Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery

2014-01-14T00:00:00

Description

{"id": "EDB-ID:30914", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery", "description": "", "published": "2014-01-14T00:00:00", "modified": "2014-01-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/30914", "reporter": "Felipe Molina", "references": [], "cvelist": ["2013-7204", "CVE-2013-7204"], "immutableFields": [], "lastseen": "2022-08-16T08:33:34", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-7204"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:202946E54343F24EA03654AB0E5D68FE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:124747"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30232", "SECURITYVULNS:VULN:13518"]}, {"type": "seebug", "idList": ["SSV:84271"]}, {"type": "zdt", "idList": ["1337DAY-ID-21748"]}]}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-7204"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:202946E54343F24EA03654AB0E5D68FE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:124747"]}, {"type": "seebug", "idList": ["SSV:84271"]}, {"type": "zdt", "idList": ["1337DAY-ID-21748"]}]}, "exploitation": null, "vulnersScore": -0.0}, "_state": {"dependencies": 1661190352, "score": 1661184847}, "_internal": {"score_hash": "0b8c018d41cd6705261d1cf39af5f373"}, "sourceHref": "https://www.exploit-db.com/download/30914", "sourceData": "**General Details**\r\n\r\nAffected Product: Conceptronic camera CIPCAMPTIWL\r\nTested Firmware: 21.37.2.49\r\nTested Web UI Firmware: 0.61.4.18\r\nAssigned CVE: CVE-2013-7204\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nSolution Status: Not Fixed\r\nVendor Notification Timeline:\r\n - 23/12/2013: Contacting with technical support through their web\r\nform http://www.conceptronic.net/supcon.php?action=init\r\n - 23/12/2013: Contacting with general information email addres\r\n(info@conceptronic.net) to inform about the vulnerability and request\r\nsuitable security or technical contact to send the complete details of\r\nthe CSRF.\r\n - 25/12/2013: Contacting with public twitter accounts\r\n@conceptronic and @conceptronic_es to request suitable security or\r\ntechnical contact to send the complete details of the CSRF.\r\n - 28/12/2013: Recontacting the technical support.\r\n - 28/12/2013: Recontacting general information address\r\ninfo@conceptronic.net.\r\n - 02/01/2014: Trying to conntact with security@conceptronic.net y\r\nvulnerabilities@conceptronic.net but they are non existent addresses.\r\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\r\n - 08/01/2014: Inteco confirms that there is still no response from\r\nConceptronic.\r\n\r\nNone of the comunication atempts with the vendor received a response,\r\nso I'm publishing the advisory to warn users and confirm the\r\nvulnerability with you.\r\n\r\n**Vulnerabilitty details**\r\n\r\nThe CSRF is present in the CGI formulary used to create and modify\r\nusers of the web interface of the camera (/set_users.cgi). This CSRF\r\nwould allow a malicious attacker to create users in the camera web\r\ninterface (including administrator users) if he is able to lure the\r\nlegitimate administrator of the camera to visit a web controlled by\r\nthe attacker.\r\n\r\nAn example of the process to exploit this vulnerability:\r\n\r\n1- A webcam administrator is already logged in the camera web interface.\r\n\r\n2- A malicious user knows it and send a link to this administrator\r\npointing to a web controlled by this attacker\r\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\r\nplaced an image with the following code:\r\n\r\n <img alt=\"csrf image\"\r\nsrc=\"http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0\">\r\n\r\n3- The webcam administrator visit the link.\r\n\r\n4- The page http://example.com/test_csrf.html tries to load the image\r\nby making a GET request to the pointed URL, thus, making the\r\nlegitimate administrator to create a new user identified by \"attacker\"\r\nand password \"attacker\".\r\n\r\nA video was uploaded to youtube showing this behaviour:\r\n\r\nhttps://www.youtube.com/watch?v=URXEe_VRc74\r\n\r\nThis issue can be fixed by adding an additional step to the user\r\ncreation CGI, either requesting the administrator password again\r\nbefore creating/modifying any user or creating a hidden random token\r\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\r\n\r\n-- \r\nFelipe Molina de la Torre", "osvdbidlist": ["101930"], "exploitType": "webapps", "verified": false}

