[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42800BB7.5060209@esqo.com>
Date: Tue, 10 May 2005 01:17:43 +0000
From: Tirath Rai <tirath@...o.com>
To: bugtraq@...urityfocus.com
Subject: Esqo advisory: GeoVision Digital Video Surveillance System - Multiple
authentication issues
Esqo
www.esqo.com
Security Advisory
Advisory Name: GeoVision Digital Video Surveillance System – Multiple
authentication issues
Release Date: 10-05-2005
Application: GeoVision Digital Video Surveillance System 6.04, 6.1
and 7.0
Platform: Microsoft Windows
Severity: Sniffed credentials can be replayed or descrambled to
view live and recorded CCTV footage, also
unauthenticated access to still images
Author: Tirath Rai <tirath.rai@...o.com>
Vendor Status: Vendor alerted - details below
Reference: www.esqo.com/research/advisories/2005/100505-1.txt
Overview:
The GeoVision Digital Video Surveillance System is a PCI card based
digital video surveillance range for Microsoft Windows platforms. The
GeoVision system is expandable to support POS, Central Monitoring
Station and License Plate Recognition Systems. The GeoVision system is
in use in commercial and residential installations worldwide.
Multiple issues exist revolving around poor authentication mechanisms.
These issues allow sniffed authentication credentials to be reused as-is
or descrambled to allow the discovery of the original password. In
certain configurations still pictures from security cameras can be
viewed without providing any authentication.
GeoVision client software is used to view live and recorded video from a
GeoVision system. These clients may be used to authenticate a user over
an untrusted network, perhaps a wireless LAN in an airport lounge or
coffee shop. In such an instance GeoVision credentials can be captured
and replayed (or descrambled) to allow access to digital video
surveillance system footage.
Details:
First issue - No authentication required
When the GeoVision software is set to create JPEG images for use via the
JPEG Image Viewer it can be seen that no authentication is required to
view the JPEG images.
Using GeoVisions own demonstration as an example the following URLs can
be used to access images. This is true even for servers who specify that
a username and password is required for authentication. In the current
GeoVision demonstration only a username is required to access footage.
This method works on GeoVision 6.04 or 6.1 systems which are configured
to create JPEG images. It will also work on GeoVision 7 systems which
are not configured with the 'Enhanced Network Security' feature. This is
understood to be the default setting.
http://webcam.geovision.com.tw/cam1.jpg
http://webcam.geovision.com.tw/cam2.jpg
...
http://GeoVision/cam[1-16].jpg
Esqo was informed by GeoVision that the issue is known and that future
GeoVision documentation will make this issue plain to those wishing to
use the JPEG Image viewing facilty. In the version 7.0 documentation
this is not made plain to the user. It is our belief that some version
7.0 installations may be vulnerable due to users not being aware of
this.
Second issue - Plain text authentication
During the authentication phase using the live playback client it was
seen that the username part of the authentication component is passed in
plain text. In this partial dump taken using tcpflow the username is
seen to be 'gvUser'.
Here is a partial network dump of an authentication attempt -
--------------------- Network traffic sniffer ---------------------
192.168.105.136:01187-192.168.105.130:00514: ....
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
192.168.105.136:01186-192.168.105.130:04550: 2.
-------------------------------------------------------------------
This testing was performed with GeoVision 6.04, 6.1 and 7.0. Version 7.0
was tested with the 'Enhanced Network Security' feature off, this is
understood to be the default.
Our research shows that a simple transformation of the password based on
hex values for ASCII characters is used to scramble the password. This
scrambling is simple to do in reverse, as seen in the example below.
Sniff from network - this dump is interpreted with tcpflow.
--------------------- Network traffic sniffer ---------------------
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
-------------------------------------------------------------------
Here we see the username 'gvUser', still in plain text and the scrambled
password '7d6a6666636e'. In order to go to the from the scrambled string
to the original password a few simple steps are performed.
Split the string into pairs of hex strings
0x7d
0x6a
0x66
0x66
0x63
0x6e
Each pair represents one character in the original password, so this
scrambled string is for a password of 6 characters
Iterate through the pairs subtracting a number from each pair starting
with 0x6, for the first character as there are 6 characters in this
password.
0x7d - 0x6 = 77
0x6a - 0x5 = 65
0x66 - 0x4 = 62
0x66 - 0x3 = 63
0x63 - 0x2 = 61
0x6e - 0x1 = 6d
Then use an ASCII table to translate into characters
0x77 = w
0x65 = e
0x62 = b
0x63 = c
0x61 = a
0x6d = m
So the original password was 'webcam'.
This issue is encountered for all the authentication options below-
Mpeg4 Encoder Viewer
56kMpegView0.htm
LanMpegView0.htm
MultiView.htm
Remote Play Back
PlayBackX.htm
Emap
Emap.htm
For the JPEG Image Viewer (JPGLogin.htm) the authentication credentials
are passed using the HTTP POST method completely in plain text.
Scrambling is not used - see below.
--------------------- Network traffic sniffer ---------------------
192.168.105.130:34707-192.168.105.136:80 POST /password HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.105.136/JPGLogin.htm
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 192.168.1.5
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache
id=gvUser&pwd=webcam&send=Submit
-------------------------------------------------------------------
Here the id= value is the username and the pwd= value is the
password.
Vendor Response:
After Esqo initially notified GeoVision in Dec 2004 the issues were
explained and received due care and attention. The issues were first
noticed on version 6.04 they were confirmed on version 6.1.
We were informed that version 7 would include strong authentication in
order to resolve these issues. GeoVision version 7 was released in April
2005. Upon testing this new release the issues are still seen though
they can be mitigated by using a newly added 'Enhanced Network Security'
feature. It is understood that the 'Enhanced Network Security' feature
is not enabled by default.
Recommendation:
If you have a pre version 7.0 GeoVision installation it is recommended
to authenticate only over trusted or private networks. If you have a
version 7.0 GeoVision system it is advised to enable the 'Enhanced
Network Security' feature, newly introduced in version 7.0. This feature
is said to utilize RSA encryption. GeoVision version 7.0 documentation
does not inform system administrators of the risks they face if they do
not enable the new 'Enhanced Network Security' feature.
Company Information
Esqo is a UK based IT security firm with worldwide reach, we have
performed successful engagements across the UK, Mainland Europe and the
Middle East. Esqo provides a range of E-risk identification and
management services. We strive to minimize exposure to risks while
maximizing the business benefits of IT systems.
Esqo has been retained by TACGuard (www.tacguard.com) as its lead IT
security partner. TACGuard is a UK based digital CCTV specialist.
Together we aimed to verify the GeoVision system before it was deployed
by TACGuard in commercial installations. It was during this
collaboration that these issues were discovered.
This advisory is created in accordance with the Full Disclosure
Policy (RFPolicy) v2.0 available at
http://www.wiretrip.net/rfp/policy.html
Copyright (c) 2005 Esqo. All rights reserved worldwide.
--
Tirath Rai
Principal Security Engineer
Esqo
Infrastructure and Web Application Security
Powered by blists - more mailing lists