Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability
2014-01-14T00:00:00
ID EDB-ID:30914 Type exploitdb Reporter Felipe Molina Modified 2014-01-14T00:00:00
Description
Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability. CVE-2013-7204. Webapps exploit for hardware platform
**General Details**
Affected Product: Conceptronic camera CIPCAMPTIWL
Tested Firmware: 21.37.2.49
Tested Web UI Firmware: 0.61.4.18
Assigned CVE: CVE-2013-7204
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Solution Status: Not Fixed
Vendor Notification Timeline:
- 23/12/2013: Contacting with technical support through their web
form http://www.conceptronic.net/supcon.php?action=init
- 23/12/2013: Contacting with general information email addres
(info@conceptronic.net) to inform about the vulnerability and request
suitable security or technical contact to send the complete details of
the CSRF.
- 25/12/2013: Contacting with public twitter accounts
@conceptronic and @conceptronic_es to request suitable security or
technical contact to send the complete details of the CSRF.
- 28/12/2013: Recontacting the technical support.
- 28/12/2013: Recontacting general information address
info@conceptronic.net.
- 02/01/2014: Trying to conntact with security@conceptronic.net y
vulnerabilities@conceptronic.net but they are non existent addresses.
- 03/01/2014: Involve Inteco CERT in the notification proccess.
- 08/01/2014: Inteco confirms that there is still no response from
Conceptronic.
None of the comunication atempts with the vendor received a response,
so I'm publishing the advisory to warn users and confirm the
vulnerability with you.
**Vulnerabilitty details**
The CSRF is present in the CGI formulary used to create and modify
users of the web interface of the camera (/set_users.cgi). This CSRF
would allow a malicious attacker to create users in the camera web
interface (including administrator users) if he is able to lure the
legitimate administrator of the camera to visit a web controlled by
the attacker.
An example of the process to exploit this vulnerability:
1- A webcam administrator is already logged in the camera web interface.
2- A malicious user knows it and send a link to this administrator
pointing to a web controlled by this attacker
(http://example.com/conceptronic_csrf.html). In this web, the attacker
placed an image with the following code:
<img alt="csrf image"
src="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0">
3- The webcam administrator visit the link.
4- The page http://example.com/test_csrf.html tries to load the image
by making a GET request to the pointed URL, thus, making the
legitimate administrator to create a new user identified by "attacker"
and password "attacker".
A video was uploaded to youtube showing this behaviour:
https://www.youtube.com/watch?v=URXEe_VRc74
This issue can be fixed by adding an additional step to the user
creation CGI, either requesting the administrator password again
before creating/modifying any user or creating a hidden random token
for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
--
Felipe Molina de la Torre
{"published": "2014-01-14T00:00:00", "id": "EDB-ID:30914", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 4.3}, "hash": "30d87892af6b9b6c06c60943cba7c8af10d1513f419794970c85eac245af03a7", "description": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability. CVE-2013-7204. Webapps exploit for hardware platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/30914/", "lastseen": "2016-02-03T13:24:59", "edition": 1, "title": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability", "osvdbidlist": ["101930"], "modified": "2014-01-14T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-7204"], "sourceHref": "https://www.exploit-db.com/download/30914/", "references": [], "reporter": "Felipe Molina", "sourceData": "**General Details**\r\n\r\nAffected Product: Conceptronic camera CIPCAMPTIWL\r\nTested Firmware: 21.37.2.49\r\nTested Web UI Firmware: 0.61.4.18\r\nAssigned CVE: CVE-2013-7204\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nSolution Status: Not Fixed\r\nVendor Notification Timeline:\r\n - 23/12/2013: Contacting with technical support through their web\r\nform http://www.conceptronic.net/supcon.php?action=init\r\n - 23/12/2013: Contacting with general information email addres\r\n(info@conceptronic.net) to inform about the vulnerability and request\r\nsuitable security or technical contact to send the complete details of\r\nthe CSRF.\r\n - 25/12/2013: Contacting with public twitter accounts\r\n@conceptronic and @conceptronic_es to request suitable security or\r\ntechnical contact to send the complete details of the CSRF.\r\n - 28/12/2013: Recontacting the technical support.\r\n - 28/12/2013: Recontacting general information address\r\ninfo@conceptronic.net.\r\n - 02/01/2014: Trying to conntact with security@conceptronic.net y\r\nvulnerabilities@conceptronic.net but they are non existent addresses.\r\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\r\n - 08/01/2014: Inteco confirms that there is still no response from\r\nConceptronic.\r\n\r\nNone of the comunication atempts with the vendor received a response,\r\nso I'm publishing the advisory to warn users and confirm the\r\nvulnerability with you.\r\n\r\n**Vulnerabilitty details**\r\n\r\nThe CSRF is present in the CGI formulary used to create and modify\r\nusers of the web interface of the camera (/set_users.cgi). This CSRF\r\nwould allow a malicious attacker to create users in the camera web\r\ninterface (including administrator users) if he is able to lure the\r\nlegitimate administrator of the camera to visit a web controlled by\r\nthe attacker.\r\n\r\nAn example of the process to exploit this vulnerability:\r\n\r\n1- A webcam administrator is already logged in the camera web interface.\r\n\r\n2- A malicious user knows it and send a link to this administrator\r\npointing to a web controlled by this attacker\r\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\r\nplaced an image with the following code:\r\n\r\n <img alt=\"csrf image\"\r\nsrc=\"http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0\">\r\n\r\n3- The webcam administrator visit the link.\r\n\r\n4- The page http://example.com/test_csrf.html tries to load the image\r\nby making a GET request to the pointed URL, thus, making the\r\nlegitimate administrator to create a new user identified by \"attacker\"\r\nand password \"attacker\".\r\n\r\nA video was uploaded to youtube showing this behaviour:\r\n\r\nhttps://www.youtube.com/watch?v=URXEe_VRc74\r\n\r\nThis issue can be fixed by adding an additional step to the user\r\ncreation CGI, either requesting the administrator password again\r\nbefore creating/modifying any user or creating a hidden random token\r\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\r\n\r\n-- \r\nFelipe Molina de la Torre", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2013-7204", "type": "cve", "title": "CVE-2013-7204", "description": "Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users.", "published": "2014-01-17T10:18:02", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7204", "cvelist": ["CVE-2013-7204"], "lastseen": "2016-09-03T19:18:33"}], "seebug": [{"id": "SSV:84271", "type": "seebug", "title": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-84271", "cvelist": ["CVE-2013-7204"], "lastseen": "2017-11-19T14:05:31"}], "packetstorm": [{"id": "PACKETSTORM:124747", "type": "packetstorm", "title": "Conceptronic CIPCAMPTIWL 21.37.2.49 Cross Site Request Forgery", "description": "", "published": "2014-01-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/124747/Conceptronic-CIPCAMPTIWL-21.37.2.49-Cross-Site-Request-Forgery.html", "cvelist": ["CVE-2013-7204"], "lastseen": "2016-12-05T22:20:46"}], "zdt": [{"id": "1337DAY-ID-21748", "type": "zdt", "title": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability", "description": "Exploit for hardware platform in category web applications", "published": "2014-01-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/21748", "cvelist": ["CVE-2013-7204"], "lastseen": "2018-01-02T23:00:08"}]}}