{"cve": [{"lastseen": "2022-03-23T14:52:27", "description": "Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users.", "cvss3": {}, "published": "2014-01-17T15:18:00", "type": "cve", "title": "CVE-2013-7204", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7204"], "modified": "2018-10-09T19:35:00", "cpe": ["cpe:/o:conceptronic:cipcamptiwl_1.0_firmware:21.37.2.49", "cpe:/h:conceptronic:cipcamptiwl:1.0"], "id": "CVE-2013-7204", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7204", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:h:conceptronic:cipcamptiwl:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:conceptronic:cipcamptiwl_1.0_firmware:21.37.2.49:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-7204"], "description": "\r\n\r\nHello List,\r\n\r\nHere I inform you about an easily exploitable CSRF discovered in\r\nConceptronic cameras CIPCAMPTIWL.\r\n\r\n**General Details**\r\n\r\nAffected Product: Conceptronic camera CIPCAMPTIWL\r\nTested Firmware: 21.37.2.49\r\nTested Web UI Firmware: 0.61.4.18\r\nAssigned CVE: CVE-2013-7204\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nSolution Status: Not Fixed\r\nVendor Notification Timeline:\r\n - 23/12/2013: Contacting with technical support through their web\r\nform http://www.conceptronic.net/supcon.php?action=init\r\n - 23/12/2013: Contacting with general information email addres\r\n(info@conceptronic.net) to inform about the vulnerability and request\r\nsuitable security or technical contact to send the complete details of\r\nthe CSRF.\r\n - 25/12/2013: Contacting with public twitter accounts\r\n@conceptronic and @conceptronic_es to request suitable security or\r\ntechnical contact to send the complete details of the CSRF.\r\n - 28/12/2013: Recontacting the technical support.\r\n - 28/12/2013: Recontacting general information address\r\ninfo@conceptronic.net.\r\n - 02/01/2014: Trying to conntact with security@conceptronic.net y\r\nvulnerabilities@conceptronic.net but they are non existent addresses.\r\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\r\n - 08/01/2014: Inteco confirms that there is still no response from\r\nConceptronic.\r\n\r\nNone of the comunication atempts with the vendor received a response,\r\nso I'm publishing the advisory to warn users and confirm the\r\nvulnerability with you.\r\n\r\n**Vulnerabilitty details**\r\n\r\nThe CSRF is present in the CGI formulary used to create and modify\r\nusers of the web interface of the camera (/set_users.cgi). This CSRF\r\nwould allow a malicious attacker to create users in the camera web\r\ninterface (including administrator users) if he is able to lure the\r\nlegitimate administrator of the camera to visit a web controlled by\r\nthe attacker.\r\n\r\nAn example of the process to exploit this vulnerability:\r\n\r\n1- A webcam administrator is already logged in the camera web interface.\r\n\r\n2- A malicious user knows it and send a link to this administrator\r\npointing to a web controlled by this attacker\r\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\r\nplaced an image with the following code:\r\n\r\n <img alt="csrf image"\r\nsrc="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0">\r\n\r\n3- The webcam administrator visit the link.\r\n\r\n4- The page http://example.com/test_csrf.html tries to load the image\r\nby making a GET request to the pointed URL, thus, making the\r\nlegitimate administrator to create a new user identified by "attacker"\r\nand password "attacker".\r\n\r\nA video was uploaded to youtube showing this behaviour:\r\n\r\nhttps://www.youtube.com/watch?v=URXEe_VRc74\r\n\r\nThis issue can be fixed by adding an additional step to the user\r\ncreation CGI, either requesting the administrator password again\r\nbefore creating/modifying any user or creating a hidden random token\r\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\r\n\r\n-- Felipe Molina de la Torre\r\n", "edition": 1, "modified": "2014-01-13T00:00:00", "published": "2014-01-13T00:00:00", "id": "SECURITYVULNS:DOC:30232", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30232", "title": "[CVE-2013-7204] CSRF in Conceptronic IP Camera (CIPCAMPTIWL)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2013-7204"], "description": "Web interface crossite request forgery.", "edition": 1, "modified": "2014-01-13T00:00:00", "published": "2014-01-13T00:00:00", "id": "SECURITYVULNS:VULN:13518", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13518", "title": "Conceptronic IP cameras CSRF", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T14:05:31", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-7204"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-84271", "id": "SSV:84271", "sourceData": "\n **General Details**\r\n\r\nAffected Product: Conceptronic camera CIPCAMPTIWL\r\nTested Firmware: 21.37.2.49\r\nTested Web UI Firmware: 0.61.4.18\r\nAssigned CVE: CVE-2013-7204\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nSolution Status: Not Fixed\r\nVendor Notification Timeline:\r\n - 23/12/2013: Contacting with technical support through their web\r\nform http://www.conceptronic.net/supcon.php?action=init\r\n - 23/12/2013: Contacting with general information email addres\r\n(info@conceptronic.net) to inform about the vulnerability and request\r\nsuitable security or technical contact to send the complete details of\r\nthe CSRF.