Aug 6th, 2019
  1. > [Suggested description]
  2. > An issue was discovered on MicroDigital N-series cameras with firmware
  3. > through 6400.0.8.5. In a CGI program running under the HTTPD web
  4. > server, a buffer overflow in the param parameter leads to remote code
  5. > execution in the context of the nobody account.
  6. >
  7. > ------------------------------------------
  8. >
  9. > [Additional Information]
  10. > 1. Company is not in MITRE's list
  11. > 2. Have exploitation screenshots as a PoC
  12. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  13. >
  14. > ------------------------------------------
  15. >
  16. > [Vulnerability Type]
  17. > Buffer Overflow
  18. >
  19. > ------------------------------------------
  20. >
  21. > [Vendor of Product]
  22. > MicroDigital
  23. >
  24. > ------------------------------------------
  25. >
  26. > [Affected Product Code Base]
  27. > All of N-series cameras - up to 6400.0.8.5 (including)
  28. >
  29. > ------------------------------------------
  30. >
  31. > [Affected Component]
  32. > Executable CGI-file running at HTTPD webserver
  33. >
  34. > ------------------------------------------
  35. >
  36. > [Attack Type]
  37. > Remote
  38. >
  39. > ------------------------------------------
  40. >
  41. > [Impact Code execution]
  42. > true
  43. >
  44. > ------------------------------------------
  45. >
  46. > [Impact Denial of Service]
  47. > true
  48. >
  49. > ------------------------------------------
  50. >
  51. > [Impact Escalation of Privileges]
  52. > true
  53. >
  54. > ------------------------------------------
  55. >
  56. > [Impact Information Disclosure]
  57. > true
  58. >
  59. > ------------------------------------------
  60. >
  61. > [Attack Vectors]
  62. > Attacker can exploit buffer overflow in "param" parameter for system remote code execution from user "nobody".
  63. >
  64. > ------------------------------------------
  65. >
  66. > [Reference]
  67. > https://www.microdigital.ru/
  68. > http://www.microdigital.co.kr/
  69. >
  70. > ------------------------------------------
  71. >
  72. > [Has vendor confirmed or acknowledged the vulnerability?]
  73. > true
  74. >
  75. > ------------------------------------------
  76. >
  77. > [Discoverer]
  78. > Shaposhnikov Ilya
  79.  
  80. Use CVE-2019-14698.
  81.  
  82.  
  83. > [Suggested description]
  84. > An issue was discovered on MicroDigital N-series cameras with firmware
  85. > through 6400.0.8.5. An attacker can exploit OS Command Injection in
  86. > the filename parameter for remote code execution as root. This occurs
  87. > in the Mainproc executable file, which can be run from the HTTPD web
  88. > server.
  89. >
  90. > ------------------------------------------
  91. >
  92. > [Additional Information]
  93. > 1. Company is not in MITRE's list
  94. > 2. Have exploitation screenshots as a PoC
  95. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  96. >
  97. > ------------------------------------------
  98. >
  99. > [VulnerabilityType Other]
  100. > OS Command Injection
  101. >
  102. > ------------------------------------------
  103. >
  104. > [Vendor of Product]
  105. > MicroDigital
  106. >
  107. > ------------------------------------------
  108. >
  109. > [Affected Product Code Base]
  110. > All of N-series cameras - up to 6400.0.8.5 (including)
  111. >
  112. > ------------------------------------------
  113. >
  114. > [Affected Component]
  115. > "Mainproc" executable file which can be run from HTTPD web server.
  116. >
  117. > ------------------------------------------
  118. >
  119. > [Attack Type]
  120. > Remote
  121. >
  122. > ------------------------------------------
  123. >
  124. > [Impact Code execution]
  125. > true
  126. >
  127. > ------------------------------------------
  128. >
  129. > [Impact Denial of Service]
  130. > true
  131. >
  132. > ------------------------------------------
  133. >
  134. > [Impact Escalation of Privileges]
  135. > true
  136. >
  137. > ------------------------------------------
  138. >
  139. > [Impact Information Disclosure]
  140. > true
  141. >
  142. > ------------------------------------------
  143. >
  144. > [Attack Vectors]
  145. > Attacker can send request to camera web server with parameter "filename" with injected OS command into it and this command will be run from root user.
  146. >
  147. > ------------------------------------------
  148. >
  149. > [Reference]
  150. > https://www.microdigital.ru/
  151. > http://www.microdigital.co.kr/
  152. >
  153. > ------------------------------------------
  154. >
  155. > [Has vendor confirmed or acknowledged the vulnerability?]
  156. > true
  157. >
  158. > ------------------------------------------
  159. >
  160. > [Discoverer]
  161. > Shaposhnikov Ilya
  162.  
  163. Use CVE-2019-14699.
  164.  
  165.  
  166. > [Suggested description]
  167. > An issue was discovered on MicroDigital N-series cameras with firmware
  168. > through 6400.0.8.5. There is disclosure of the existence of arbitrary
  169. > files via Path Traversal in HTTPD. This occurs because the filename
  170. > specified in the TZ parameter is accessed with a substantial delay if
  171. > that file exists.
  172. >
  173. > ------------------------------------------
  174. >
  175. > [Additional Information]
  176. > 1. Company is not in MITRE's list
  177. > 2. Have exploitation screenshots as a PoC
  178. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  179. >
  180. > ------------------------------------------
  181. >
  182. > [Vulnerability Type]
  183. > Directory Traversal
  184. >
  185. > ------------------------------------------
  186. >
  187. > [VulnerabilityType Other]
  188. > Relative Path Traversal
  189. >
  190. > ------------------------------------------
  191. >
  192. > [Vendor of Product]
  193. > MicroDigital
  194. >
  195. > ------------------------------------------
  196. >
  197. > [Affected Product Code Base]
  198. > All of N-series cameras - up to 6400.0.8.5 (including)
  199. >
  200. > ------------------------------------------
  201. >
  202. > [Affected Component]
  203. > HTTPD web server of camera at 80 port.
  204. >
  205. > ------------------------------------------
  206. >
  207. > [Attack Type]
  208. > Remote
  209. >
  210. > ------------------------------------------
  211. >
  212. > [Impact Denial of Service]
  213. > true
  214. >
  215. > ------------------------------------------
  216. >
  217. > [Impact Information Disclosure]
  218. > true
  219. >
  220. > ------------------------------------------
  221. >
  222. > [Attack Vectors]
  223. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  224. > server with a special field named "TZ" containing the path of a file (with
  225. > path traversal), and if the file exists, the site will wait for several seconds
  226. > while reading and parsing it. It can give the ability to check for any existing
  227. > file on the device filesystem. Also, an attacker can set the path to /dev/random
  228. > to perform a DoS attack.
  229. >
  230. > ------------------------------------------
  231. >
  232. > [Reference]
  233. > https://www.microdigital.ru/
  234. > http://www.microdigital.co.kr/
  235. >
  236. > ------------------------------------------
  237. >
  238. > [Has vendor confirmed or acknowledged the vulnerability?]
  239. > true
  240. >
  241. > ------------------------------------------
  242. >
  243. > [Discoverer]
  244. > Shaposhnikov Ilya
  245.  
  246. Use CVE-2019-14700.
  247.  
  248.  
  249. > [Suggested description]
  250. > An issue was discovered on MicroDigital N-series cameras with firmware
  251. > through 6400.0.8.5. An attacker can trigger read operations on an
  252. > arbitrary file via Path Traversal in the TZ parameter, but cannot
  253. > retrieve the data that is read. This causes a denial of service if the
  254. > filename is, for example, /dev/random.
  255. >
  256. > ------------------------------------------
  257. >
  258. > [Additional Information]
  259. > 1. Company is not in MITRE's list
  260. > 2. Have exploitation screenshots as a PoC
  261. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  262. >
  263. > ------------------------------------------
  264. >
  265. > [Vulnerability Type]
  266. > does not block /dev/random access
  267. >
  268. > ------------------------------------------
  269. >
  270. > [Vendor of Product]
  271. > MicroDigital
  272. >
  273. > ------------------------------------------
  274. >
  275. > [Affected Product Code Base]
  276. > All of N-series cameras - up to 6400.0.8.5 (including)
  277. >
  278. > ------------------------------------------
  279. >
  280. > [Affected Component]
  281. > HTTPD web server of camera at 80 port.
  282. >
  283. > ------------------------------------------
  284. >
  285. > [Attack Type]
  286. > Remote
  287. >
  288. > ------------------------------------------
  289. >
  290. > [Impact Denial of Service]
  291. > true
  292. >
  293. > ------------------------------------------
  294. >
  295. > [Impact Information Disclosure]
  296. > true
  297. >
  298. > ------------------------------------------
  299. >
  300. > [Attack Vectors]
  301. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  302. > server with a special field named "TZ" containing the path of a file (with
  303. > path traversal), and if the file exists, the site will wait for several seconds
  304. > while reading and parsing it. It can give the ability to check for any existing
  305. > file on the device filesystem. Also, an attacker can set the path to /dev/random
  306. > to perform a DoS attack.
  307. >
  308. > ------------------------------------------
  309. >
  310. > [Reference]
  311. > https://www.microdigital.ru/
  312. > http://www.microdigital.co.kr/
  313. >
  314. > ------------------------------------------
  315. >
  316. > [Has vendor confirmed or acknowledged the vulnerability?]
  317. > true
  318. >
  319. > ------------------------------------------
  320. >
  321. > [Discoverer]
  322. > Shaposhnikov Ilya
  323.  
  324. Use CVE-2019-14701.
  325.  
  326.  
  327. > [Suggested description]
  328. > An issue was discovered on MicroDigital N-series cameras with firmware
  329. > through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms
  330. > that are reachable through HTTPD. An attacker can, for example, create
  331. > an admin account.
  332. >
  333. > ------------------------------------------
  334. >
  335. > [Additional Information]
  336. > 1. Company is not in MITRE's list
  337. > 2. Have exploitation screenshots as a PoC
  338. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  339. >
  340. > ------------------------------------------
  341. >
  342. > [Vulnerability Type]
  343. > SQL Injection
  344. >
  345. > ------------------------------------------
  346. >
  347. > [Vendor of Product]
  348. > MicroDigital
  349. >
  350. > ------------------------------------------
  351. >
  352. > [Affected Product Code Base]
  353. > All of N-series cameras - up to 6400.0.8.5 (including)
  354. >
  355. > ------------------------------------------
  356. >
  357. > [Affected Component]
  358. > HTTPD web server of camera at 80 port.
  359. >
  360. > ------------------------------------------
  361. >
  362. > [Attack Type]
  363. > Remote
  364. >
  365. > ------------------------------------------
  366. >
  367. > [Impact Code execution]
  368. > true
  369. >
  370. > ------------------------------------------
  371. >
  372. > [Impact Denial of Service]
  373. > true
  374. >
  375. > ------------------------------------------
  376. >
  377. > [Impact Escalation of Privileges]
  378. > true
  379. >
  380. > ------------------------------------------
  381. >
  382. > [Impact Information Disclosure]
  383. > true
  384. >
  385. > ------------------------------------------
  386. >
  387. > [Attack Vectors]
  388. > Multiple forms vulnerable to SQL injection (13 forms), which an attacker can, for example, use for creating an admin account.
  389. >
  390. > ------------------------------------------
  391. >
  392. > [Reference]
  393. > https://www.microdigital.ru/
  394. > http://www.microdigital.co.kr/
  395. >
  396. > ------------------------------------------
  397. >
  398. > [Has vendor confirmed or acknowledged the vulnerability?]
  399. > true
  400. >
  401. > ------------------------------------------
  402. >
  403. > [Discoverer]
  404. > Shaposhnikov Ilya
  405.  
  406. Use CVE-2019-14702.
  407.  
  408.  
  409. > [Suggested description]
  410. > A CSRF issue was discovered in webparam?user&action=set&param=add in
  411. > HTTPD on MicroDigital N-series cameras with firmware through
  412. > 6400.0.8.5 to create an admin account.
  413. >
  414. > ------------------------------------------
  415. >
  416. > [Additional Information]
  417. > 1. Company is not in MITRE's list
  418. > 2. Have exploitation screenshots as a PoC
  419. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  420. >
  421. > ------------------------------------------
  422. >
  423. > [Vulnerability Type]
  424. > Cross Site Request Forgery (CSRF)
  425. >
  426. > ------------------------------------------
  427. >
  428. > [VulnerabilityType Other]
  429. > Cross Site Request Forgery
  430. >
  431. > ------------------------------------------
  432. >
  433. > [Vendor of Product]
  434. > MicroDigital
  435. >
  436. > ------------------------------------------
  437. >
  438. > [Affected Product Code Base]
  439. > All of N-series cameras - up to 6400.0.8.5 (including)
  440. >
  441. > ------------------------------------------
  442. >
  443. > [Affected Component]
  444. > HTTPD web server of camera at 80 port.
  445. >
  446. > ------------------------------------------
  447. >
  448. > [Attack Type]
  449. > Remote
  450. >
  451. > ------------------------------------------
  452. >
  453. > [Impact Code execution]
  454. > true
  455. >
  456. > ------------------------------------------
  457. >
  458. > [Impact Denial of Service]
  459. > true
  460. >
  461. > ------------------------------------------
  462. >
  463. > [Impact Escalation of Privileges]
  464. > true
  465. >
  466. > ------------------------------------------
  467. >
  468. > [Impact Information Disclosure]
  469. > true
  470. >
  471. > ------------------------------------------
  472. >
  473. > [Attack Vectors]
  474. > Attacker can send a url to admin of camera to control everything
  475. > available at web admin panel. Example: url
  476. > http://<ip>/webparam?user&action=set&param=add&id=tester&pass=cGFzc3dvcmQ=&authority=0&t=1552491782708
  477. > will create admin user "tester" with password "password".
  478. >
  479. > ------------------------------------------
  480. >
  481. > [Reference]
  482. > https://www.microdigital.ru/
  483. > http://www.microdigital.co.kr/
  484. >
  485. > ------------------------------------------
  486. >
  487. > [Has vendor confirmed or acknowledged the vulnerability?]
  488. > true
  489. >
  490. > ------------------------------------------
  491. >
  492. > [Discoverer]
  493. > Shaposhnikov Ilya
  494.  
  495. Use CVE-2019-14703.
  496.  
  497.  
  498. > [Suggested description]
  499. > An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras
  500. > with firmware through 6400.0.8.5 via FTP commands following a newline
  501. > character in the uploadfile field.
  502. >
  503. > ------------------------------------------
  504. >
  505. > [Additional Information]
  506. > 1. Company is not in MITRE's list
  507. > 2. Have exploitation screenshots as a PoC
  508. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  509. >
  510. > ------------------------------------------
  511. >
  512. > [VulnerabilityType Other]
  513. > Server Side Request Forgery
  514. >
  515. > ------------------------------------------
  516. >
  517. > [Vendor of Product]
  518. > MicroDigital
  519. >
  520. > ------------------------------------------
  521. >
  522. > [Affected Product Code Base]
  523. > All of N-series cameras - up to 6400.0.8.5 (including)
  524. >
  525. > ------------------------------------------
  526. >
  527. > [Affected Component]
  528. > HTTPD web server of camera at 80 port.
  529. >
  530. > ------------------------------------------
  531. >
  532. > [Attack Type]
  533. > Remote
  534. >
  535. > ------------------------------------------
  536. >
  537. > [Impact Information Disclosure]
  538. > true
  539. >
  540. > ------------------------------------------
  541. >
  542. > [CVE Impact Other]
  543. > File editing
  544. >
  545. > ------------------------------------------
  546. >
  547. > [Attack Vectors]
  548. > To exploit the vulnerability, an attacker must send an HTTP request to the web
  549. > server with a special field named "uploadfile" containing newline bytes and
  550. > FTP commands following them. It can give the ability to use the device
  551. > as a proxy or edit any available information/files on the connected
  552. > FTP server. Also, an attacker can read a large file from the FTP server to
  553. > perform a DoS attack.
  554. >
  555. > ------------------------------------------
  556. >
  557. > [Reference]
  558. > https://www.microdigital.ru/
  559. > http://www.microdigital.co.kr/
  560. >
  561. > ------------------------------------------
  562. >
  563. > [Has vendor confirmed or acknowledged the vulnerability?]
  564. > true
  565. >
  566. > ------------------------------------------
  567. >
  568. > [Discoverer]
  569. > Shaposhnikov Ilya
  570.  
  571. Use CVE-2019-14704.
  572.  
  573.  
  574. > [Suggested description]
  575. > An Incorrect Access Control issue was discovered on MicroDigital
  576. > N-series cameras with firmware through 6400.0.8.5 because any valid
  577. > cookie can be used to make requests as an admin.
  578. >
  579. > ------------------------------------------
  580. >
  581. > [Additional Information]
  582. > 1. Company is not in MITRE's list
  583. > 2. Have exploitation screenshots as a PoC
  584. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  585. >
  586. > ------------------------------------------
  587. >
  588. > [Vulnerability Type]
  589. > Incorrect Access Control
  590. >
  591. > ------------------------------------------
  592. >
  593. > [Vendor of Product]
  594. > MicroDigital
  595. >
  596. > ------------------------------------------
  597. >
  598. > [Affected Product Code Base]
  599. > All of N-series cameras - up to 6400.0.8.5 (including)
  600. >
  601. > ------------------------------------------
  602. >
  603. > [Affected Component]
  604. > HTTPD web server of camera at 80 port.
  605. >
  606. > ------------------------------------------
  607. >
  608. > [Attack Type]
  609. > Remote
  610. >
  611. > ------------------------------------------
  612. >
  613. > [Impact Code execution]
  614. > true
  615. >
  616. > ------------------------------------------
  617. >
  618. > [Impact Denial of Service]
  619. > true
  620. >
  621. > ------------------------------------------
  622. >
  623. > [Impact Escalation of Privileges]
  624. > true
  625. >
  626. > ------------------------------------------
  627. >
  628. > [Impact Information Disclosure]
  629. > true
  630. >
  631. > ------------------------------------------
  632. >
  633. > [Attack Vectors]
  634. > Attacker can send http request with only login in cookies and make any requests from selected user. Default admin user is root.
  635. >
  636. > ------------------------------------------
  637. >
  638. > [Reference]
  639. > https://www.microdigital.ru/
  640. > http://www.microdigital.co.kr/
  641. >
  642. > ------------------------------------------
  643. >
  644. > [Has vendor confirmed or acknowledged the vulnerability?]
  645. > true
  646. >
  647. > ------------------------------------------
  648. >
  649. > [Discoverer]
  650. > Shaposhnikov Ilya
  651.  
  652. Use CVE-2019-14705.
  653.  
  654.  
  655. > [Suggested description]
  656. > A denial of service issue in HTTPD was discovered on MicroDigital
  657. > N-series cameras with firmware through 6400.0.8.5. An attacker without
  658. > authorization can upload a file to upload.php with a filename longer
  659. > than 256 bytes. This will be placed in the updownload area. It will
  660. > not be deleted, because of a buffer overflow in a Bash command string.
  661. >
  662. > ------------------------------------------
  663. >
  664. > [Additional Information]
  665. > 1. Company is not in MITRE's list
  666. > 2. Have exploitation screenshots as a PoC
  667. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  668. >
  669. > ------------------------------------------
  670. >
  671. > [Vulnerability Type]
  672. > Buffer Overflow
  673. >
  674. > ------------------------------------------
  675. >
  676. > [Vendor of Product]
  677. > MicroDigital
  678. >
  679. > ------------------------------------------
  680. >
  681. > [Affected Product Code Base]
  682. > All of N-series cameras - up to 6400.0.8.5 (including)
  683. >
  684. > ------------------------------------------
  685. >
  686. > [Affected Component]
  687. > file upload.php at HTTPD web server of camera at 80 port.
  688. >
  689. > ------------------------------------------
  690. >
  691. > [Attack Type]
  692. > Remote
  693. >
  694. > ------------------------------------------
  695. >
  696. > [Impact Denial of Service]
  697. > true
  698. >
  699. > ------------------------------------------
  700. >
  701. > [Attack Vectors]
  702. > An attacker without authorization can upload a file to upload.php with
  703. > a filename longer than 256 bytes, which will be placed in
  704. > updownload and will not be deleted because of a BoF in the bash command
  705. > string.
  706. >
  707. > ------------------------------------------
  708. >
  709. > [Reference]
  710. > https://www.microdigital.ru/
  711. > http://www.microdigital.co.kr/
  712. >
  713. > ------------------------------------------
  714. >
  715. > [Has vendor confirmed or acknowledged the vulnerability?]
  716. > true
  717. >
  718. > ------------------------------------------
  719. >
  720. > [Discoverer]
  721. > Shaposhnikov Ilya
  722.  
  723. Use CVE-2019-14706.
  724.  
  725.  
  726. > [Suggested description]
  727. > An issue was discovered on MicroDigital N-series cameras with firmware
  728. > through 6400.0.8.5. The firmware update process is insecure, leading
  729. > to remote code execution. The attacker can provide arbitrary firmware
  730. > in a .dat file via a webparam?system&action=set&upgrade URI.
  731. >
  732. > ------------------------------------------
  733. >
  734. > [Additional Information]
  735. > 1. Company is not in MITRE's list
  736. > 2. Have exploitation screenshots as a PoC
  737. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  738. >
  739. > ------------------------------------------
  740. >
  741. > [VulnerabilityType Other]
  742. > Download of Code Without Integrity Check
  743. >
  744. > ------------------------------------------
  745. >
  746. > [Vendor of Product]
  747. > MicroDigital
  748. >
  749. > ------------------------------------------
  750. >
  751. > [Affected Product Code Base]
  752. > All of N-series cameras - up to 6400.0.8.5 (including)
  753. >
  754. > ------------------------------------------
  755. >
  756. > [Affected Component]
  757. > Executable CGI-file running at HTTPD webserver
  758. >
  759. > ------------------------------------------
  760. >
  761. > [Attack Type]
  762. > Remote
  763. >
  764. > ------------------------------------------
  765. >
  766. > [Impact Code execution]
  767. > true
  768. >
  769. > ------------------------------------------
  770. >
  771. > [Impact Denial of Service]
  772. > true
  773. >
  774. > ------------------------------------------
  775. >
  776. > [Impact Escalation of Privileges]
  777. > true
  778. >
  779. > ------------------------------------------
  780. >
  781. > [Attack Vectors]
  782. > Attacker can build and upload .dat firmware using upload.php and initiate firmware update with request
  783. > in admin panel ( /webparam?system&action=set&upgrade&...).
  784. >
  785. > ------------------------------------------
  786. >
  787. > [Reference]
  788. > https://www.microdigital.ru/
  789. > http://www.microdigital.co.kr/
  790. >
  791. > ------------------------------------------
  792. >
  793. > [Has vendor confirmed or acknowledged the vulnerability?]
  794. > true
  795. >
  796. > ------------------------------------------
  797. >
  798. > [Discoverer]
  799. > Shaposhnikov Ilya
  800.  
  801. Use CVE-2019-14707.
  802.  
  803.  
  804. > [Suggested description]
  805. > An issue was discovered on MicroDigital N-series cameras with firmware
  806. > through 6400.0.8.5. A buffer overflow in the action parameter leads to
  807. > remote code execution in the context of the nobody account.
  808. >
  809. > ------------------------------------------
  810. >
  811. > [Additional Information]
  812. > 1. Company is not in MITRE's list
  813. > 2. Have exploitation screenshots as a PoC
  814. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  815. >
  816. > ------------------------------------------
  817. >
  818. > [Vulnerability Type]
  819. > Buffer Overflow
  820. >
  821. > ------------------------------------------
  822. >
  823. > [Vendor of Product]
  824. > MicroDigital
  825. >
  826. > ------------------------------------------
  827. >
  828. > [Affected Product Code Base]
  829. > All of N-series cameras - up to 6400.0.8.5 (including)
  830. >
  831. > ------------------------------------------
  832. >
  833. > [Affected Component]
  834. > Executable CGI-file running at HTTPD webserver
  835. >
  836. > ------------------------------------------
  837. >
  838. > [Attack Type]
  839. > Remote
  840. >
  841. > ------------------------------------------
  842. >
  843. > [Impact Code execution]
  844. > true
  845. >
  846. > ------------------------------------------
  847. >
  848. > [Impact Denial of Service]
  849. > true
  850. >
  851. > ------------------------------------------
  852. >
  853. > [Impact Escalation of Privileges]
  854. > true
  855. >
  856. > ------------------------------------------
  857. >
  858. > [Impact Information Disclosure]
  859. > true
  860. >
  861. > ------------------------------------------
  862. >
  863. > [Attack Vectors]
  864. > Attacker can exploit buffer overflow in action parameter for system remote code execution from user "nobody".
  865. >
  866. > ------------------------------------------
  867. >
  868. > [Reference]
  869. > https://www.microdigital.ru/
  870. > http://www.microdigital.co.kr/
  871. >
  872. > ------------------------------------------
  873. >
  874. > [Has vendor confirmed or acknowledged the vulnerability?]
  875. > true
  876. >
  877. > ------------------------------------------
  878. >
  879. > [Discoverer]
  880. > Shaposhnikov Ilya
  881.  
  882. Use CVE-2019-14708.
  883.  
  884.  
  885. > [Suggested description]
  886. > A cleartext password storage issue was discovered on MicroDigital
  887. > N-series cameras with firmware through 6400.0.8.5. The file in
  888. > question is /usr/local/ipsca/mipsca.db. If a camera is compromised,
  889. > the attacker can gain access to passwords and abuse them to compromise
  890. > further systems.
  891. >
  892. > ------------------------------------------
  893. >
  894. > [Additional Information]
  895. > 1. Company is not in MITRE's list
  896. > 2. Have exploitation screenshots as a PoC
  897. > 3. Contacted the company by mail, but they refused fixes because of the dissolution of the department that developed this firmware
  898. >
  899. > ------------------------------------------
  900. >
  901. > [VulnerabilityType Other]
  902. > Password Plaintext Storage
  903. >
  904. > ------------------------------------------
  905. >
  906. > [Vendor of Product]
  907. > MicroDigital
  908. >
  909. > ------------------------------------------
  910. >
  911. > [Affected Product Code Base]
  912. > All of N-series cameras - up to 6400.0.8.5 (including)
  913. >
  914. > ------------------------------------------
  915. >
  916. > [Affected Component]
  917. > HTTPD web server of camera at 80 port.
  918. >
  919. > ------------------------------------------
  920. >
  921. > [Attack Type]
  922. > Local
  923. >
  924. > ------------------------------------------
  925. >
  926. > [Impact Information Disclosure]
  927. > true
  928. >
  929. > ------------------------------------------
  930. >
  931. > [Attack Vectors]
  932. > To exploit vulnerability someone must read file /usr/local/ipsca/mipsca.db (which is SQLite3 database) which contains actual accounts passwords
  933. >
  934. > ------------------------------------------
  935. >
  936. > [Reference]
  937. > https://www.microdigital.ru/
  938. > http://www.microdigital.co.kr/
  939. >
  940. > ------------------------------------------
  941. >
  942. > [Has vendor confirmed or acknowledged the vulnerability?]
  943. > true
  944. >
  945. > ------------------------------------------
  946. >
  947. > [Discoverer]
  948. > Shaposhnikov Ilya
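
Since the reports above say the vendor refused fixes, monitoring in front of the cameras is what remains. The following is an added example, not part of the original paste or of any vendor tooling: a request triage function for a reverse proxy or IDS log that tags the request shapes named in CVE-2019-14700/14701 (TZ path), CVE-2019-14703 (account-add URL), CVE-2019-14704 (newline in uploadfile), CVE-2019-14706 (upload name over 256 bytes) and CVE-2019-14707 (upgrade URI). Assumptions: decoded body fields and the upload filename are available from the proxy, the camera address 192.0.2.10 and the path `/placeholder.cgi` are constructed, and the tag names are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

MAX_UPLOAD_NAME = 256  # bytes; limit named in the CVE-2019-14706 description


def check_request(url, referer=None, form=None, upload_name=None):
    """Return sorted finding tags for one request seen in front of a camera.

    url         -- absolute request URL as logged
    referer     -- Referer header value, if any
    form        -- decoded body fields (assumed to be available from the proxy)
    upload_name -- filename of an uploaded part, if any
    """
    parts = urlsplit(url)
    # keep_blank_values: "user", "system" and "upgrade" are value-less flags
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items()}
    fields.update(form or {})
    found = set()

    if parts.path.rstrip("/").endswith("/webparam"):
        if ("user" in fields and fields.get("action") == "set"
                and fields.get("param") == "add"):
            found.add("account-add")
            if "pass" in query:
                # the password travels base64-encoded in the URL and ends up in logs
                found.add("credential-in-url")
            if fields.get("authority") == "0":
                # authority=0 is the admin level in the page's example URL
                found.add("account-add-admin")
            ref_host = urlsplit(referer).hostname if referer else None
            if ref_host != parts.hostname:
                # state-changing GET not issued from the camera's own pages
                found.add("account-add-not-same-origin")
        if ("system" in fields and "upgrade" in fields
                and fields.get("action") == "set"):
            found.add("firmware-upgrade")

    tz = fields.get("TZ", "")
    if tz.startswith("/") or ".." in tz.split("/"):
        found.add("tz-path-traversal")

    uploadfile = fields.get("uploadfile", "")
    if "\r" in uploadfile or "\n" in uploadfile:
        found.add("uploadfile-newline")

    if upload_name and len(upload_name.encode("utf-8")) > MAX_UPLOAD_NAME:
        found.add("upload-name-over-256")
    return sorted(found)


CAMERA = "192.0.2.10"  # constructed address (TEST-NET-1)
ADD_URL = (f"http://{CAMERA}/webparam?user&action=set&param=add&id=tester"
           "&pass=cGFzc3dvcmQ=&authority=0&t=1552491782708")  # URL shape from the page

# Constructed sample requests; only the webparam URLs come from the page.
SAMPLES = {
    "add-from-other-site": dict(url=ADD_URL, referer="http://forum.example/t/1"),
    "add-from-admin-ui": dict(url=ADD_URL, referer=f"http://{CAMERA}/admin.html"),
    "upgrade": dict(url=f"http://{CAMERA}/webparam?system&action=set&upgrade"),
    "tz": dict(url=f"http://{CAMERA}/placeholder.cgi",
               form={"TZ": "../../../dev/random"}),
    "uploadfile": dict(url=f"http://{CAMERA}/placeholder.cgi",
                       form={"uploadfile": "a.jpg\r\nNOOP"}),
    "long-name": dict(url=f"http://{CAMERA}/upload.php",
                      upload_name="A" * 300 + ".dat"),
    "benign": dict(url=f"http://{CAMERA}/index.html"),
}


def triage(samples=SAMPLES):
    """Map each sample label to its finding tags."""
    return {label: check_request(**req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, tags in triage().items():
        print(f"{label:22} {', '.join(tags) or '-'}")
```

An account-add request with a foreign or missing Referer is the one to alert on first; the same request from the camera's own admin page still leaves the credential in the URL and in every log along the path.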