Conceptronic CIPCAMPTIWL Cross Site Request Forgery

Type packetstorm
Reporter Felipe Molina
Modified 2014-01-10T00:00:00


                                            `Hello List,  
Here I inform you about an easily exploitable CSRF discovered in  
Conceptronic cameras CIPCAMPTIWL.  
**General Details**  
Affected Product: Conceptronic camera CIPCAMPTIWL  
Tested Firmware:  
Tested Web UI Firmware:  
Assigned CVE: CVE-2013-7204  
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)  
Vulnerability Type: Cross-Site Request Forgery [CWE-352]  
Solution Status: Not Fixed  
Vendor Notification Timeline:  
- 23/12/2013: Contacting with technical support through their web  
- 23/12/2013: Contacting with general information email addres  
( to inform about the vulnerability and request  
suitable security or technical contact to send the complete details of  
the CSRF.  
- 25/12/2013: Contacting with public twitter accounts  
@conceptronic and @conceptronic_es to request suitable security or  
technical contact to send the complete details of the CSRF.  
- 28/12/2013: Recontacting the technical support.  
- 28/12/2013: Recontacting general information address  
- 02/01/2014: Trying to conntact with y but they are non existent addresses.  
- 03/01/2014: Involve Inteco CERT in the notification proccess.  
- 08/01/2014: Inteco confirms that there is still no response from  
None of the comunication atempts with the vendor received a response,  
so I'm publishing the advisory to warn users and confirm the  
vulnerability with you.  
**Vulnerabilitty details**  
The CSRF is present in the CGI formulary used to create and modify  
users of the web interface of the camera (/set_users.cgi). This CSRF  
would allow a malicious attacker to create users in the camera web  
interface (including administrator users) if he is able to lure the  
legitimate administrator of the camera to visit a web controlled by  
the attacker.  
An example of the process to exploit this vulnerability:  
1- A webcam administrator is already logged in the camera web interface.  
2- A malicious user knows it and send a link to this administrator  
pointing to a web controlled by this attacker  
( In this web, the attacker  
placed an image with the following code:  
<img alt="csrf image"  
3- The webcam administrator visit the link.  
4- The page tries to load the image  
by making a GET request to the pointed URL, thus, making the  
legitimate administrator to create a new user identified by "attacker"  
and password "attacker".  
A video was uploaded to youtube showing this behaviour:  
This issue can be fixed by adding an additional step to the user  
creation CGI, either requesting the administrator password again  
before creating/modifying any user or creating a hidden random token  
for each form (  
Felipe Molina de la Torre