\r\n - 25/12/2013: Contacting with public twitter accounts\r\n@conceptronic and @conceptronic_es to request suitable security or\r\ntechnical contact to send the complete details of the CSRF.\r\n - 28/12/2013: Recontacting the technical support.\r\n - 28/12/2013: Recontacting general information address\r\ninfo@conceptronic.net.\r\n - 02/01/2014: Trying to conntact with security@conceptronic.net y\r\nvulnerabilities@conceptronic.net but they are non existent addresses.\r\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\r\n - 08/01/2014: Inteco confirms that there is still no response from\r\nConceptronic.\r\n\r\nNone of the comunication atempts with the vendor received a response,\r\nso I'm publishing the advisory to warn users and confirm the\r\nvulnerability with you.\r\n\r\n**Vulnerabilitty details**\r\n\r\nThe CSRF is present in the CGI formulary used to create and modify\r\nusers of the web interface of the camera (/set_users.cgi). This CSRF\r\nwould allow a malicious attacker to create users in the camera web\r\ninterface (including administrator users) if he is able to lure the\r\nlegitimate administrator of the camera to visit a web controlled by\r\nthe attacker.\r\n\r\nAn example of the process to exploit this vulnerability:\r\n\r\n1- A webcam administrator is already logged in the camera web interface.\r\n\r\n2- A malicious user knows it and send a link to this administrator\r\npointing to a web controlled by this attacker\r\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\r\nplaced an image with the following code:\r\n\r\n <img alt="csrf image"\r\nsrc="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0">\r\n\r\n3- The webcam administrator visit the link.\r\n\r\n4- The page http://example.com/test_csrf.html tries to load the image\r\nby making a GET request to the pointed URL, thus, making the\r\nlegitimate administrator to create a new user identified by "attacker"\r\nand password "attacker".\r\n\r\nA video was uploaded to youtube showing this behaviour:\r\n\r\nhttps://www.youtube.com/watch?v=URXEe_VRc74\r\n\r\nThis issue can be fixed by adding an additional step to the user\r\ncreation CGI, either requesting the administrator password again\r\nbefore creating/modifying any user or creating a hidden random token\r\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\r\n\r\n-- \r\nFelipe Molina de la Torre\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-84271"}], "zdt": [{"lastseen": "2018-01-02T23:00:08", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2014-01-14T00:00:00", "type": "zdt", "title": "Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-7204"], "modified": "2014-01-14T00:00:00", "id": "1337DAY-ID-21748", "href": "https://0day.today/exploit/description/21748", "sourceData": "Affected Product: Conceptronic camera CIPCAMPTIWL\r\nTested Firmware: 21.37.2.49\r\nTested Web UI Firmware: 0.61.4.18\r\nAssigned CVE: CVE-2013-7204\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nSolution Status: Not Fixed\r\nVendor Notification Timeline:\r\n - 23/12/2013: Contacting with technical support through their web\r\nform http://www.conceptronic.net/supcon.php?action=init\r\n - 23/12/2013: Contacting with general information email addres\r\n([email\u00a0protected]) to inform about the vulnerability and request\r\nsuitable security or technical contact to send the complete details of\r\nthe CSRF.\r\n - 25/12/2013: Contacting with public twitter accounts\r\n@conceptronic and @conceptronic_es to request suitable security or\r\ntechnical contact to send the complete details of the CSRF.\r\n - 28/12/2013: Recontacting the technical support.\r\n - 28/12/2013: Recontacting general information address\r\n[email\u00a0protected]\r\n - 02/01/2014: Trying to conntact with [email\u00a0protected] y\r\n[email\u00a0protected] but they are non existent addresses.