Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. In a CGI program running under the HTTPD web
- > server, a buffer overflow in the param parameter leads to remote code
- > execution in the context of the nobody account.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Buffer Overflow
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > Executable CGI-file running at HTTPD webserver
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can exploit buffer overflow in "param" parameter for system remote code execution from user "nobody".
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14698.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. An attacker can exploit OS Command Injection in
- > the filename parameter for remote code execution as root. This occurs
- > in the Mainproc executable file, which can be run from the HTTPD web
- > server.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > OS Command Injection
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > "Mainproc" executable file which can be run from HTTPD web server.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can send request to camera web server with parameter "filename" with injected OS command into it and this command will be run from root user.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14699.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. There is disclosure of the existence of arbitrary
- > files via Path Traversal in HTTPD. This occurs because the filename
- > specified in the TZ parameter is accessed with a substantial delay if
- > that file exists.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Directory Traversal
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Relative Path Traversal
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > to exploit vulnerability attacker must send an http request to web
- > server with special field named "TZ" with path of file (with
- > path-traversal), and if file exist, site will wait for several seconds
- > for reading and parsing it. It can gave the ability to check any exist
- > file at device filesystem. Also attacker can set path to /dev/random
- > to perform DoS attack.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14700.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. An attacker can trigger read operations on an
- > arbitrary file via Path Traversal in the TZ parameter, but cannot
- > retrieve the data that is read. This causes a denial of service if the
- > filename is, for example, /dev/random.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > does not block /dev/random access
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > to exploit vulnerability attacker must send an http request to web
- > server with special field named "TZ" with path of file (with
- > path-traversal), and if file exist, site will wait for several seconds
- > for reading and parsing it. It can gave the ability to check any exist
- > file at device filesystem. Also attacker can set path to /dev/random
- > to perform DoS attack.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14701.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms
- > that are reachable through HTTPD. An attacker can, for example, create
- > an admin account.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > SQL Injection
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Multiple vulnerable to SQL-injection forms (13 forms) which attacker can ,for example, use for creating admin account.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14702.
- > [Suggested description]
- > A CSRF issue was discovered in webparam?user&action=set¶m=add in
- > HTTPD on MicroDigital N-series cameras with firmware through
- > 6400.0.8.5 to create an admin account.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Cross Site Request Forgery (CSRF)
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Cross Site Request Forgery
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can send a url to admin of camera to control everything
- > available at web admin panel. Example: url
- > http://<ip>/webparam?user&action=set¶m=add&id=tester&pass=cGFzc3dvcmQ=&authority=0&t=1552491782708
- > will create admin user "tester" with password "password".
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14703.
- > [Suggested description]
- > An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras
- > with firmware through 6400.0.8.5 via FTP commands following a newline
- > character in the uploadfile field.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Server Side Request Forgery
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [CVE Impact Other]
- > File editing
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > to exploit vulnerability attacker must send an http request to web
- > server with special field named "uploadfile" with newline bytes and
- > ftp-commands, followed after it. It can gave the ability to use device
- > as proxy or edit any available information/files from connected
- > ftp-server. Also attacker can read large file from FTP-server to
- > perform DoS attack.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14704.
- > [Suggested description]
- > An Incorrect Access Control issue was discovered on MicroDigital
- > N-series cameras with firmware through 6400.0.8.5 because any valid
- > cookie can be used to make requests as an admin.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Incorrect Access Control
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can send http request with only login in cookies and make any requests from selected user. Default admin user is root.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14705.
- > [Suggested description]
- > A denial of service issue in HTTPD was discovered on MicroDigital
- > N-series cameras with firmware through 6400.0.8.5. An attacker without
- > authorization can upload a file to upload.php with a filename longer
- > than 256 bytes. This will be placed in the updownload area. It will
- > not be deleted, because of a buffer overflow in a Bash command string.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Buffer Overflow
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > file upload.php at HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > attacker without authorization can upload file to upload.php with
- > filename, longer than 256 bytes, which will be placed to
- > updownload and will not be deleted because of bof in bash command
- > string.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14706.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. The firmware update process is insecure, leading
- > to remote code execution. The attacker can provide arbitrary firmware
- > in a .dat file via a webparam?system&action=set&upgrade URI.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Download of Code Without Integrity Check
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > Executable CGI-file running at HTTPD webserver
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can build and upload .dat firmware using upload.php and initiate firmware update with request
- > in admin panel ( /webparam?system&action=set&upgrade&...).
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14707.
- > [Suggested description]
- > An issue was discovered on MicroDigital N-series cameras with firmware
- > through 6400.0.8.5. A buffer overflow in the action parameter leads to
- > remote code execution in the context of the nobody account.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Buffer Overflow
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > Executable CGI-file running at HTTPD webserver
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Denial of Service]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Attacker can exploit buffer overflow in action parameter for system remote code execution from user "nobody".
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
- Use CVE-2019-14708.
- > [Suggested description]
- > A cleartext password storage issue was discovered on MicroDigital
- > N-series cameras with firmware through 6400.0.8.5. The file in
- > question is /usr/local/ipsca/mipsca.db. If a camera is compromised,
- > the attacker can gain access to passwords and abuse them to compromise
- > further systems.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > 1. Company is not in the MITRE's list
- > 2. Have exploitation screenshots as a PoC
- > 3. Contacted company by mail but they refused fixes cause of department dissolution of developers of this firmware
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Password Plaintext Storage
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > MicroDigital
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > All of N-series cameras - up to 6400.0.8.5 (including)
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > HTTPD web server of camera at 80 port.
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Local
- >
- > ------------------------------------------
- >
- > [Impact Information Disclosure]
- > true
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > To exploit vulnerability someone must read file /usr/local/ipsca/mipsca.db (which is SQLite3 database) which contains actual accounts passwords
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://www.microdigital.ru/
- > http://www.microdigital.co.kr/
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Shaposhnikov Ilya
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement