 19:11:04 +0200
From: Andrea Fabrizi <andrea.fabrizi@...il.com>
To: bugtraq@...urityfocus.com, websecurity@...appsec.org, full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com
Subject: Samsung DVR authentication bypass

**************************************************************
Title: Samsung DVR authentication bypass
Version affected: firmware version <= 1.10
Vendor: Samsung - www.samsung-security.com
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@...il.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**************************************************************

Samsung provides a wide range of DVR products, all running nearly the same firmware. The firmware is an embedded Linux system that exposes a web interface through the lighttpd web server and CGI pages.

The authenticated session is tracked using two cookies, called DATA1 and DATA2, containing respectively the base64-encoded username and password. So the first piece of advice for the developers is: don't put user credentials into cookies!

Anyway, the critical vulnerability is that in most of the CGIs the session check is done incorrectly, which allows access to protected pages simply by putting an arbitrary cookie into the HTTP request. Yes, that's all.
This vulnerability allows remote unauthenticated users to:

- Get/set/delete username/password of local users (/cgi-bin/setup_user)
- Get/set DVR/camera general configuration
- Get info about the device/storage
- Get/set the NTP server
- Get/set many other settings

Vulnerable CGIs:

- /cgi-bin/camera_privacy_area
- /cgi-bin/dev_camera
- /cgi-bin/dev_devinfo
- /cgi-bin/dev_devinfo2
- /cgi-bin/dev_hddalarm
- /cgi-bin/dev_modechange
- /cgi-bin/dev_monitor
- /cgi-bin/dev_pos
- /cgi-bin/dev_ptz
- /cgi-bin/dev_remote
- /cgi-bin/dev_spotout
- /cgi-bin/event_alarmsched
- /cgi-bin/event_motion_area
- /cgi-bin/event_motiondetect
- /cgi-bin/event_sensordetect
- /cgi-bin/event_tamper
- /cgi-bin/event_vldetect
- /cgi-bin/net_callback
- /cgi-bin/net_connmode
- /cgi-bin/net_ddns
- /cgi-bin/net_event
- /cgi-bin/net_group
- /cgi-bin/net_imagetrans
- /cgi-bin/net_recipient
- /cgi-bin/net_server
- /cgi-bin/net_snmp
- /cgi-bin/net_transprotocol
- /cgi-bin/net_user
- /cgi-bin/rec_event
- /cgi-bin/rec_eventrecduration
- /cgi-bin/rec_normal
- /cgi-bin/rec_recopt
- /cgi-bin/rec_recsched
- /cgi-bin/restart_page
- /cgi-bin/setup_admin_setup
- /cgi-bin/setup_datetimelang
- /cgi-bin/setup_group
- /cgi-bin/setup_holiday
- /cgi-bin/setup_ntp
- /cgi-bin/setup_systeminfo
- /cgi-bin/setup_user
- /cgi-bin/setup_userpwd
- /cgi-bin/webviewer

PoC exploit to list device users and passwords: http://www.andreafabrizi.it/download.php?file=samsung_dvr.py
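The two design problems the advisory names, a session check that accepts any cookie and credentials stored in the cookie itself, side by side with their fixes. This is an added illustration, not the advisory's PoC or Samsung's firmware code; the presence-only shape of the broken check, the credential store and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store (not the device's real storage): user -> PBKDF2 hash.
SALT = b"constructed-salt"

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 50_000)

USERS = {"admin": _hash_pw("constructed-password")}
ACTIVE_SESSIONS = set()  # server-side opaque session ids

def cookies_for(user: str, password: str) -> dict:
    """Build the DATA1/DATA2 pair in the base64 layout the advisory describes."""
    return {"DATA1": base64.b64encode(user.encode()).decode(),
            "DATA2": base64.b64encode(password.encode()).decode()}

def session_check_vulnerable(cookies: dict) -> bool:
    """Presence-only check (assumed shape of the flaw): any non-empty
    DATA1/DATA2 pair passes, whatever it contains."""
    return bool(cookies.get("DATA1")) and bool(cookies.get("DATA2"))

def _b64(value: str):
    """Strict base64 decode; None for anything malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def session_check_fixed(cookies: dict) -> bool:
    """Minimal fix: verify the decoded credentials, comparing hashes in constant
    time. Still keeps credentials in cookies, which the advisory rightly criticises."""
    user = _b64(cookies.get("DATA1", ""))
    password = _b64(cookies.get("DATA2", ""))
    if user is None or password is None or user not in USERS:
        return False
    return hmac.compare_digest(USERS[user], _hash_pw(password))

def login(cookies: dict):
    """Preferred design: check credentials once and hand out a random server-side
    session id, so the cookie carries no secret the CGI has to decode."""
    if not session_check_fixed(cookies):
        return None
    token = secrets.token_urlsafe(32)
    ACTIVE_SESSIONS.add(token)
    return token

def session_check_token(cookies: dict) -> bool:
    """Protected CGIs accept only a session id the server itself issued."""
    return cookies.get("SESSION", "") in ACTIVE_SESSIONS
```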