\r\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\r\n - 08/01/2014: Inteco confirms that there is still no response from\r\nConceptronic.\r\n \r\nNone of the comunication atempts with the vendor received a response,\r\nso I'm publishing the advisory to warn users and confirm the\r\nvulnerability with you.\r\n \r\n**Vulnerabilitty details**\r\n \r\nThe CSRF is present in the CGI formulary used to create and modify\r\nusers of the web interface of the camera (/set_users.cgi). This CSRF\r\nwould allow a malicious attacker to create users in the camera web\r\ninterface (including administrator users) if he is able to lure the\r\nlegitimate administrator of the camera to visit a web controlled by\r\nthe attacker.\r\n \r\nAn example of the process to exploit this vulnerability:\r\n \r\n1- A webcam administrator is already logged in the camera web interface.\r\n \r\n2- A malicious user knows it and send a link to this administrator\r\npointing to a web controlled by this attacker\r\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\r\nplaced an image with the following code:\r\n \r\n <img alt=\"csrf image\"\r\nsrc=\"http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0\">\r\n \r\n3- The webcam administrator visit the link.\r\n \r\n4- The page http://example.com/test_csrf.html tries to load the image\r\nby making a GET request to the pointed URL, thus, making the\r\nlegitimate administrator to create a new user identified by \"attacker\"\r\nand password \"attacker\".\r\n \r\nA video was uploaded to youtube showing this behaviour:\r\n \r\nhttps://www.youtube.com/watch?v=URXEe_VRc74\r\n \r\nThis issue can be fixed by adding an additional step to the user\r\ncreation CGI, either requesting the administrator password again\r\nbefore creating/modifying any user or creating a hidden random token\r\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\r\n \r\n-- \r\nFelipe Molina de la Torre\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/21748", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:10", "description": "\nConceptronic Wireless Pan Tilt Network Camera - Cross-Site Request Forgery", "edition": 2, "published": "2014-01-14T00:00:00", "title": "Conceptronic Wireless Pan Tilt Network Camera - Cross-Site Request Forgery", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7204"], "modified": "2014-01-14T00:00:00", "id": "EXPLOITPACK:202946E54343F24EA03654AB0E5D68FE", "href": "", "sourceData": "**General Details**\n\nAffected Product: Conceptronic camera CIPCAMPTIWL\nTested Firmware: 21.37.2.49\nTested Web UI Firmware: 0.61.4.18\nAssigned CVE: CVE-2013-7204\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\nSolution Status: Not Fixed\nVendor Notification Timeline:\n - 23/12/2013: Contacting with technical support through their web\nform http://www.conceptronic.net/supcon.php?action=init\n - 23/12/2013: Contacting with general information email addres\n(info@conceptronic.net) to inform about the vulnerability and request\nsuitable security or technical contact to send the complete details of\nthe CSRF.\n - 25/12/2013: Contacting with public twitter accounts\n@conceptronic and @conceptronic_es to request suitable security or\ntechnical contact to send the complete details of the CSRF.\n - 28/12/2013: Recontacting the technical support.\n - 28/12/2013: Recontacting general information address\ninfo@conceptronic.net.\n - 02/01/2014: Trying to conntact with security@conceptronic.net y\nvulnerabilities@conceptronic.net but they are non existent addresses.\n - 03/01/2014: Involve Inteco CERT in the notification proccess.\n - 08/01/2014: Inteco confirms that there is still no response from\nConceptronic.\n\nNone of the comunication atempts with the vendor received a response,\nso I'm publishing the advisory to warn users and confirm the\nvulnerability with you.\n\n**Vulnerabilitty details**\n\nThe CSRF is present in the CGI formulary used to create and modify\nusers of the web interface of the camera (/set_users.cgi). This CSRF\nwould allow a malicious attacker to create users in the camera web\ninterface (including administrator users) if he is able to lure the\nlegitimate administrator of the camera to visit a web controlled by\nthe attacker.\n\nAn example of the process to exploit this vulnerability:\n\n1- A webcam administrator is already logged in the camera web interface.\n\n2- A malicious user knows it and send a link to this administrator\npointing to a web controlled by this attacker\n(http://example.com/conceptronic_csrf.html). In this web, the attacker\nplaced an image with the following code:\n\n <img alt=\"csrf image\"\nsrc=\"http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0\">\n\n3- The webcam administrator visit the link.