D-Link DCS Series Cameras - Insecure Crossdomain

🗓️ 22 Feb 2017 00:00:00Reported by SlidingWindowType

Insecure CrossDomain.XML in D-Link DCS Series Cameras, allows CSRF attack to change device settings and access live feed

Reporter	Title	Published	Views	Family All 10
0day.today	DLink DCS Series Cameras - Insecure Crossdomain Vulnerability	26 May 201700:00	–	zdt
CNVD	D-Link DCS Cross-Site Forgery Request Vulnerability	26 Apr 201700:00	–	cnvd
CVE	CVE-2017-7852	24 Apr 201710:00	–	cve
Cvelist	CVE-2017-7852	24 Apr 201710:00	–	cvelist
EUVD	EUVD-2017-16827	7 Oct 202500:30	–	euvd
exploitpack	D-Link DCS Series Cameras - Insecure Crossdomain	22 Feb 201700:00	–	exploitpack
NVD	CVE-2017-7852	24 Apr 201710:59	–	nvd
Packet Storm	D-Link DCS Series Cameras Insecure Crossdomain.xml	27 May 201700:00	–	packetstorm
Prion	Cross site request forgery (csrf)	24 Apr 201710:59	–	prion
Positive Technologies	PT-2017-17954 · D Link · Dcs-932Lb1 +7	24 Apr 201700:00	–	ptsecurity

# Exploit Title: [Insecure CrossDomain.XML in D-Link DCS Series Cameras]
# Date: [22/02/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
# Version: [Tested on DCS-933L with firmware version 1.03. Other versions/models are also be affected]
# Tested on: [DCS-933L with firmware version 1.03]
# CVE : [CVE-2017-7852]

==================
#Product:-
==================
Small and unobtrusive, SecuriCamô IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.

==================
#Vulnerability:-
==================
D-Link DCS series network cameras implement a weak CrossDomain.XML.

========================
#Vulnerability Details:-
========================

=============================================================================================================================
Insecure CrossDomain.XML in D-Link DCS Series Cameras (CVE-2017-7852)
=============================================================================================================================

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1. 

Vendor Response:-
----------------
In 2016 we phased in CSRF mitigation on all CGI on the cameras so an injection like this would not be allowed authenticated or unauthenticated. Please refer to the tracking table below which includes the H/W Revision and firmware when this CSRF mitigation was enabled.

DCS-2132L H/W ver:B F/W ver:2.12.00, DCS-2330L H/W ver:A F/W ver:1.13.00, DCS-2310L H/W ver:B, F/W ver:2.03.00, DCS-5029L H/W ver:A F/W ver:1.12.00,DCS-5222L H/W ver:B F/W ver:2.12.00, DCS-6212L H/W ver:A F/W ver:1.00.12, DCS-7000L H/W ver:A F/W ver:1.04.00, DCS-2132L H/W ver:A F/W ver:1.08.01, DCS-2136L H/W ver:A F/W ver:1.04.01, DCS-2210L H/W ver:A F/W ver:1.03.01, DCS-2230L H/W ver:A F/W ver:1.03.01, DCS-2310L H/W ver:A F/W ver:1.08.01, DCS-2332L H/W ver:A F/W ver:1.08.01, DCS-6010L H/W ver:A F/W ver:1.15.01, DCS-7010L H/W ver:A F/W ver:1.08.01, DCS-2530L H/W ver:A F/W ver:1.00.21, DCS-930L H/W ver:A F/W ver:1.15.04,DCS-930L H/W ver:B F/W ver:2.13.15, DCS-932L H/W ver:A  F/W ver:1.13.04, DCS-932L H/W ver:B  F/W ver:2.13.15, DCS-934L H/W ver:A  F/W ver:1.04.15, DCS-942L H/W ver:A  F/W ver:1.27, DCS-942L H/W ver:B  F/W ver:2.11.03, DCS-931L H/W ver:A  F/W ver:1.13.05, DCS-933L H/W ver:A  F/W ver:1.13.05, DCS-5009L H/W ver:A  F/W ver:1.07.05, DCS-5010L H/W ver:A  F/W ver:1.13.05, DCS-5020L H/W ver:A  F/W ver:1.13.05, DCS-5000L H/W ver:A  F/W ver:1.02.02, DCS-5025L H/W ver:A  F/W ver:1.02.10, DCS-5030L H/W ver:A  F/W ver:1.01.06

#Proof-of-Concept:-
-------------------
1. Build a Flash file 'FlashMe.swf' using Flex SDK which would access Advance.htm from target device and send the response to attackerís site.
2. Upload 'FlashMe.swf' to the webroot of attacking machine.
3. Log into the Cameraís web console.
4. From another tab in the same browser visit http://attackingsiteip.com/FlashMe.swf
5. Flash object from Request#4 sends a GET request to http://CameraIP/advanced.htm
6. Flash object receives response from Camera and forwards it to http://attackingsiteip.com/
7. Sensitive information like Live Feed, WiFi password etc can be retrieved or new admin users can be added.

===================================
#Vulnerability Disclosure Timeline:
===================================

22/02/2017: First email to disclose the vulnerability to the D-Link incident response team
17/03/2017: Vendor responded stating that this attack would not work due to recently added CSRF mitigation.Shipped two different models running latest firmware for testing.
26/03/2017: Confirmed the fix after testing latest firmware. The 'Referer' header based CSRF protection mitigates this attack which cannot be bypassed unless there is a browser vulnerability.
24/04/2017: Published CVE-2017-7852

22 Feb 2017 00:00Current

7High risk

Vulners AI Score7

CVSS 26.8

CVSS 3.18.8

EPSS0.00498