Untitled

a guest, Aug 6th, 2019
  1. > [Suggested description]
  2. > An issue was discovered on MicroDigital N-series cameras with firmware
  3. > through 6400.0.8.5. In a CGI program running under the HTTPD web
  4. > server, a buffer overflow in the param parameter leads to remote code
  5. > execution in the context of the nobody account.
  6. >
  7. > ------------------------------------------
  8. >
  9. > [Additional Information]
  10. > 1. Company is not in the MITRE's list
  11. > 2. Have exploitation screenshots as a PoC
  12. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  13. >
  14. > ------------------------------------------
  15. >
  16. > [Vulnerability Type]
  17. > Buffer Overflow
  18. >
  19. > ------------------------------------------
  20. >
  21. > [Vendor of Product]
  22. > MicroDigital
  23. >
  24. > ------------------------------------------
  25. >
  26. > [Affected Product Code Base]
  27. > All of N-series cameras - up to 6400.0.8.5 (including)
  28. >
  29. > ------------------------------------------
  30. >
  31. > [Affected Component]
  32. > Executable CGI-file running at HTTPD webserver
  33. >
  34. > ------------------------------------------
  35. >
  36. > [Attack Type]
  37. > Remote
  38. >
  39. > ------------------------------------------
  40. >
  41. > [Impact Code execution]
  42. > true
  43. >
  44. > ------------------------------------------
  45. >
  46. > [Impact Denial of Service]
  47. > true
  48. >
  49. > ------------------------------------------
  50. >
  51. > [Impact Escalation of Privileges]
  52. > true
  53. >
  54. > ------------------------------------------
  55. >
  56. > [Impact Information Disclosure]
  57. > true
  58. >
  59. > ------------------------------------------
  60. >
  61. > [Attack Vectors]
  62. > Attacker can exploit buffer overflow in "param" parameter for system remote code execution from user "nobody".
  63. >
  64. > ------------------------------------------
  65. >
  66. > [Reference]
  67. > https://www.microdigital.ru/
  68. > http://www.microdigital.co.kr/
  69. >
  70. > ------------------------------------------
  71. >
  72. > [Has vendor confirmed or acknowledged the vulnerability?]
  73. > true
  74. >
  75. > ------------------------------------------
  76. >
  77. > [Discoverer]
  78. > Shaposhnikov Ilya
  79.  
  80. Use CVE-2019-14698.
  81.  
  82.  
  83. > [Suggested description]
  84. > An issue was discovered on MicroDigital N-series cameras with firmware
  85. > through 6400.0.8.5. An attacker can exploit OS Command Injection in
  86. > the filename parameter for remote code execution as root. This occurs
  87. > in the Mainproc executable file, which can be run from the HTTPD web
  88. > server.
  89. >
  90. > ------------------------------------------
  91. >
  92. > [Additional Information]
  93. > 1. Company is not in the MITRE's list
  94. > 2. Have exploitation screenshots as a PoC
  95. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  96. >
  97. > ------------------------------------------
  98. >
  99. > [VulnerabilityType Other]
  100. > OS Command Injection
  101. >
  102. > ------------------------------------------
  103. >
  104. > [Vendor of Product]
  105. > MicroDigital
  106. >
  107. > ------------------------------------------
  108. >
  109. > [Affected Product Code Base]
  110. > All of N-series cameras - up to 6400.0.8.5 (including)
  111. >
  112. > ------------------------------------------
  113. >
  114. > [Affected Component]
  115. > "Mainproc" executable file which can be run from HTTPD web server.
  116. >
  117. > ------------------------------------------
  118. >
  119. > [Attack Type]
  120. > Remote
  121. >
  122. > ------------------------------------------
  123. >
  124. > [Impact Code execution]
  125. > true
  126. >
  127. > ------------------------------------------
  128. >
  129. > [Impact Denial of Service]
  130. > true
  131. >
  132. > ------------------------------------------
  133. >
  134. > [Impact Escalation of Privileges]
  135. > true
  136. >
  137. > ------------------------------------------
  138. >
  139. > [Impact Information Disclosure]
  140. > true
  141. >
  142. > ------------------------------------------
  143. >
  144. > [Attack Vectors]
  145. > Attacker can send a request to the camera web server with the parameter "filename" with an OS command injected into it, and this command will be run as the root user.
  146. >
  147. > ------------------------------------------
  148. >
  149. > [Reference]
  150. > https://www.microdigital.ru/
  151. > http://www.microdigital.co.kr/
  152. >
  153. > ------------------------------------------
  154. >
  155. > [Has vendor confirmed or acknowledged the vulnerability?]
  156. > true
  157. >
  158. > ------------------------------------------
  159. >
  160. > [Discoverer]
  161. > Shaposhnikov Ilya
  162.  
  163. Use CVE-2019-14699.
  164.  
  165.  
  166. > [Suggested description]
  167. > An issue was discovered on MicroDigital N-series cameras with firmware
  168. > through 6400.0.8.5. There is disclosure of the existence of arbitrary
  169. > files via Path Traversal in HTTPD. This occurs because the filename
  170. > specified in the TZ parameter is accessed with a substantial delay if
  171. > that file exists.
  172. >
  173. > ------------------------------------------
  174. >
  175. > [Additional Information]
  176. > 1. Company is not in the MITRE's list
  177. > 2. Have exploitation screenshots as a PoC
  178. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  179. >
  180. > ------------------------------------------
  181. >
  182. > [Vulnerability Type]
  183. > Directory Traversal
  184. >
  185. > ------------------------------------------
  186. >
  187. > [VulnerabilityType Other]
  188. > Relative Path Traversal
  189. >
  190. > ------------------------------------------
  191. >
  192. > [Vendor of Product]
  193. > MicroDigital
  194. >
  195. > ------------------------------------------
  196. >
  197. > [Affected Product Code Base]
  198. > All of N-series cameras - up to 6400.0.8.5 (including)
  199. >
  200. > ------------------------------------------
  201. >
  202. > [Affected Component]
  203. > HTTPD web server of camera at 80 port.
  204. >
  205. > ------------------------------------------
  206. >
  207. > [Attack Type]
  208. > Remote
  209. >
  210. > ------------------------------------------
  211. >
  212. > [Impact Denial of Service]
  213. > true
  214. >
  215. > ------------------------------------------
  216. >
  217. > [Impact Information Disclosure]
  218. > true
  219. >
  220. > ------------------------------------------
  221. >
  222. > [Attack Vectors]
  223. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  224. > server with a special field named "TZ" containing the path of a file (with
  225. > path traversal), and if the file exists, the site will wait for several seconds
  226. > while reading and parsing it. This can give the ability to check for any existing
  227. > file on the device filesystem. An attacker can also set the path to /dev/random
  228. > to perform a DoS attack.
  229. >
  230. > ------------------------------------------
  231. >
  232. > [Reference]
  233. > https://www.microdigital.ru/
  234. > http://www.microdigital.co.kr/
  235. >
  236. > ------------------------------------------
  237. >
  238. > [Has vendor confirmed or acknowledged the vulnerability?]
  239. > true
  240. >
  241. > ------------------------------------------
  242. >
  243. > [Discoverer]
  244. > Shaposhnikov Ilya
  245.  
  246. Use CVE-2019-14700.
  247.  
  248.  
  249. > [Suggested description]
  250. > An issue was discovered on MicroDigital N-series cameras with firmware
  251. > through 6400.0.8.5. An attacker can trigger read operations on an
  252. > arbitrary file via Path Traversal in the TZ parameter, but cannot
  253. > retrieve the data that is read. This causes a denial of service if the
  254. > filename is, for example, /dev/random.
  255. >
  256. > ------------------------------------------
  257. >
  258. > [Additional Information]
  259. > 1. Company is not in the MITRE's list
  260. > 2. Have exploitation screenshots as a PoC
  261. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  262. >
  263. > ------------------------------------------
  264. >
  265. > [Vulnerability Type]
  266. > does not block /dev/random access
  267. >
  268. > ------------------------------------------
  269. >
  270. > [Vendor of Product]
  271. > MicroDigital
  272. >
  273. > ------------------------------------------
  274. >
  275. > [Affected Product Code Base]
  276. > All of N-series cameras - up to 6400.0.8.5 (including)
  277. >
  278. > ------------------------------------------
  279. >
  280. > [Affected Component]
  281. > HTTPD web server of camera at 80 port.
  282. >
  283. > ------------------------------------------
  284. >
  285. > [Attack Type]
  286. > Remote
  287. >
  288. > ------------------------------------------
  289. >
  290. > [Impact Denial of Service]
  291. > true
  292. >
  293. > ------------------------------------------
  294. >
  295. > [Impact Information Disclosure]
  296. > true
  297. >
  298. > ------------------------------------------
  299. >
  300. > [Attack Vectors]
  301. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  302. > server with a special field named "TZ" containing the path of a file (with
  303. > path traversal), and if the file exists, the site will wait for several seconds
  304. > while reading and parsing it. This can give the ability to check for any existing
  305. > file on the device filesystem. An attacker can also set the path to /dev/random
  306. > to perform a DoS attack.
  307. >
  308. > ------------------------------------------
  309. >
  310. > [Reference]
  311. > https://www.microdigital.ru/
  312. > http://www.microdigital.co.kr/
  313. >
  314. > ------------------------------------------
  315. >
  316. > [Has vendor confirmed or acknowledged the vulnerability?]
  317. > true
  318. >
  319. > ------------------------------------------
  320. >
  321. > [Discoverer]
  322. > Shaposhnikov Ilya
  323.  
  324. Use CVE-2019-14701.
  325.  
  326.  
  327. > [Suggested description]
  328. > An issue was discovered on MicroDigital N-series cameras with firmware
  329. > through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms
  330. > that are reachable through HTTPD. An attacker can, for example, create
  331. > an admin account.
  332. >
  333. > ------------------------------------------
  334. >
  335. > [Additional Information]
  336. > 1. Company is not in the MITRE's list
  337. > 2. Have exploitation screenshots as a PoC
  338. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  339. >
  340. > ------------------------------------------
  341. >
  342. > [Vulnerability Type]
  343. > SQL Injection
  344. >
  345. > ------------------------------------------
  346. >
  347. > [Vendor of Product]
  348. > MicroDigital
  349. >
  350. > ------------------------------------------
  351. >
  352. > [Affected Product Code Base]
  353. > All of N-series cameras - up to 6400.0.8.5 (including)
  354. >
  355. > ------------------------------------------
  356. >
  357. > [Affected Component]
  358. > HTTPD web server of camera at 80 port.
  359. >
  360. > ------------------------------------------
  361. >
  362. > [Attack Type]
  363. > Remote
  364. >
  365. > ------------------------------------------
  366. >
  367. > [Impact Code execution]
  368. > true
  369. >
  370. > ------------------------------------------
  371. >
  372. > [Impact Denial of Service]
  373. > true
  374. >
  375. > ------------------------------------------
  376. >
  377. > [Impact Escalation of Privileges]
  378. > true
  379. >
  380. > ------------------------------------------
  381. >
  382. > [Impact Information Disclosure]
  383. > true
  384. >
  385. > ------------------------------------------
  386. >
  387. > [Attack Vectors]
  388. > Multiple forms (13 forms) are vulnerable to SQL injection, which an attacker can, for example, use to create an admin account.
  389. >
  390. > ------------------------------------------
  391. >
  392. > [Reference]
  393. > https://www.microdigital.ru/
  394. > http://www.microdigital.co.kr/
  395. >
  396. > ------------------------------------------
  397. >
  398. > [Has vendor confirmed or acknowledged the vulnerability?]
  399. > true
  400. >
  401. > ------------------------------------------
  402. >
  403. > [Discoverer]
  404. > Shaposhnikov Ilya
  405.  
  406. Use CVE-2019-14702.
  407.  
  408.  
  409. > [Suggested description]
  410. > A CSRF issue was discovered in webparam?user&action=set&param=add in
  411. > HTTPD on MicroDigital N-series cameras with firmware through
  412. > 6400.0.8.5 to create an admin account.
  413. >
  414. > ------------------------------------------
  415. >
  416. > [Additional Information]
  417. > 1. Company is not in the MITRE's list
  418. > 2. Have exploitation screenshots as a PoC
  419. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  420. >
  421. > ------------------------------------------
  422. >
  423. > [Vulnerability Type]
  424. > Cross Site Request Forgery (CSRF)
  425. >
  426. > ------------------------------------------
  427. >
  428. > [VulnerabilityType Other]
  429. > Cross Site Request Forgery
  430. >
  431. > ------------------------------------------
  432. >
  433. > [Vendor of Product]
  434. > MicroDigital
  435. >
  436. > ------------------------------------------
  437. >
  438. > [Affected Product Code Base]
  439. > All of N-series cameras - up to 6400.0.8.5 (including)
  440. >
  441. > ------------------------------------------
  442. >
  443. > [Affected Component]
  444. > HTTPD web server of camera at 80 port.
  445. >
  446. > ------------------------------------------
  447. >
  448. > [Attack Type]
  449. > Remote
  450. >
  451. > ------------------------------------------
  452. >
  453. > [Impact Code execution]
  454. > true
  455. >
  456. > ------------------------------------------
  457. >
  458. > [Impact Denial of Service]
  459. > true
  460. >
  461. > ------------------------------------------
  462. >
  463. > [Impact Escalation of Privileges]
  464. > true
  465. >
  466. > ------------------------------------------
  467. >
  468. > [Impact Information Disclosure]
  469. > true
  470. >
  471. > ------------------------------------------
  472. >
  473. > [Attack Vectors]
  474. > Attacker can send a url to admin of camera to control everything
  475. > available at web admin panel. Example: url
  476. > http://<ip>/webparam?user&action=set&param=add&id=tester&pass=cGFzc3dvcmQ=&authority=0&t=1552491782708
  477. > will create admin user "tester" with password "password".
  478. >
  479. > ------------------------------------------
  480. >
  481. > [Reference]
  482. > https://www.microdigital.ru/
  483. > http://www.microdigital.co.kr/
  484. >
  485. > ------------------------------------------
  486. >
  487. > [Has vendor confirmed or acknowledged the vulnerability?]
  488. > true
  489. >
  490. > ------------------------------------------
  491. >
  492. > [Discoverer]
  493. > Shaposhnikov Ilya
  494.  
  495. Use CVE-2019-14703.
  496.  
  497.  
  498. > [Suggested description]
  499. > An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras
  500. > with firmware through 6400.0.8.5 via FTP commands following a newline
  501. > character in the uploadfile field.
  502. >
  503. > ------------------------------------------
  504. >
  505. > [Additional Information]
  506. > 1. Company is not in the MITRE's list
  507. > 2. Have exploitation screenshots as a PoC
  508. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  509. >
  510. > ------------------------------------------
  511. >
  512. > [VulnerabilityType Other]
  513. > Server Side Request Forgery
  514. >
  515. > ------------------------------------------
  516. >
  517. > [Vendor of Product]
  518. > MicroDigital
  519. >
  520. > ------------------------------------------
  521. >
  522. > [Affected Product Code Base]
  523. > All of N-series cameras - up to 6400.0.8.5 (including)
  524. >
  525. > ------------------------------------------
  526. >
  527. > [Affected Component]
  528. > HTTPD web server of camera at 80 port.
  529. >
  530. > ------------------------------------------
  531. >
  532. > [Attack Type]
  533. > Remote
  534. >
  535. > ------------------------------------------
  536. >
  537. > [Impact Information Disclosure]
  538. > true
  539. >
  540. > ------------------------------------------
  541. >
  542. > [CVE Impact Other]
  543. > File editing
  544. >
  545. > ------------------------------------------
  546. >
  547. > [Attack Vectors]
  548. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  549. > server with a special field named "uploadfile" containing newline bytes
  550. > followed by FTP commands. This can give the ability to use the device
  551. > as a proxy or edit any available information/files on the connected
  552. > FTP server. An attacker can also read a large file from the FTP server to
  553. > perform a DoS attack.
  554. >
  555. > ------------------------------------------
  556. >
  557. > [Reference]
  558. > https://www.microdigital.ru/
  559. > http://www.microdigital.co.kr/
  560. >
  561. > ------------------------------------------
  562. >
  563. > [Has vendor confirmed or acknowledged the vulnerability?]
  564. > true
  565. >
  566. > ------------------------------------------
  567. >
  568. > [Discoverer]
  569. > Shaposhnikov Ilya
  570.  
  571. Use CVE-2019-14704.
  572.  
  573.  
  574. > [Suggested description]
  575. > An Incorrect Access Control issue was discovered on MicroDigital
  576. > N-series cameras with firmware through 6400.0.8.5 because any valid
  577. > cookie can be used to make requests as an admin.
  578. >
  579. > ------------------------------------------
  580. >
  581. > [Additional Information]
  582. > 1. Company is not in the MITRE's list
  583. > 2. Have exploitation screenshots as a PoC
  584. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  585. >
  586. > ------------------------------------------
  587. >
  588. > [Vulnerability Type]
  589. > Incorrect Access Control
  590. >
  591. > ------------------------------------------
  592. >
  593. > [Vendor of Product]
  594. > MicroDigital
  595. >
  596. > ------------------------------------------
  597. >
  598. > [Affected Product Code Base]
  599. > All of N-series cameras - up to 6400.0.8.5 (including)
  600. >
  601. > ------------------------------------------
  602. >
  603. > [Affected Component]
  604. > HTTPD web server of camera at 80 port.
  605. >
  606. > ------------------------------------------
  607. >
  608. > [Attack Type]
  609. > Remote
  610. >
  611. > ------------------------------------------
  612. >
  613. > [Impact Code execution]
  614. > true
  615. >
  616. > ------------------------------------------
  617. >
  618. > [Impact Denial of Service]
  619. > true
  620. >
  621. > ------------------------------------------
  622. >
  623. > [Impact Escalation of Privileges]
  624. > true
  625. >
  626. > ------------------------------------------
  627. >
  628. > [Impact Information Disclosure]
  629. > true
  630. >
  631. > ------------------------------------------
  632. >
  633. > [Attack Vectors]
  634. > Attacker can send an HTTP request with only the login in cookies and make any requests as the selected user. Default admin user is root.
  635. >
  636. > ------------------------------------------
  637. >
  638. > [Reference]
  639. > https://www.microdigital.ru/
  640. > http://www.microdigital.co.kr/
  641. >
  642. > ------------------------------------------
  643. >
  644. > [Has vendor confirmed or acknowledged the vulnerability?]
  645. > true
  646. >
  647. > ------------------------------------------
  648. >
  649. > [Discoverer]
  650. > Shaposhnikov Ilya
  651.  
  652. Use CVE-2019-14705.
  653.  
  654.  
  655. > [Suggested description]
  656. > A denial of service issue in HTTPD was discovered on MicroDigital
  657. > N-series cameras with firmware through 6400.0.8.5. An attacker without
  658. > authorization can upload a file to upload.php with a filename longer
  659. > than 256 bytes. This will be placed in the updownload area. It will
  660. > not be deleted, because of a buffer overflow in a Bash command string.
  661. >
  662. > ------------------------------------------
  663. >
  664. > [Additional Information]
  665. > 1. Company is not in the MITRE's list
  666. > 2. Have exploitation screenshots as a PoC
  667. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  668. >
  669. > ------------------------------------------
  670. >
  671. > [Vulnerability Type]
  672. > Buffer Overflow
  673. >
  674. > ------------------------------------------
  675. >
  676. > [Vendor of Product]
  677. > MicroDigital
  678. >
  679. > ------------------------------------------
  680. >
  681. > [Affected Product Code Base]
  682. > All of N-series cameras - up to 6400.0.8.5 (including)
  683. >
  684. > ------------------------------------------
  685. >
  686. > [Affected Component]
  687. > file upload.php at HTTPD web server of camera at 80 port.
  688. >
  689. > ------------------------------------------
  690. >
  691. > [Attack Type]
  692. > Remote
  693. >
  694. > ------------------------------------------
  695. >
  696. > [Impact Denial of Service]
  697. > true
  698. >
  699. > ------------------------------------------
  700. >
  701. > [Attack Vectors]
  702. > An attacker without authorization can upload a file to upload.php with
  703. > a filename longer than 256 bytes, which will be placed in
  704. > updownload and will not be deleted because of a BoF in the bash command
  705. > string.
  706. >
  707. > ------------------------------------------
  708. >
  709. > [Reference]
  710. > https://www.microdigital.ru/
  711. > http://www.microdigital.co.kr/
  712. >
  713. > ------------------------------------------
  714. >
  715. > [Has vendor confirmed or acknowledged the vulnerability?]
  716. > true
  717. >
  718. > ------------------------------------------
  719. >
  720. > [Discoverer]
  721. > Shaposhnikov Ilya
  722.  
  723. Use CVE-2019-14706.
  724.  
  725.  
  726. > [Suggested description]
  727. > An issue was discovered on MicroDigital N-series cameras with firmware
  728. > through 6400.0.8.5. The firmware update process is insecure, leading
  729. > to remote code execution. The attacker can provide arbitrary firmware
  730. > in a .dat file via a webparam?system&action=set&upgrade URI.
  731. >
  732. > ------------------------------------------
  733. >
  734. > [Additional Information]
  735. > 1. Company is not in the MITRE's list
  736. > 2. Have exploitation screenshots as a PoC
  737. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  738. >
  739. > ------------------------------------------
  740. >
  741. > [VulnerabilityType Other]
  742. > Download of Code Without Integrity Check
  743. >
  744. > ------------------------------------------
  745. >
  746. > [Vendor of Product]
  747. > MicroDigital
  748. >
  749. > ------------------------------------------
  750. >
  751. > [Affected Product Code Base]
  752. > All of N-series cameras - up to 6400.0.8.5 (including)
  753. >
  754. > ------------------------------------------
  755. >
  756. > [Affected Component]
  757. > Executable CGI-file running at HTTPD webserver
  758. >
  759. > ------------------------------------------
  760. >
  761. > [Attack Type]
  762. > Remote
  763. >
  764. > ------------------------------------------
  765. >
  766. > [Impact Code execution]
  767. > true
  768. >
  769. > ------------------------------------------
  770. >
  771. > [Impact Denial of Service]
  772. > true
  773. >
  774. > ------------------------------------------
  775. >
  776. > [Impact Escalation of Privileges]
  777. > true
  778. >
  779. > ------------------------------------------
  780. >
  781. > [Attack Vectors]
  782. > Attacker can build and upload .dat firmware using upload.php and initiate a firmware update with a request
  783. > in the admin panel (/webparam?system&action=set&upgrade&...).
  784. >
  785. > ------------------------------------------
  786. >
  787. > [Reference]
  788. > https://www.microdigital.ru/
  789. > http://www.microdigital.co.kr/
  790. >
  791. > ------------------------------------------
  792. >
  793. > [Has vendor confirmed or acknowledged the vulnerability?]
  794. > true
  795. >
  796. > ------------------------------------------
  797. >
  798. > [Discoverer]
  799. > Shaposhnikov Ilya
  800.  
  801. Use CVE-2019-14707.
  802.  
  803.  
  804. > [Suggested description]
  805. > An issue was discovered on MicroDigital N-series cameras with firmware
  806. > through 6400.0.8.5. A buffer overflow in the action parameter leads to
  807. > remote code execution in the context of the nobody account.
  808. >
  809. > ------------------------------------------
  810. >
  811. > [Additional Information]
  812. > 1. Company is not in the MITRE's list
  813. > 2. Have exploitation screenshots as a PoC
  814. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  815. >
  816. > ------------------------------------------
  817. >
  818. > [Vulnerability Type]
  819. > Buffer Overflow
  820. >
  821. > ------------------------------------------
  822. >
  823. > [Vendor of Product]
  824. > MicroDigital
  825. >
  826. > ------------------------------------------
  827. >
  828. > [Affected Product Code Base]
  829. > All of N-series cameras - up to 6400.0.8.5 (including)
  830. >
  831. > ------------------------------------------
  832. >
  833. > [Affected Component]
  834. > Executable CGI-file running at HTTPD webserver
  835. >
  836. > ------------------------------------------
  837. >
  838. > [Attack Type]
  839. > Remote
  840. >
  841. > ------------------------------------------
  842. >
  843. > [Impact Code execution]
  844. > true
  845. >
  846. > ------------------------------------------
  847. >
  848. > [Impact Denial of Service]
  849. > true
  850. >
  851. > ------------------------------------------
  852. >
  853. > [Impact Escalation of Privileges]
  854. > true
  855. >
  856. > ------------------------------------------
  857. >
  858. > [Impact Information Disclosure]
  859. > true
  860. >
  861. > ------------------------------------------
  862. >
  863. > [Attack Vectors]
  864. > Attacker can exploit buffer overflow in action parameter for system remote code execution from user "nobody".
  865. >
  866. > ------------------------------------------
  867. >
  868. > [Reference]
  869. > https://www.microdigital.ru/
  870. > http://www.microdigital.co.kr/
  871. >
  872. > ------------------------------------------
  873. >
  874. > [Has vendor confirmed or acknowledged the vulnerability?]
  875. > true
  876. >
  877. > ------------------------------------------
  878. >
  879. > [Discoverer]
  880. > Shaposhnikov Ilya
  881.  
  882. Use CVE-2019-14708.
  883.  
  884.  
  885. > [Suggested description]
  886. > A cleartext password storage issue was discovered on MicroDigital
  887. > N-series cameras with firmware through 6400.0.8.5. The file in
  888. > question is /usr/local/ipsca/mipsca.db. If a camera is compromised,
  889. > the attacker can gain access to passwords and abuse them to compromise
  890. > further systems.
  891. >
  892. > ------------------------------------------
  893. >
  894. > [Additional Information]
  895. > 1. Company is not in the MITRE's list
  896. > 2. Have exploitation screenshots as a PoC
  897. > 3. Contacted company by mail but they refused fixes because of department dissolution of developers of this firmware
  898. >
  899. > ------------------------------------------
  900. >
  901. > [VulnerabilityType Other]
  902. > Password Plaintext Storage
  903. >
  904. > ------------------------------------------
  905. >
  906. > [Vendor of Product]
  907. > MicroDigital
  908. >
  909. > ------------------------------------------
  910. >
  911. > [Affected Product Code Base]
  912. > All of N-series cameras - up to 6400.0.8.5 (including)
  913. >
  914. > ------------------------------------------
  915. >
  916. > [Affected Component]
  917. > HTTPD web server of camera at 80 port.
  918. >
  919. > ------------------------------------------
  920. >
  921. > [Attack Type]
  922. > Local
  923. >
  924. > ------------------------------------------
  925. >
  926. > [Impact Information Disclosure]
  927. > true
  928. >
  929. > ------------------------------------------
  930. >
  931. > [Attack Vectors]
  932. > To exploit the vulnerability, someone must read the file /usr/local/ipsca/mipsca.db (which is an SQLite3 database), which contains actual account passwords.
  933. >
  934. > ------------------------------------------
  935. >
  936. > [Reference]
  937. > https://www.microdigital.ru/
  938. > http://www.microdigital.co.kr/
  939. >
  940. > ------------------------------------------
  941. >
  942. > [Has vendor confirmed or acknowledged the vulnerability?]
  943. > true
  944. >
  945. > ------------------------------------------
  946. >
  947. > [Discoverer]
  948. > Shaposhnikov Ilya
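
For the TZ path traversal described under CVE-2019-14700 and CVE-2019-14701, the following is an added example (not code from this paste or from the vendor firmware) of how a CGI handler could validate a TZ value before touching the filesystem and refuse anything that is not a small regular file. The zoneinfo root, the size caps and all function and constant names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TZ_NAME_MAX 64           /* assumed cap on the length of a zone name */
#define TZ_FILE_MAX (64 * 1024)  /* assumed cap on the size of a compiled zone file */

/* Hypothetical status codes; the caller should answer every failure identically. */
enum tz_status { TZ_OK = 0, TZ_BAD_NAME, TZ_NOT_FOUND, TZ_NOT_REGULAR, TZ_TOO_LARGE };

/*
 * Syntax check only, with no filesystem access, so a rejected value costs the
 * same time whether or not the file it points at exists (no timing signal).
 * Accepts components of [A-Za-z0-9_+-] separated by single '/' characters.
 * Dots are refused outright, which rules out "." and ".." components.
 */
int tz_name_is_safe(const char *name)
{
    size_t len, i, comp = 0;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= TZ_NAME_MAX)
        return 0;
    for (i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\0') {
            if (comp == 0)          /* leading, trailing or doubled slash */
                return 0;
            comp = 0;
        } else if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9') || c == '_' || c == '+' || c == '-') {
            comp++;
        } else {
            return 0;               /* '.', control bytes, anything else */
        }
    }
    return 1;
}

/*
 * Opens root/name read-only. O_NONBLOCK keeps open() from stalling on FIFOs
 * and devices; fstat() on the opened descriptor then refuses everything that
 * is not a regular file (e.g. /dev/random reached through a symlink) and
 * anything larger than TZ_FILE_MAX, so the later read is bounded.
 */
enum tz_status tz_open_zone(const char *root, const char *name, int *fd_out)
{
    char path[512];
    struct stat st;
    int fd, n;

    *fd_out = -1;
    if (!tz_name_is_safe(name))
        return TZ_BAD_NAME;
    n = snprintf(path, sizeof path, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return TZ_BAD_NAME;

    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return TZ_NOT_FOUND;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return TZ_NOT_REGULAR;
    }
    if (st.st_size > TZ_FILE_MAX) {
        close(fd);
        return TZ_TOO_LARGE;
    }
    *fd_out = fd;
    return TZ_OK;
}

int main(void)
{
    /* Constructed sample TZ values, not taken from a real request. */
    const char *samples[] = { "Europe/Moscow", "Etc/GMT+3",
                              "../../dev/random", "/etc/passwd" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fd;
        enum tz_status s = tz_open_zone("/usr/share/zoneinfo", samples[i], &fd);
        printf("%-20s -> status %d\n", samples[i], (int)s);
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Logging the `TZ_BAD_NAME` and `TZ_NOT_REGULAR` outcomes separately from ordinary lookups gives a detection signal for probing of this parameter.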