\n\n4- The page http://example.com/test_csrf.html tries to load the image\nby making a GET request to the pointed URL, thus, making the\nlegitimate administrator to create a new user identified by \"attacker\"\nand password \"attacker\".\n\nA video was uploaded to youtube showing this behaviour:\n\nhttps://www.youtube.com/watch?v=URXEe_VRc74\n\nThis issue can be fixed by adding an additional step to the user\ncreation CGI, either requesting the administrator password again\nbefore creating/modifying any user or creating a hidden random token\nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)\n\n-- \nFelipe Molina de la Torre", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:46", "description": "", "published": "2014-01-10T00:00:00", "type": "packetstorm", "title": "Conceptronic CIPCAMPTIWL 21.37.2.49 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-7204"], "modified": "2014-01-10T00:00:00", "id": "PACKETSTORM:124747", "href": "https://packetstormsecurity.com/files/124747/Conceptronic-CIPCAMPTIWL-21.37.2.49-Cross-Site-Request-Forgery.html", "sourceData": "`Hello List, \n \nHere I inform you about an easily exploitable CSRF discovered in \nConceptronic cameras CIPCAMPTIWL. \n \n**General Details** \n \nAffected Product: Conceptronic camera CIPCAMPTIWL \nTested Firmware: 21.37.2.49 \nTested Web UI Firmware: 0.61.4.18 \nAssigned CVE: CVE-2013-7204 \nCVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) \nVulnerability Type: Cross-Site Request Forgery [CWE-352] \nSolution Status: Not Fixed \nVendor Notification Timeline: \n- 23/12/2013: Contacting with technical support through their web \nform http://www.conceptronic.net/supcon.php?action=init \n- 23/12/2013: Contacting with general information email addres \n(info@conceptronic.net) to inform about the vulnerability and request \nsuitable security or technical contact to send the complete details of \nthe CSRF. \n- 25/12/2013: Contacting with public twitter accounts \n@conceptronic and @conceptronic_es to request suitable security or \ntechnical contact to send the complete details of the CSRF. \n- 28/12/2013: Recontacting the technical support. \n- 28/12/2013: Recontacting general information address \ninfo@conceptronic.net. \n- 02/01/2014: Trying to conntact with security@conceptronic.net y \nvulnerabilities@conceptronic.net but they are non existent addresses. \n- 03/01/2014: Involve Inteco CERT in the notification proccess. \n- 08/01/2014: Inteco confirms that there is still no response from \nConceptronic. \n \nNone of the comunication atempts with the vendor received a response, \nso I'm publishing the advisory to warn users and confirm the \nvulnerability with you. \n \n**Vulnerabilitty details** \n \nThe CSRF is present in the CGI formulary used to create and modify \nusers of the web interface of the camera (/set_users.cgi). This CSRF \nwould allow a malicious attacker to create users in the camera web \ninterface (including administrator users) if he is able to lure the \nlegitimate administrator of the camera to visit a web controlled by \nthe attacker. \n \nAn example of the process to exploit this vulnerability: \n \n1- A webcam administrator is already logged in the camera web interface. \n \n2- A malicious user knows it and send a link to this administrator \npointing to a web controlled by this attacker \n(http://example.com/conceptronic_csrf.html). In this web, the attacker \nplaced an image with the following code: \n \n<img alt=\"csrf image\" \nsrc=\"http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0\"> \n \n3- The webcam administrator visit the link. \n \n4- The page http://example.com/test_csrf.html tries to load the image \nby making a GET request to the pointed URL, thus, making the \nlegitimate administrator to create a new user identified by \"attacker\" \nand password \"attacker\". \n \nA video was uploaded to youtube showing this behaviour: \n \nhttps://www.youtube.com/watch?v=URXEe_VRc74 \n \nThis issue can be fixed by adding an additional step to the user \ncreation CGI, either requesting the administrator password again \nbefore creating/modifying any user or creating a hidden random token \nfor each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) \n \n-- \nFelipe Molina de la Torre \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124747/conceptronic-xsrf.txt"}]}

Conceptronic Wireless Pan &amp; Tilt Network Camera - Cross-Site Request Forgery

Description

Related

Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery