Esqo www.esqo.com Security Advisory Advisory Name: GeoVision Digital Video Surveillance System – Multiple authentication issues Release Date: 10-05-2005 Application: GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 Platform: Microsoft Windows Severity: Sniffed credentials can be replayed or descrambled to view live and recorded CCTV footage, also unauthenticated access to still images Author: Tirath Rai Vendor Status: Vendor alerted - details below Reference: www.esqo.com/research/advisories/2005/100505-1.txt Overview: The GeoVision Digital Video Surveillance System is a PCI card based digital video surveillance range for Microsoft Windows platforms. The GeoVision system is expandable to support POS, Central Monitoring Station and License Plate Recognition Systems. The GeoVision system is in use in commercial and residential installations worldwide. Multiple issues exist revolving around poor authentication mechanisms. These issues allow sniffed authentication credentials to be reused as-is or descrambled to allow the discovery of the original password. In certain configurations still pictures from security cameras can be viewed without providing any authentication. GeoVision client software is used to view live and recorded video from a GeoVision system. These clients may be used to authenticate a user over an untrusted network, perhaps a wireless LAN in an airport lounge or coffee shop. In such an instance GeoVision credentials can be captured and replayed (or descrambled) to allow access to digital video surveillance system footage. Details: First issue - No authentication required When the GeoVision software is set to create JPEG images for use via the JPEG Image Viewer it can be seen that no authentication is required to view the JPEG images. Using GeoVisions own demonstration as an example the following URLs can be used to access images. This is true even for servers who specify that a username and password is required for authentication. In the current GeoVision demonstration only a username is required to access footage. This method works on GeoVision 6.04 or 6.1 systems which are configured to create JPEG images. It will also work on GeoVision 7 systems which are not configured with the 'Enhanced Network Security' feature. This is understood to be the default setting. http://webcam.geovision.com.tw/cam1.jpg http://webcam.geovision.com.tw/cam2.jpg ... http://GeoVision/cam[1-16].jpg Esqo was informed by GeoVision that the issue is known and that future GeoVision documentation will make this issue plain to those wishing to use the JPEG Image viewing facilty. In the version 7.0 documentation this is not made plain to the user. It is our belief that some version 7.0 installations may be vulnerable due to users not being aware of this. Second issue - Plain text authentication During the authentication phase using the live playback client it was seen that the username part of the authentication component is passed in plain text. In this partial dump taken using tcpflow the username is seen to be 'gvUser'. Here is a partial network dump of an authentication attempt - --------------------- Network traffic sniffer --------------------- 192.168.105.136:01187-192.168.105.130:00514: .... 192.168.105.130:04550-192.168.105.136:01186: RDY. 192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser. 192.168.105.130:04550-192.168.105.136:01186: ... 192.168.105.136:01186-192.168.105.130:04550: 2. ------------------------------------------------------------------- This testing was performed with GeoVision 6.04, 6.1 and 7.0. Version 7.0 was tested with the 'Enhanced Network Security' feature off, this is understood to be the default. Our research shows that a simple transformation of the password based on hex values for ASCII characters is used to scramble the password. This scrambling is simple to do in reverse, as seen in the example below. Sniff from network - this dump is interpreted with tcpflow. --------------------- Network traffic sniffer --------------------- 192.168.105.130:04550-192.168.105.136:01186: RDY. 192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser. 192.168.105.130:04550-192.168.105.136:01186: ... ------------------------------------------------------------------- Here we see the username 'gvUser', still in plain text and the scrambled password '7d6a6666636e'. In order to go to the from the scrambled string to the original password a few simple steps are performed. Split the string into pairs of hex strings 0x7d 0x6a 0x66 0x66 0x63 0x6e Each pair represents one character in the original password, so this scrambled string is for a password of 6 characters Iterate through the pairs subtracting a number from each pair starting with 0x6, for the first character as there are 6 characters in this password. 0x7d - 0x6 = 77 0x6a - 0x5 = 65 0x66 - 0x4 = 62 0x66 - 0x3 = 63 0x63 - 0x2 = 61 0x6e - 0x1 = 6d Then use an ASCII table to translate into characters 0x77 = w 0x65 = e 0x62 = b 0x63 = c 0x61 = a 0x6d = m So the original password was 'webcam'. This issue is encountered for all the authentication options below- Mpeg4 Encoder Viewer 56kMpegView0.htm LanMpegView0.htm MultiView.htm Remote Play Back PlayBackX.htm Emap Emap.htm For the JPEG Image Viewer (JPGLogin.htm) the authentication credentials are passed using the HTTP POST method completely in plain text. Scrambling is not used - see below. --------------------- Network traffic sniffer --------------------- 192.168.105.130:34707-192.168.105.136:80 POST /password HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, */* Referer: http://192.168.105.136/JPGLogin.htm Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 192.168.1.5 Content-Length: 37 Connection: Keep-Alive Cache-Control: no-cache id=gvUser&pwd=webcam&send=Submit ------------------------------------------------------------------- Here the id= value is the username and the pwd= value is the password. Vendor Response: After Esqo initially notified GeoVision in Dec 2004 the issues were explained and received due care and attention. The issues were first noticed on version 6.04 they were confirmed on version 6.1. We were informed that version 7 would include strong authentication in order to resolve these issues. GeoVision version 7 was released in April 2005. Upon testing this new release the issues are still seen though they can be mitigated by using a newly added 'Enhanced Network Security' feature. It is understood that the 'Enhanced Network Security' feature is not enabled by default. Recommendation: If you have a pre version 7.0 GeoVision installation it is recommended to authenticate only over trusted or private networks. If you have a version 7.0 GeoVision system it is advised to enable the 'Enhanced Network Security' feature, newly introduced in version 7.0. This feature is said to utilize RSA encryption. GeoVision version 7.0 documentation does not inform system administrators of the risks they face if they do not enable the new 'Enhanced Network Security' feature. Company Information Esqo is a UK based IT security firm with worldwide reach, we have performed successful engagements across the UK, Mainland Europe and the Middle East. Esqo provides a range of E-risk identification and management services. We strive to minimize exposure to risks while maximizing the business benefits of IT systems. Esqo has been retained by TACGuard (www.tacguard.com) as its lead IT security partner. TACGuard is a UK based digital CCTV specialist. Together we aimed to verify the GeoVision system before it was deployed by TACGuard in commercial installations. It was during this collaboration that these issues were discovered. This advisory is created in accordance with the Full Disclosure Policy (RFPolicy) v2.0 available at http://www.wiretrip.net/rfp/policy.html Copyright (c) 2005 Esqo. All rights reserved worldwide. -- Tirath Rai Principal Security Engineer Esqo Infrastructure and Web Application Security