| | | | _ \ _|\ \ \ / -_) | | | _` | _ \(_-< \___/_| \_/\_/\___|_|_|_|\__,_|_.__/___/ www.orwelllabs.com security advisory olsa-2016-04-01 * Adivisory Information +++++++++++++++++++++++ (+) Title: JVC Multiple Products Multiple Vulnerabilities (+) Vendor: JVC Professional Video (+) Research and Advisory: Orwelllabs (+) Adivisory URL: http://www.orwelllabs.com/2016/04/jvc-multiple-products-multiple.html (+) OLSA-ID: OLSA-2016-04-01 (+) Affected Products: JVC HDR VR-809/816, Network cameras VN-C*, VN-V*, VN-X* with firmwares 1.03 and 2.03 (+) IoT Attack Surface: Device Administrative Interface (+) Owasp IoTTop10: I1, I2 * Overview ++++++++++ I1 - 1. Multiple Cross-site Scripting I1 - 2. HTTP Header Injection I1 - 3. Multiple Cross-site Request Forgery I1 - 4. Cleartext sensitive data I1 - 5. Weak Default Credentials/Known credentials I2 - 6. Poorly Protected Credentials 1. Reflected Cross-site scripting ================================= JVC Hard Disk Recorders are prone to XSS and HTTP Header Injection[2]. (+) Affected Products: ---------------------- JVC VR-809 HDR JVC VR-816 HDR (+) Technical Details/PoCs -------------------------- (+) URL Trigger: http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment (+) Payload used [ *** XSS *** ]:

(+) affected script/path: /api/param? (+) affected parameters (video.input.COMMENT): + video.input(01).comment[ *** XSS *** ] + video.input(02).comment[ *** XSS *** ] + video.input(03).comment[ *** XSS *** ] + video.input(04).comment[ *** XSS *** ] + video.input(05).comment[ *** XSS *** ] + video.input(06).comment[ *** XSS *** ] + video.input(07).comment[ *** XSS *** ] + video.input(08).comment[ *** XSS *** ] + video.input(09).comment[ *** XSS *** ] (+) affected parameters (video.input.STATUS): + video.input(01).status[ *** XSS *** ] + video.input(02).status[ *** XSS *** ] + video.input(03).status[ *** XSS *** ] + video.input(04).status[ *** XSS *** ] + video.input(05).status[ *** XSS *** ] + video.input(06).status[ *** XSS *** ] + video.input(07).status[ *** XSS *** ] + video.input(08).status[ *** XSS *** ] + video.input(09).status[ *** XSS *** ] (+) URL Trigger: http://xxx.xxx.xxx.xxx/api/param?network.interface(01).dhcp.status[ *** XSS ***] (+) affected parameters: + interface(01).dhcp.status[ *** XSS *** ] * In fact the javascript can be triggered just requesting the '/api/param?' directly with payload, like this: (+) URL: http://xxx.xxx.xxx.xxx/api/param?[*** XSS *** ] 2. HTTP Header Injection ======================== The value of the "video.input(X).comment/status" request parameter is copied into the 'X-Response' response header. So the malicious payload submitted in the parameter generates a response with an injected HTTP header. > If you request the following URL with an Javascript Payload "[*** XSS ***]": http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment

&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://xxx.xxx.xxx.xxx/ Cookie: vrtypename=Hard%20Disk%20Recorder; vrmodelname=0rw3|||4bs Authorization: Basic YWRtaW46anZj Connection: keep-alive > And we'll get the response from the server: HTTP/1.1 200 OK Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 564 X-Response: video.input(01).comment

&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment Cache-control: no-cache Pragma: no-cache Expires: Thu, 05 May 2016 14:20:45 GMT Server: JVC VR-809/816 API Server/1.0.0 Date: Thu, 05 May 2016 14:20:45 GMT The javascript payload will be inject in X-Response response Header field 3. Multiple Cross-site Request Forgery ====================================== Multiple products from JVC are prone to CSRF. (+) Affected Products: ---------------------- The following products with firmware versions 1.03, 2.03 and early: VN-C2WU VN-C3U VN-C1U VN-C2U VN-C3WU VN-A1U VN-C10U VN-C11U VN-C655U VN-C625U VN-C205U VN-C215V4U VN-C215VP4U VN-V686U VN-V686WPU VN-V25U VN-V26U VN-X35U VN-V685U VN-V686WPBU VN-X235VPU VN-V225VPU VN-X235U VN-V225U VN-V17U VN-V217U VN-V217VPU VN-H157WPU VN-T16U VN-T216VPRU (+) Technical Details/PoCs -------------------------- > CSRF: to change 'admin' password to 'sm!thW' > CSRF: to set 'user' password to "w!nst0nSm!th" > CSRF: to reinitialize the cam 4. Cleartext sensitive data =========================== By default everything is trasmite over HTTP, including credentials. 5. Weak Default Credentials/Known credentials ============================================= The vast maiority of these devices remain with default credential admin:jvc or admin:[model-of-camera] and costumers are not obligated to change it during initial setup. 6. Poorly Protected Credentials =============================== An attacker in the same network is able to capture and decode the credentials as they aren't trasmited over HTTPs and are protected using just Base64 with Basic Authorization. > Authentication process GET /cgi-bin/x35viewing.cgi?x35ptzviewer.html HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: X35JPEGVIEWSIZE=VGA; X35JPEGDISP=OFF-OFF-OFF-OFF-1; X35JPEGSTREAM=HTTP-5-225.0.1.1-49152; X35JPEGHTTPPORT=80; X35FOLDERNAME=VN-X35; X35MPEG4VIEWSIZE=VGA; X35MPEG4DISP=OFF-OFF-OFF-1; X35MPEG4STREAM=HTTP-225.0.2.1-59152; X35MPEG4HTTPPORT=80; X35AUDIO=OFF-HTTP-225.0.3.1-39152-49298-80; X35PTZCTRL=w!nst0nSm!th Connection: keep-alive Authorization: Basic YWRtaW46anZj *Once this is related with a old bad design is possible that a large range of products are affected by reported issues. Timeline ++++++++ 2016-04-20: First attemp to contact Vendor 2016-04-22: Vendor asks for products affected/details sent 2016-04-26: Ask vendor for any news about the issues reported 2016-05-09: Until this date no response 2016-05-10: Full disclosure Legal Notices +++++++++++++ The information contained within this advisory and in any other published by our lab is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. About Orwelllabs ++++++++++++++++ Orwelllabs is an independent security research lab interested in IoT, what means embedded devices and all its components like web applications, network, mobile applications and all surface areas prone to attack. Orwelllabs aims to study, learn and produce some intelligence around this vast and confusing big picture called smart cities. We have special appreciation for devices designed to provide security to these highly technological cities, also known as Iost (Internet of Security Things ). -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf 55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN 95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965 AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK 6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30 MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37 =IZYl -----END PGP PUBLIC KEY BLOCK-----