Date: Tue, 19 Dec 2017 11:39:33 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Ichano AtHome IP Cameras Multiple Vulnerabilities

SSD Advisory – Ichano AtHome IP Cameras Multiple Vulnerabilities


Full report: https://blogs.securiteam.com/index.php/archives/3576
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Ichano
IP Cameras.

AtHome Camera is “a remote video surveillance app which turns your personal
computer, smart TV/set-top box, smart phone, and tablet into a professional
video monitoring system in a minute.”

The vulnerabilities found are:

Hard-coded username and password – telnet
Hard-coded username and password – Web server
Unauthenticated Remote Code Execution

Credit
An independent security researcher, Tim Carrington, has reported these
vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We have tried to contact Ichano since November 21st 2017; repeated attempts
to establish contact went unanswered. At this time there is no solution or
workaround for these vulnerabilities.

Vulnerabilities details

Hard-coded username and password – telnet
The device runs a telnet server at startup with a default password of 123.

Hard-coded username and password – Web server
In /app/www/doc/script/login.js, in the function DoLogin(), client-side
validation is used to log in a user:

===

if($("#UserName").val()=="super_yg"){jumpPage();return}

===

A user can log in with these credentials and can then take control of the
device over HTTP:

Unauthenticated Remote Code Execution
The device runs the “noodles” binary, a service on port 1300 that allows a
remote (LAN) unauthenticated user to run arbitrary commands.

The binary accepts a set of commands that a user can run using the
following “protocol”: the command to be run is enclosed in HTML-like tags,
e.g. <system>id</system>, and a successful execution results in
<system_ack>ok</system_ack>.



--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2
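
The following is an added detection example, not part of the original advisory or of any vendor code: a passive monitor that joins TCP payloads seen on port 1300 and flags the <system>…</system> framing described above, noting whether the device answered with <system_ack>ok</system_ack>. The class and function names, the buffer cap and the sample addresses are assumptions, and the sample segments are constructed.

```python
import re
from dataclasses import dataclass
NOODLES_PORT = 1300  # service port named in the advisory
REQ_RE = re.compile(rb"<system>(.*?)</system>", re.DOTALL)          # request framing
ACK_RE = re.compile(rb"<system_ack>(.*?)</system_ack>", re.DOTALL)  # reply framing
MAX_BUF = 4096  # assumption: bytes kept per flow while waiting for a closing tag

@dataclass
class Alert:
    src: str
    dst: str
    command: str
    acked: bool = False  # True once the device answered "ok"

class NoodlesMonitor:  # hypothetical name
    def __init__(self):
        self._buf, self.alerts = {}, []

    def feed(self, src, sport, dst, dport, payload):
        """Feed one TCP payload; return alerts raised by this segment."""
        to_device = dport == NOODLES_PORT
        if not to_device and sport != NOODLES_PORT:
            return []
        client, device = (src, dst) if to_device else (dst, src)
        key = (client, device, to_device)
        data = self._buf.get(key, b"") + payload  # join split segments
        new, end = [], 0
        for m in (REQ_RE if to_device else ACK_RE).finditer(data):
            end, text = m.end(), m.group(1).decode("latin-1")
            if to_device:
                new.append(Alert(client, device, text))
            elif text == "ok":  # mark the oldest unacknowledged request
                for a in self.alerts:
                    if (a.src, a.dst) == (client, device) and not a.acked:
                        a.acked = True
                        break
        self.alerts.extend(new)
        self._buf[key] = data[end:][-MAX_BUF:]  # keep only the unparsed tail
        return new

SAMPLE = [  # constructed segments: (src, sport, dst, dport, payload)
    ("192.0.2.10", 40000, "192.0.2.50", 1300, b"<system>i"),
    ("192.0.2.10", 40000, "192.0.2.50", 1300, b"d</system>"),
    ("192.0.2.50", 1300, "192.0.2.10", 40000, b"<system_ack>ok</system_ack>"),
]

def run_sample():
    mon = NoodlesMonitor()
    return [a for seg in SAMPLE for a in mon.feed(*seg)]
```

Buffers are keyed per client/device address pair, so a sensor that sees many concurrent connections from one client should add the source port to the key.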
